  • Don't know where to start with Spring Security

    Hello everyone,

    We'd like to use Spring Security in our applications if it's possible to do the following authentication/authorization scenario:
    - The users are authenticated through a login/password in a WebForm
    - Each user has at least one role (may have several roles) such as USER, ADMINISTRATOR, SUPERUSER etc.
    - Each role is attached (through a config file) to what we call "permissions" which are defined in an Enum with an application scope. These permissions are, for example, CAN_SEE_ALL_ORDERS, CAN_SEE_OWN_ORDERS, CAN_ADD_COMMENTS, CAN_DELETE_COMMENTS etc.
    - When a user calls a method such as getOrder, the application checks if "the (user has the permission CAN_SEE_ALL_ORDERS) OR (user has the permission CAN_SEE_OWN_ORDERS AND user is the creator of the order)".

    I have no doubt that Spring Security perfectly suits the first two points. For the other two points, I still don't understand how they can be implemented with Spring Security.

    Is it the purpose of GrantedAuthority to handle what we call "permissions"?

    Can Spring Security help us improve the quite small but nasty code we have at the beginning of each method, checking whether the user is allowed to execute the requested method based on his "permissions" and some data of the objects he tries to access?
    As the authorization checking code may be a bit complex, can the ACL fit our needs? Basically, we could have a special permission such as CAN_SEE_OPEN_ORDERS; the user with that role will be allowed to see the order if its status is NEW, PENDING or SHIPPED but will be denied if the order status is CLOSED or CANCELED.

    I realize that we have developed some software with our very private way of thinking about the authorization system, so I hope that my explanations and questions are clear.

    Thanks in advance for your help.

  • #2
    I will rewrite this one.....
    Last edited by vw729; Apr 13th, 2010, 11:05 PM.


    • #3
      Hi !

      What happened to your answer? It was really helpful and I was coming back to the forum to thank you for your help when I realized that it had disappeared!!

      Anyway, extending the User class and implementing the UserDetailsService interface as you described may be enough for us if I understand how I can make @Secured("MY_PERMISSION") be handled by my own AccessDecisionVoter implementation. Is it possible to create an AccessDecisionVoter that votes for any MY_* GrantedAuthority?
      At this point, I tried to use @Secured("IS_AUTHENTICATED_FULLY") but it seems to have no effect at all. I mean that no security checks happen when I put a @Secured annotation on any method.

      I have the following in my applicationContext-security.xml:
      <global-method-security secured-annotations="enabled" />
      I read that it should be enough to activate @Secured annotations.

      This is a webapp and I'm using Spring 3.0.1.

      Thanks again for your help
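The following is an added example, not code from the thread or from the Spring Security project, showing one way to put the first post's model (roles expanded into an application-scoped Permission enum, with an ownership condition on orders) together with the custom AccessDecisionVoter asked about in #3. It targets the Spring Security 3.0.x API the poster is using (non-generic AccessDecisionVoter, GrantedAuthorityImpl). The package name, the Order class, the "MY_" authority prefix, the role-to-permission table and the two sample users are all assumptions constructed for the example; a real application would load the table from its config file and the users from its user store.

```java
package example.security;                      // hypothetical package, not from the thread

import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Application-scoped permissions, named as in the original post. */
enum Permission { CAN_SEE_ALL_ORDERS, CAN_SEE_OWN_ORDERS, CAN_ADD_COMMENTS, CAN_DELETE_COMMENTS }

/** Minimal domain object (assumed); only the creator matters for the ownership rule. */
class Order {
    private final String creator;
    Order(String creator) { this.creator = creator; }
    String getCreator() { return creator; }
}

/**
 * Expands each of the user's roles into its configured permissions and exposes both
 * as GrantedAuthority strings: "ROLE_<role>" and "MY_<permission>".
 */
class PermissionUserDetailsService implements UserDetailsService {
    // Role -> permissions. Constructed inline here; in a real app this comes from a config file.
    private final Map<String, Set<Permission>> rolePermissions = new HashMap<String, Set<Permission>>();
    // Username -> roles. Constructed sample data standing in for the real user store.
    private final Map<String, Set<String>> userRoles = new HashMap<String, Set<String>>();

    PermissionUserDetailsService() {
        rolePermissions.put("USER", EnumSet.of(Permission.CAN_SEE_OWN_ORDERS, Permission.CAN_ADD_COMMENTS));
        rolePermissions.put("ADMINISTRATOR", EnumSet.allOf(Permission.class));
        userRoles.put("alice", new HashSet<String>(Arrays.asList("USER")));
        userRoles.put("bob", new HashSet<String>(Arrays.asList("USER", "ADMINISTRATOR")));
    }

    public UserDetails loadUserByUsername(String username) {
        Set<String> roles = userRoles.get(username);
        if (roles == null) throw new UsernameNotFoundException(username);
        Collection<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl("ROLE_" + role));
            for (Permission p : rolePermissions.get(role)) {
                authorities.add(new GrantedAuthorityImpl(PermissionVoter.PREFIX + p.name()));
            }
        }
        // The password hash comes from the user store in a real application; placeholder only.
        return new User(username, "{placeholder-hash}", true, true, true, true, authorities);
    }
}

/**
 * Votes on every @Secured attribute that starts with "MY_". The attributes on one method
 * are OR-ed (as RoleVoter does); a CAN_SEE_OWN_ORDERS attribute is only satisfied when the
 * caller also created the Order handed to the secured method, giving the post's rule
 * "ALL_ORDERS OR (OWN_ORDERS AND creator)" for @Secured({"MY_CAN_SEE_ALL_ORDERS", "MY_CAN_SEE_OWN_ORDERS"}).
 */
class PermissionVoter implements AccessDecisionVoter {
    static final String PREFIX = "MY_";

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(PREFIX);
    }

    public boolean supports(Class<?> clazz) {
        return true;    // any secured object; the ownership check simply fails for non-method invocations
    }

    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        Set<String> held = new HashSet<String>();
        for (GrantedAuthority a : authentication.getAuthorities()) held.add(a.getAuthority());

        int result = ACCESS_ABSTAIN;                 // no MY_ attribute on this method: not our business
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) continue;
            result = ACCESS_DENIED;                  // a MY_ attribute is present, so we must decide
            if (!held.contains(attribute.getAttribute())) continue;
            if (requiresOwnership(attribute) && !isCreator(authentication, object)) continue;
            return ACCESS_GRANTED;
        }
        return result;
    }

    private boolean requiresOwnership(ConfigAttribute attribute) {
        return attribute.getAttribute().equals(PREFIX + Permission.CAN_SEE_OWN_ORDERS.name());
    }

    /** True when the secured method receives an Order whose creator is the authenticated user. */
    private boolean isCreator(Authentication authentication, Object secured) {
        if (!(secured instanceof MethodInvocation)) return false;
        for (Object arg : ((MethodInvocation) secured).getArguments()) {
            if (arg instanceof Order) return authentication.getName().equals(((Order) arg).getCreator());
        }
        return false;
    }
}
```

To wire it in, declare the voter as a bean, put it in the decisionVoters list of an AffirmativeBased AccessDecisionManager, and reference that manager from global-method-security via its access-decision-manager-ref attribute; the definitions must sit in the same Spring context as the beans whose methods carry @Secured, which is the global-versus-servlet context mix-up #4 reports. Two caveats a practitioner should know: for the pure "does the user hold MY_X" part, the stock RoleVoter with its rolePrefix property set to "MY_" already does what this voter does, and the ownership branch above only works when the Order is an argument of the secured method; for a getOrder(id) that loads the object, the check belongs after the call, which is what Spring Security 3.0's @PostAuthorize (pre-post-annotations="enabled") provides. From Spring Security 3.1 on, AccessDecisionVoter is generic and GrantedAuthorityImpl is replaced by SimpleGrantedAuthority, so the two imports and the class declaration change accordingly.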


      • #4
        Hi again !

        The problem was due to a common misconfiguration between the Spring global and servlet contexts. I succeeded in creating my own Voter.

        Thanks again