Spring security users only access to their group items - spring

In my design, each user belongs to a specific group, so when a user creates an item, only users from the same user group can view or edit the item. Does Spring Security have anything to implement this scenario, or should I implement it myself? I use Spring OAuth2 with JWT tokens.

Spring Security supports ACLs for Domain Objects, which sounds like it might be what you're after: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/domain-acls.html

Related

Custom Role Based Authorization in Spring Boot

I am developing a web application where I have React as my frontend and Spring Boot as the backend REST API. I have an authentication mechanism set up where a user can log in with email and password. My application will be used by a group of people for a company. The admin user will log in initially and send invites to other people in the group with predefined access privileges available in the application. How can I implement this type of role-based access in Spring Boot?
I went through Spring Security for role-based access, but I didn't find how to create custom fine-grained roles based on our web application. Could someone please help by pointing me to the path I need to take?
P.S.: I want to implement it the way AWS or other cloud providers implement their IAM roles to assign them to different users in their organization, not as complex but with similar functionality.

Spring Security Authentication-Authorization at field level

I am new to Spring Security. I have implemented Spring Security authentication and authorization at page level for my application (e.g. only Admin can access the Admin page and a normal user can't).
But now my requirement is to apply read-write authorization at field level. Some of the fields can be edited only by Admin, whereas for others they are read-only. The remaining fields on the page are common to all.
If there is any way to solve this, please let me know.
Thanks.

Subscription design pattern : Spring

I am building a cloud-based application using Spring, Spring Security, Hibernate and OAuth.
It has different products, and each product has multiple modules. Modules also have multiple functionalities.
Clients have to subscribe to each product independently to use them.
Each client can have multiple users, and the client will have to give their users access to a product.
Clients have to select a package (silver, gold, ...) while subscribing for each product.
A package will have module details and the number of users allowed for each product, and a client's user will be able to access only the modules (of the selected package) which the client is subscribed to and the user has access to.
I have to create REST APIs for each functionality.
Problem: I am using Spring OAuth2 to secure my APIs so only registered clients and their users can access them, but they can access all the APIs. I should allow clients to access only those APIs which they have access to / are subscribed to. How can I achieve that in Spring?
Currently I am planning to use interceptors, but that highly depends on the URL pattern. So for each product and module I will be having a different interceptor.
URL pattern: http://abc/rest/PRODUCT/MODULE/..
Is there a better way to implement it?
You can choose another way, which might be better as you don't have to write custom URL interceptors.
You can use Spring Security with its @Secured({"ROLE"}) or @PreAuthorize annotations, for which you can create roles for each product and give the clients the roles for which they subscribed. You can find more information about this annotation and how it works here.
For @Secured and @PreAuthorize to work, you need to have the annotation @EnableGlobalMethodSecurity on the Spring Boot context class.
Hope it helps.
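As an added example that is not code from either thread, the following shows one way to combine the original question's group-scoped item access with this answer's method-security approach (@EnableGlobalMethodSecurity plus @PreAuthorize). It assumes a JWT converter that exposes the token's group claim as an authority named GROUP_<groupId>, and the Item and ItemRepository types are hypothetical stand-ins for the application's own.

```java
import java.util.Optional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
// Hypothetical domain types (assumptions): each Item records the id of its owning group.
class Item { Long id; Long groupId; String name; }
interface ItemRepository { Optional<Item> findById(Long id); Item save(Item item); }

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
class MethodSecurityConfig {}
// Authorization rule in one bean, reachable from SpEL as @groupCheck and unit-testable.
// Assumption: the JWT converter exposes the token's group claim as authority "GROUP_<groupId>".
@Component("groupCheck")
class GroupCheck {
    private final ItemRepository repo;
    GroupCheck(ItemRepository repo) { this.repo = repo; }
    public Optional<Long> groupOf(Authentication auth) {
        if (auth == null) return Optional.empty();
        return auth.getAuthorities().stream().map(a -> a.getAuthority())
                .filter(a -> a.startsWith("GROUP_"))
                .map(a -> Long.valueOf(a.substring("GROUP_".length()))).findFirst();
    }
    // Deny by default: unknown item, missing claim or group mismatch all yield false.
    public boolean canAccess(Authentication auth, Long itemId) {
        Optional<Long> caller = groupOf(auth);
        return repo.findById(itemId)
                .map(item -> caller.isPresent() && caller.get().equals(item.groupId)).orElse(false);
    }
}
@Service
class ItemService {
    private final ItemRepository repo;
    private final GroupCheck groupCheck;
    ItemService(ItemRepository repo, GroupCheck check) { this.repo = repo; this.groupCheck = check; }
    // The new item's group comes from the caller's token, never from the request body.
    public Item create(Authentication auth, String name) {
        Item item = new Item();
        item.groupId = groupCheck.groupOf(auth).orElseThrow(IllegalStateException::new);
        item.name = name;
        return repo.save(item);
    }
    // "#id" needs parameter names at runtime: compile with -parameters or annotate @P("id").
    @PreAuthorize("@groupCheck.canAccess(authentication, #id)")
    public Item get(Long id) { return repo.findById(id).orElseThrow(); }
}
```

The same bean can back a per-product rule (for example an authority per subscribed product) by swapping the GROUP_ prefix for the product's role name, so the check stays independent of URL patterns.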

spring-4 role mapping ldap

I am new to Spring.
Problem statement:
I have set up an LDAP server (Apache DS) with roles and users.
I need to authorize against the same in my Spring application. I need to block the URLs based on the authorization roles coming from LDAP.
How do I tell my Spring application to authorize using the data coming from LDAP?
As of now it is letting me log in, but on clicking any of the links with the URLs given to provide access I am getting an access denied (403) exception.
To my knowledge I feel I need to configure the same in Spring, but I am not able to figure out how to do it.

Spring security - Move attributes from anonymous session to logged user session

I am writing a web application using Spring MVC and Spring Security. I would like to store some information for users who are not logged in and keep it in the anonymous session. It will be some random UID and some configuration that the anonymous user could change. When the user logs in, that data should be used in authentication using a custom AuthenticationProvider.
How can I hook into Spring Security's anonymous authentication to put the UID there?
How can I retrieve the session later while the user is logging in?
Thanks for any advice :)
