Spring MVC annotation and security configuration - spring

There are 2 roles:
1) ROLE_USER1
2) ROLE_USER2
I don't want to add every URI in spring-security.xml. Example: I have a Manage User module, where I can create, update, delete and read users. I have one controller named user controller. The mappings in that controller are:
@RequestMapping(value="user/create")
@RequestMapping(value="user/list")
@RequestMapping(value="user/update")
@RequestMapping(value="user/delete")
I want ROLE_USER1 to only access "user/create", so in this case I have to add the URI "user/create" for the ROLE_USER1 role in security.xml.
And ROLE_USER2 can access only "user/list" and "user/delete", so in this case I have to add 2 URIs for ROLE_USER2 in security.xml.
I would like it if, somehow, I could always have /admin in the URL that the Admin role can access,
and for SuperAdmin the URL will contain /SuperAdmin,
and I just have to give /Admin/** and /superAdmin/** in spring-security.xml.
But to achieve the above scenario I have to add multiple mappings in the controller for a single action. If I add multiple actions then I have a JSP action problem, i.e. there could be either "/admin/user/create" or "/superAdmin/user/create".
I want to secure URLs with a minimum of entries in spring-security.xml.
Regards

I don't think you should create a new Controller for admin and superadmin.
Instead you should just add the roles to the URL in security.xml. For example, if your current security.xml configuration is as below:
<intercept-url pattern="/user/create" access="hasAnyRole('ROLE_USER1')" />
<intercept-url pattern="/user/delete" access="hasAnyRole('ROLE_USER2')" />
you just need to add the admin and superadmin roles as below:
<intercept-url pattern="/user/create" access="hasAnyRole('ROLE_USER1', 'SuperAdmin', 'Admin')" />
<intercept-url pattern="/user/delete" access="hasAnyRole('ROLE_USER2', 'SuperAdmin', 'Admin')" />
In your Java code, if you have any special logic for different roles, you can access the current roles as below and switch the logic:
SecurityContextHolder.getContext().getAuthentication().getAuthorities();
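Added example, not code from the question or the answer above: the same access rules as Spring Security Java configuration (3.2 or later; `mvcMatchers` needs 4.1+ and a Spring MVC setup), with a role hierarchy so that the admin roles inherit the user roles instead of being repeated on every entry, and a deny-by-default catch-all so that a controller mapping nobody remembered to list is blocked rather than exposed. The role names ROLE_ADMIN and ROLE_SUPERADMIN, the `/user/update` rule and the class name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Example only: Java-config equivalent of the intercept-url entries above,
 * plus a role hierarchy and a deny-by-default rule.
 */
@Configuration
@EnableWebSecurity
public class UserModuleSecurityConfig extends WebSecurityConfigurerAdapter {

    /** ROLE_SUPERADMIN implies ROLE_ADMIN, which implies both user roles (names assumed). */
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy(
                "ROLE_SUPERADMIN > ROLE_ADMIN\n"
              + "ROLE_ADMIN > ROLE_USER1\n"
              + "ROLE_ADMIN > ROLE_USER2");
        return hierarchy;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Expression handler that consults the hierarchy, so a rule requiring ROLE_USER1
        // is also satisfied by an admin or super admin without listing them.
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());

        http
            .authorizeRequests()
                .expressionHandler(handler)
                // hasAuthority() compares the stored string as-is, so it behaves the same on
                // 3.2 and on 4+/5 (hasRole() only started prefixing ROLE_ in 4.0).
                .mvcMatchers("/user/create").hasAuthority("ROLE_USER1")
                .mvcMatchers("/user/list", "/user/delete").hasAuthority("ROLE_USER2")
                .mvcMatchers("/user/update").hasAuthority("ROLE_ADMIN")
                // Deny by default: a mapping not listed above is blocked instead of
                // becoming reachable because nobody added an entry for it.
                .anyRequest().denyAll()
            .and()
            .formLogin();
    }
}
```

Rules are evaluated top to bottom and the first match wins, so the catch-all must stay last. `mvcMatchers` uses Spring MVC's own path matching, so variants such as `/user/create/` or `/user/create.json` are treated the way the controller treats them; with `antMatchers` each variant would need its own entry, which is one more reason to keep the `denyAll()` fallback.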

Related

Spring Boot. how to secure some pages but not all the pages

We are creating a spring boot web application to send RSS data to a Ticker Sign (ticker).
The URLs that send RSS data to the ticker sign do not need to be secured with LDAP or other credentials.
But we have one page where we update a custom message that we send to the Ticker sign. We want to secure this page with the corporate LDAP.
Is it possible to configure Spring Boot to only require a login for one page, while the rest of the pages remain unsecured?
You can create a role with all permissions to access and grant that access just in some methods using Spring Security annotations: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
<http use-expressions="true">
<!-- /** matches nested paths as well; /* only matches a single path segment -->
<intercept-url pattern="/**" access="hasRole('admin')"/>
</http>
Then in your free-access method:
@PreAuthorize("hasRole('admin')")
public void create(Contact contact);
To use this it is very important that you name your URLs wisely, i.e. if you want to assign the admin role then make the URL look something like /admin/v1/something-here. It will make things readable and simple for you.
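Added example, not code from the question or the answer above: a Spring Boot configuration where only the message-editing page requires a login against the corporate directory and every other URL, including the feed endpoints polled by the sign, stays open. The path `/ticker/message`, the property names, the search base and filter, and the class name are assumptions; the LDAP filter would be `(sAMAccountName={0})` rather than `(uid={0})` against Active Directory.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example only: one protected page, everything else open, users checked against LDAP.
 * Needs spring-boot-starter-security plus spring-security-ldap on the classpath.
 */
@Configuration
@EnableWebSecurity
public class TickerSecurityConfig extends WebSecurityConfigurerAdapter {

    // Directory details come from application properties (property names are assumptions),
    // e.g. ticker.ldap.url=ldaps://ldap.example.corp:636/dc=example,dc=corp
    @Value("${ticker.ldap.url}")
    private String ldapUrl;
    @Value("${ticker.ldap.manager-dn}")
    private String managerDn;
    @Value("${ticker.ldap.manager-password}")
    private String managerPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The message editor (the page and the POST that saves it) requires a login.
                .antMatchers("/ticker/message", "/ticker/message/**").authenticated()
                // Every other URL, including the RSS endpoints the sign polls, stays open.
                .anyRequest().permitAll()
            .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchBase("ou=people")
                .userSearchFilter("(uid={0})")
                .groupSearchBase("ou=groups")
                .contextSource()
                    .url(ldapUrl)
                    .managerDn(managerDn)
                    .managerPassword(managerPassword);
    }
}
```

In an Ant pattern `/*` matches one path segment and `/**` any depth; the trailing `anyRequest()` rule makes the distinction irrelevant here because it catches whatever the explicit matcher missed. CSRF protection stays on by default, which is what the message form needs; if the sign ever POSTs to the open endpoints, exempt only those paths with `csrf().ignoringAntMatchers(...)` instead of disabling CSRF for the whole application.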

spring security based on active directory permission groups

How can I restrict access to web resources based on permission groups rather than roles in spring security?
For instance, suppose I have a permission group called Domain\Developers, how can I use it for access control?
I've tried to find a solution using expression based access control. Something similar to:
<sec:intercept-url pattern="/**" access="hasRole('USER_ROLE')" />
But instead of using hasRole I'd expect to have something like inGroup(). I couldn't find anything so far.
Could it be that there's no implementation out there for what I ask for and I'd have to implement it myself?
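The question has no answer on this page. As an added example (not from the question's author), one way to do this with what Spring Security ships: its Active Directory provider turns each `memberOf` value into a `GrantedAuthority` named after the group's CN (`Developers`, not `Domain\Developers`), and a `GrantedAuthoritiesMapper` translates those group names into the application's own authorities, so `hasAuthority('ROLE_DEVELOPER')` works in the existing `intercept-url` expressions. The group names, the domain, the server URL and the class name are assumptions.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/**
 * Example only. Translates Active Directory group authorities into the application's
 * own authority names, so access rules never mention raw directory groups.
 */
public class AdGroupAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Explicit allow-list: AD group (CN) -> application authority (names assumed).
    // A group that is not listed maps to nothing, so a new group created in the
    // directory grants no access here until someone adds it deliberately.
    private static final Map<String, String> GROUP_TO_AUTHORITY = Map.of(
            "Developers", "ROLE_DEVELOPER",
            "Operations", "ROLE_OPS");

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        for (GrantedAuthority ga : authorities) {
            String appAuthority = GROUP_TO_AUTHORITY.get(ga.getAuthority());
            if (appAuthority != null) {
                mapped.add(new SimpleGrantedAuthority(appAuthority));
            }
        }
        return mapped;
    }

    /** Wires the mapper into Spring's AD provider; domain and URL are placeholders. */
    public static ActiveDirectoryLdapAuthenticationProvider activeDirectoryProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("corp.example.com",
                        "ldaps://dc1.corp.example.com:636");
        provider.setAuthoritiesMapper(new AdGroupAuthoritiesMapper());
        return provider;
    }
}
```

Register the provider with the authentication manager (`auth.authenticationProvider(AdGroupAuthoritiesMapper.activeDirectoryProvider())` in Java config, or as a bean referenced from `<authentication-manager>`), then write the rules as `access="hasAuthority('ROLE_DEVELOPER')"` (or `hasRole('DEVELOPER')` on 4.x and later). `memberOf` lists direct memberships only, so nested groups are not expanded by this mapping.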

How Administrator can determine user permissions Spring

I have a web application which has 2 actors:
superAdmin & admin
The superAdmin can determine all permissions of the admin (e.g. the admin will use the "add" method and won't use "delete").
The SuperAdmin can change permissions for the Admin in the web page (not the programmer).
So how can I do that? If someone could just tell me the big lines to follow.
PS: I'm using Spring MVC + Spring Security + Hibernate + JSP.
Using Spring Security you can add the paths and user access to them:
<!-- without use-expressions, RoleVoter only votes on attributes that carry its ROLE_ prefix -->
<intercept-url pattern="/add.do" access="ROLE_SUPERADMIN, ROLE_ADMIN"/>
<intercept-url pattern="/delete.do" access="ROLE_SUPERADMIN"/>
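The entries above are fixed at deployment time, whereas the question wants the super admin to change the admin's permissions from a web page. As an added example (not code from the question or the answer), the outline a practitioner would follow: keep the permission set in the database, have the business methods check a fine-grained authority rather than a role name, and let the super admin rewrite another user's authority rows through Spring's own `JdbcUserDetailsManager`. The authority names `PERM_ADD`, `PERM_DELETE` and `ROLE_SUPERADMIN`, the class names and the `ItemService` methods are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import javax.sql.DataSource;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.stereotype.Service;

/**
 * Example only. Permissions live in the database (Spring Security's default
 * users/authorities tables) and are edited at runtime by the super admin.
 */
@Service
public class PermissionAdminService {

    private final JdbcUserDetailsManager users;

    public PermissionAdminService(DataSource dataSource) {
        this.users = new JdbcUserDetailsManager(dataSource);
    }

    /** Only a super admin may rewrite someone else's permission set. */
    @PreAuthorize("hasAuthority('ROLE_SUPERADMIN')")
    public void setPermissions(String username, List<String> permissions) {
        UserDetails current = users.loadUserByUsername(username);
        UserDetails updated = User.withUserDetails(current)
                .authorities(permissions.stream()
                        .map(SimpleGrantedAuthority::new)
                        .collect(Collectors.toList()))
                .build();
        // Deletes the user's authority rows and inserts the new set.
        users.updateUser(updated);
    }
}

/**
 * The business layer checks a permission, never the role name, so the super admin
 * can grant or revoke "add" and "delete" for the admin without a code change.
 */
@Service
class ItemService {

    private final List<String> items = new ArrayList<>();

    @PreAuthorize("hasAuthority('PERM_ADD')")
    public void add(String item) {
        items.add(item);
    }

    @PreAuthorize("hasAuthority('PERM_DELETE')")
    public boolean delete(String item) {
        return items.remove(item);
    }
}
```

`@PreAuthorize` needs `@EnableGlobalMethodSecurity(prePostEnabled = true)` (or `<global-method-security pre-post-annotations="enabled"/>` in XML). One caveat that matters for revocation: the authorities are loaded into the `SecurityContext` at login, so an admin who is already logged in keeps the old permissions until the next login unless the super admin also expires that session, for instance through a `SessionRegistry`.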

directory namespace, login and session management in spring framework

I am new to the Spring framework and a little confused about managing the directory structure according to the role of the user, like admin (all JSPs will be inside the admin directory), how to make login according to the user role, like admin will have access only to the admin directory, and the session of the user, its timeout etc.
I have used this website as a reference for login management using Hibernate:
http://fruzenshtein.com/spring-mvc-security-mysql-hibernate/
What I want to do is to protect the user from seeing the pages which they do not have permission for in Spring. My project is managing the directories according to the role, like admin - admin directory, user - user directory and other user - other directory and home pages; when the admin logs in he will have access to the pages inside admin.
Using the Hibernate security framework, how can I do this?
You have to use the Spring Security framework to achieve that.
Just add whatever filter you want to add in spring-security.xml.
For example, add:
<intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
<intercept-url pattern="/user/*" access="ROLE_USER" />
It will create a check that accessing a controller mapping starting with /admin* will require admin login.
Go through the Spring Security docs, then configure security with the help of the link below:
Steps for configuring spring security
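Added example, not code from the question or the answer above: a small check of what an Ant pattern in `intercept-url` actually matches, using Spring's own `AntPathMatcher`, which is what the security filter chain's request matcher applies to the servlet path. The sample paths are constructed for the example.

```java
import org.springframework.util.AntPathMatcher;

/** Example only: check what an intercept-url pattern matches before relying on it. */
public class PatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        String[] patterns = { "/admin/*", "/admin/**" };
        // Constructed sample paths: a JSP directly in the directory, a nested
        // controller mapping, and the directory itself with and without a slash.
        String[] paths = { "/admin/home.jsp", "/admin/users/list", "/admin/", "/admin" };
        for (String pattern : patterns) {
            for (String path : paths) {
                System.out.printf("%-10s %-20s %s%n", pattern, path, matches(pattern, path));
            }
        }
    }
}
```

The difference to look for: `/admin/*` matches `/admin/home.jsp` but not `/admin/users/list`, while `/admin/**` matches both. So once controllers are mapped below `/admin/...`, a rule written with a single `*` leaves those mappings outside the admin rule unless a later entry or a final `/**` deny-all covers them; `/admin/**` plus a closing catch-all is the safer shape.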

Spring security with multiple custom filters and roles

I am using Spring security with two filters:
- One filter for X.509 authentication for client certificates. All this filter does is extract the username from the certificate into the principal.
- One filter to do header-based authentication. The header should have the username and roles. In this filter I check to make sure that there is a principal already present in the security context. If present, I make sure that it matches what's in the headers. Then I extract the roles from the header and set the granted authorities.
I have a URL pattern that I want to be made accessible to the role 'ROLE_USER'.
Now here is the problem. The request only hits the first filter (X.509); the role is obviously missing in this header and access is denied by Spring Security.
I cannot switch the order of the filters because if I do then the X.509 filter provided by Spring simply sees that the principal is already present and does nothing, making it useless.
Is there any way for the role check to be deferred until all filters are processed? Or any other way to achieve what I am trying to do.
Here is my spring security config:
<security:http auto-config="true" entry-point-ref="customEntryPoint">
<security:intercept-url pattern="/user/**" access="ROLE_USER"/>
<security:custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="x509Filter" />
<security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="headerFilter"/>
</security:http>
where the x509Filter is the standard Spring Security filter configured as:
<beans:bean id="x509PrincipalExtractor" class="org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor">
<beans:property name="subjectDnRegex" value="CN=(.*?),"/>
</beans:bean>
I can provide a scrubbed-up customHeaderFilter if needed, but at this point control never reaches the filter, so it is inconsequential what happens in it.
Any help/guidance would be greatly appreciated.
Thanks to the pointer from @Maksym, the problem was resolved by changing 'after' to 'before' for the customHeaderFilter as follows:
<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="headerFilter"/>
FilterSecurityInterceptor is responsible for handling the security of HTTP resources, including applying role checks. In my case the X509Filter would fire, setting the principal, but would not set any authorities. This would cause the interceptor to deny access to the resource and the headerFilter would not even come into the picture.
Placing the headerFilter before the interceptor allowed the principal and authentication object in the security context to be set up correctly with the given authorities, leading to the expected behavior.
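Added example, not the asker's code: a header filter of the kind described, placed where the resolution above puts it, after the X.509 filter and before `FilterSecurityInterceptor`, together with the Java-config equivalent of the corrected XML. The header names `X-User` and `X-Roles`, the class names and the use of `/user/**` with `ROLE_USER` follow the question; everything else is an assumption.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Example only. Runs after the X.509 filter (which leaves an authenticated principal with
 * no authorities in the context) and before FilterSecurityInterceptor, where the
 * intercept-url role check happens. Header names are assumptions.
 */
public class HeaderRolesFilter extends OncePerRequestFilter {

    static final String USER_HEADER = "X-User";
    static final String ROLES_HEADER = "X-Roles";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication certAuth = SecurityContextHolder.getContext().getAuthentication();
        if (certAuth != null && certAuth.isAuthenticated()) {
            Authentication withRoles = merge(certAuth,
                    request.getHeader(USER_HEADER), request.getHeader(ROLES_HEADER));
            if (withRoles != null) {
                SecurityContextHolder.getContext().setAuthentication(withRoles);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns an authenticated token carrying the header roles, or null when the headers
     * are missing or name a different user than the certificate did; the context is then
     * left as is and the interceptor denies for lack of authorities.
     */
    static Authentication merge(Authentication certAuth, String headerUser, String headerRoles) {
        if (headerUser == null || headerRoles == null || !headerUser.equals(certAuth.getName())) {
            return null;
        }
        List<GrantedAuthority> authorities = Arrays.stream(headerRoles.split(","))
                .map(String::trim)
                .filter(r -> !r.isEmpty())
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The three-argument constructor marks the token as authenticated.
        return new PreAuthenticatedAuthenticationToken(certAuth.getPrincipal(),
                certAuth.getCredentials(), authorities);
    }
}

/** Java-config equivalent of the corrected XML: header filter placed before the interceptor. */
@Configuration
@EnableWebSecurity
class X509HeaderSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .x509()
                .subjectPrincipalRegex("CN=(.*?),")
                // Identity only: no authorities until the header filter adds them.
                .userDetailsService(username -> new User(username, "", List.of()))
            .and()
            .addFilterBefore(new HeaderRolesFilter(), FilterSecurityInterceptor.class)
            .authorizeRequests()
                .antMatchers("/user/**").hasAuthority("ROLE_USER")
                .anyRequest().denyAll();
    }
}
```

The roles are only as trustworthy as whoever can write `X-Roles`. This layout holds up when the certificate belongs to a gateway that authenticates the end user and strips any client-supplied `X-Roles` before adding its own; if end users present their own certificates directly, any certificate holder could name their own roles, and the authorities should instead come from a lookup keyed on the certificate principal.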
