How to override security access in Spring? - spring

I'm using Spring Framework 4.0.0 GA and Spring Security 3.2.0 GA. I have applied security to all methods of all classes in a package using a point cut expression as follows.
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
<protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>
All methods of all classes defined in the package admin.dao can then only be accessed by a user whose authority is ROLE_ADMIN.
Is it now possible to override this security constraint in some method(s) of some class in this package?
I need to give an anonymous access to some methods in some class under this package (which is already secured).
In JAAS, this can be achieved by using the javax.annotation.security.PermitAll annotation above the method in question which will override any global constraints (constraints applied class level, for example).
I have tried @Secured(value = "permitAll") and @Secured(value = "isAnonymous()") above the method in question, but neither of them worked.

Try the following:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
<protect-pointcut expression="execution(* admin.your.permit.all.dao.*.*(..))"
access="permitAll"/>
<protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>
Make sure to put the permitAll protect-pointcut entry first; in this case the order is important.
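The same per-method exemption can be expressed with annotations instead of ordered pointcuts. With pre-post annotations enabled, a @PreAuthorize on a method takes precedence over a @PreAuthorize on its class, which gives the JAAS-style "class rule, method override" the question asks for. The listing below is an added example in Spring Security 3.2 Java config, not code from the question or the answer: the UserDao/UserDaoImpl names, the in-memory admin user and the lookupPublicName method are illustrative, and in the question's layout the DAO classes would live in admin.dao.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// An interface, so the default JDK proxy (the equivalent of proxy-target-class="false") can wrap the bean.
interface UserDao {
    List<String> listUsers();
    String lookupPublicName(String id);
}

// Class-level rule: every method of this DAO needs ROLE_ADMIN ...
@PreAuthorize("hasRole('ROLE_ADMIN')")
class UserDaoImpl implements UserDao {
    public List<String> listUsers() {
        return Arrays.asList("alice", "bob");   // constructed sample data
    }

    // ... except this one: the method-level annotation wins over the class-level one.
    @PreAuthorize("permitAll")
    public String lookupPublicName(String id) {
        return "user-" + id;
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // Java-config form of pre-post-annotations="enabled"
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Illustrative in-memory user so the method interceptor has an AuthenticationManager.
        auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
    }
}

@Configuration
class DaoConfig {
    @Bean
    public UserDao userDao() {
        return new UserDaoImpl();
    }
}

public class OverrideDemo {
    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(MethodSecurityConfig.class, DaoConfig.class);
        UserDao dao = ctx.getBean(UserDao.class);   // the secured proxy, not the raw UserDaoImpl

        // Simulate an unauthenticated caller, as the anonymous filter would populate it.
        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));

        System.out.println(dao.lookupPublicName("42"));   // allowed: permitAll on the method
        try {
            dao.listUsers();                              // denied: class-level hasRole('ROLE_ADMIN')
        } catch (AccessDeniedException expected) {
            System.out.println("listUsers denied for the anonymous caller");
        }
        ctx.close();
    }
}
```

Note that "permitAll" and "isAnonymous()" are SpEL expressions and are only understood by the pre/post annotations; @Secured takes plain configuration attributes such as ROLE_ADMIN, which is consistent with the question's observation that @Secured("permitAll") did not work.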

Related

Extend Spring MVC class

I'm trying to extend a Spring MVC class which is the ConcurrentSessionControlAuthenticationStrategy and override the getMaximumSessionsForThisUser method with my own implementation.
How do I register or communicate to Spring to use my implementation of its method rather than its own?
For XML configuration, see Spring Security Reference:
21.2 SessionAuthenticationStrategy
SessionAuthenticationStrategy is used by both SessionManagementFilter and AbstractAuthenticationProcessingFilter, so if you are using a customized form-login class, for example, you will need to inject it into both of these. In this case, a typical configuration, combining the namespace and custom beans might look like this:
<http>
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
<session-management session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
...
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
For Java configuration, see SessionManagementConfigurer#sessionAuthenticationStrategy:
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
Allows explicitly specifying the SessionAuthenticationStrategy. The default is to use SessionFixationProtectionStrategy. If restricting the maximum number of sessions is configured, then CompositeSessionAuthenticationStrategy delegating to ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy (the default) OR SessionAuthenticationStrategy the supplied sessionAuthenticationStrategy, RegisterSessionAuthenticationStrategy. NOTE: Supplying a custom SessionAuthenticationStrategy will override the default provided SessionFixationProtectionStrategy.
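Putting the quoted reference and javadoc together, the Java-config way to use a subclass that overrides getMaximumSessionsForThisUser is to build the same CompositeSessionAuthenticationStrategy the javadoc describes yourself, with the subclass in the first slot, and hand it to sessionManagement().sessionAuthenticationStrategy(...). The listing is an added example for Spring Security 3.2, not code from the question or the reference; the PerRoleSessionControlStrategy class, the ROLE_SUPERVISOR limit of 3 and the fallback limit of 1 are illustrative.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// The subclass the question describes; the per-role numbers are illustrative.
class PerRoleSessionControlStrategy extends ConcurrentSessionControlAuthenticationStrategy {
    PerRoleSessionControlStrategy(SessionRegistry registry) {
        super(registry);
        // Refuse the new login when the limit is reached instead of expiring the oldest session.
        setExceptionIfMaximumExceeded(true);
    }

    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        for (GrantedAuthority ga : authentication.getAuthorities()) {
            if ("ROLE_SUPERVISOR".equals(ga.getAuthority())) {
                return 3;
            }
        }
        return 1;
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Same composition as the javadoc quoted above, with our subclass in place of the default
    // ConcurrentSessionControlAuthenticationStrategy. The explicit type witness keeps the List
    // typed as SessionAuthenticationStrategy under Java 7 inference.
    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new CompositeSessionAuthenticationStrategy(Arrays.<SessionAuthenticationStrategy>asList(
                new PerRoleSessionControlStrategy(sessionRegistry()),
                new SessionFixationProtectionStrategy(),
                new RegisterSessionAuthenticationStrategy(sessionRegistry())));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin().and()
            // Do NOT also call maximumSessions(): per the javadoc above, that would wrap this strategy
            // in another composite whose own ConcurrentSessionControlAuthenticationStrategy runs first.
            .sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy());
    }
}
```

Two operational caveats: SessionRegistryImpl only learns about destroyed sessions if HttpSessionEventPublisher is registered as a listener in the web application, otherwise stale entries keep counting against the limit; and because exceptionIfMaximumExceeded is true no ConcurrentSessionFilter is needed here, whereas if you prefer to expire the older session you must also register ConcurrentSessionFilter against the same registry.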

Not picking up properties from spring security config

I am using Spring Security and have an auth-ref-handler. Inside it I need to get a property, yet that property is not getting set. If I do the same code in my Spring MVC controller REST handler method, it works.
spring-security.xml
<context:property-placeholder location="file:/TcatServer6/myapp/properties/myapp/myapp.properties" />
<beans:bean id="adsh" class="com.mycompany.security.ADAuthenticationSuccessHandler"/>
<http auto-config="true">
<intercept-url pattern="/agent/**" access="ROLE_AGENT" />
<intercept-url pattern="/supervisor/**" access="ROLE_SUPERVISOR" />
<form-login
login-page="/r/views/login.html"
authentication-failure-url="/r/views/loginfailed.html"
authentication-success-handler-ref="adsh"
/>
<logout logout-success-url="/logout" />
</http>
In ADAuthenticationSuccessHandler:
@Autowired
@Value("${acr_url}")
private String acrURL;
I have the EXACT same code in one of my Spring MVC controllers and it works! In my AuthenticationSuccessHandler it always gets null.
Spring is turning out to be a configuration nightmare with all these things working inconsistently.
Update: Based on the feedback and my test, I think this may be a bug in Spring. Try it for yourself. Just try to get a property out of a property file using the @Autowired or @Value annotations within a Spring AuthenticationSuccessHandler in your spring-security.xml... can someone else try it and see if they get similar results?
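The post does not show which context loads spring-security.xml, and two things both have to hold before a field-level @Value is populated: annotation processing must be enabled in the context that defines the bean (a <context:component-scan> switches it on implicitly, which is why a scanned MVC controller works), and the property-placeholder configurer must be declared in that same context, since a BeanFactoryPostProcessor never touches the beans of a parent or sibling context. The listing below is an added Java-config equivalent, not code from the post, that sidesteps both conditions by reading the value from the Environment and passing it through the constructor, so a missing acr_url fails at startup instead of surfacing as null on the first login. The class name and property file path are the post's; what the handler does with acr_url is not shown on the page, so using it as the post-login target URL is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.core.env.Environment;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// The post's handler, with the setting injected through the constructor instead of a field.
class ADAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private final String acrURL;

    ADAuthenticationSuccessHandler(String acrURL) {
        if (acrURL == null || acrURL.isEmpty()) {
            throw new IllegalArgumentException("acr_url must be set");
        }
        this.acrURL = acrURL;
        setDefaultTargetUrl(acrURL);   // assumption: acr_url is the post-login landing page
    }

    String getAcrURL() {
        return acrURL;
    }
}

@Configuration
@PropertySource("file:/TcatServer6/myapp/properties/myapp/myapp.properties")
class SecurityBeans {
    // static: placeholder configurers are BeanFactoryPostProcessors and must exist before any other
    // bean of this context is created. Only required if ${...} placeholders are used elsewhere in
    // this context; the Environment lookup below does not depend on it.
    @Bean
    public static PropertySourcesPlaceholderConfigurer placeholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();
    }

    // @PropertySource has already added the file to the Environment, so this works whether or not
    // annotation-driven field injection is active in this context.
    @Bean
    public ADAuthenticationSuccessHandler adsh(Environment env) {
        // getRequiredProperty throws IllegalStateException if acr_url is absent from the file.
        return new ADAuthenticationSuccessHandler(env.getRequiredProperty("acr_url"));
    }
}
```

The bean is then wired with formLogin().successHandler(adsh) in the HttpSecurity configuration, the Java-config counterpart of authentication-success-handler-ref="adsh". If you keep the XML configuration instead, the equivalent check is that <context:annotation-config/> (or a component scan) and the <context:property-placeholder> both sit in the same file set as the adsh bean.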

Spring Security environment specific intercept-url

Here is the Spring Security intercept-url configuration:
<intercept-url pattern="/**.html"
access="ROLE_USER" requires-channel="https" />
I want to make requires-channel="any" for local environment.
Is it possible to add absolute URL in the pattern?
You can use Spring bean definition profiles to achieve that.
<beans profile="local">
</beans>
It's a new feature. Take a look at the entry on the SpringSource blog: http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/
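The profile approach in Java config, as an added example rather than code from the answer: one WebSecurityConfigurerAdapter carries the HTTPS channel requirement and is active unless the "local" profile is set, the other drops it (the counterpart of requires-channel="any") and is selected with -Dspring.profiles.active=local. The "!" negation is available on the Spring 4 line used in the first post on this page. The ant pattern "/**/*.html" is my rendering of the question's "/**.html" and matches .html resources at any depth; the class names are illustrative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Active whenever the "local" profile is NOT set: every .html page needs ROLE_USER and HTTPS.
@Configuration
@EnableWebSecurity
@Profile("!local")
class ProductionSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**/*.html").hasRole("USER")   // hasRole adds the ROLE_ prefix
                .and()
            .requiresChannel()
                .antMatchers("/**/*.html").requiresSecure()  // requires-channel="https"
                .and()
            .formLogin();
    }
}

// Active only with -Dspring.profiles.active=local: same authorization rule, no channel requirement.
@Configuration
@EnableWebSecurity
@Profile("local")
class LocalSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**/*.html").hasRole("USER")
                .and()
            .formLogin();
    }
}
```

Keeping the authorization rule in both classes is deliberate: the only thing that should differ between environments is the transport requirement, so that a local run still exercises the same access control as production. Because the default is the production variant, forgetting to set the profile fails safe (HTTPS enforced) rather than open.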

spring security3's protect pointcut is not working

<http >
<intercept-url pattern="/a.jsp" access="hasRole('ROLE_X')"/>
</http>
In Spring Security 3.0.7 or 3.1 this is OK: only ROLE_X can see the a.jsp page.
but:
<global-method-security >
<protect-pointcut expression="execution(* test.Test.o1*(..))" access="hasRole('ROLE_X')"/>
</global-method-security>
it is not working; everyone can use the method test.Test.o1.
When pre-post-annotations="enabled" and
@PreAuthorize("hasRole('ROLE_X')")
it is also not working; everyone can use the method test.Test.o1.
I'm so sad.
Any advice, or a working 'global-method-security' demo? Thanks.
You need to place this configuration in the servlet config.
http://static.springsource.org/spring-security/site/faq/faq.html#faq-method-security-in-web-context
See also:
Can Spring Security use #PreAuthorize on Spring controllers methods?
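The FAQ entry linked above comes down to context placement: method security is applied by a proxy-creating post-processor, and a post-processor only sees beans of the context it is declared in. Controllers are defined in the DispatcherServlet's context, so enabling method security only in the root (ContextLoaderListener) context leaves them unprotected, which matches the symptom "everyone can use the method". The listing is an added Java-config example of the correct placement, not code from the question or the FAQ; the class and handler names are illustrative, and registering springSecurityFilterChain itself (a subclass of AbstractSecurityWebApplicationInitializer) is not shown.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Root context: the filter chain and authentication, shared by the whole application.
@Configuration
@EnableWebSecurity
class RootSecurityConfig extends WebSecurityConfigurerAdapter {
}

// Stand-in for the question's test.Test: a controller method guarded by an annotation.
@Controller
class TestController {
    @PreAuthorize("hasRole('ROLE_X')")
    @RequestMapping("/o1")
    @ResponseBody
    public String o1() {
        return "only ROLE_X sees this";
    }
}

// Servlet context: the controllers are defined HERE, so method security must be enabled HERE.
// Controllers usually have no interface, hence proxyTargetClass = true (CGLIB proxies); with a
// JDK proxy a controller's @RequestMapping methods would no longer be found by Spring MVC.
@Configuration
@EnableWebMvc
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
class ServletConfig {
    @Bean
    public TestController testController() {
        return new TestController();
    }
}

public class AppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { RootSecurityConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { ServletConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}
```

A quick way to verify the placement is to request /o1 as a user without ROLE_X: with the annotation enforced you get a 403 from the AccessDeniedException, without it you get the response body. The same rule applies to the XML form: the <global-method-security> element goes into the DispatcherServlet's configuration file, next to the beans it should protect.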

global-method-security works on some beans but not others using spring security

I have a service,
<bean id="myservicie" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
<property name="service" ref="aService"/>
<property name="serviceInterface" value="com.statestr.oms.fx.ws.service.IService"/>
</bean>
Inside this aService,
@Secured({"ROLE_USER"})
private void mythod()
but it is not working.
However, if I move this method to another bean, say mybean, the security annotation works.
I have enabled both in the configuration like below; can anyone help? Thanks.
<global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
<protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Mybean*.*(..))" access="ROLE_USER"/>
<protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Service*.*(..))" access="ROLE_USER"/>
</global-method-security>
I guess it is because your application uses Spring proxy AOP, and this AOP style has no influence if the method is invoked directly (from the same bean). And I think that is what you do, because the method you mentioned is a private method.
So what you can do is:
use AspectJ (I strongly recommend it), or
put the @Secured annotation on a method that is invoked from outside of the bean.
Anyway, your configuration looks a bit strange: why do you use @Secured AND <protect-pointcut ...> for the same class? One of them should be enough.
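The proxy limitation the answer describes is easy to reproduce, and it is worth seeing because it is a silent bypass rather than an error. With proxy-based AOP the security interceptor sits on the proxy that other beans receive; inside the bean, a call on this goes straight to the target, so an unsecured public method can reach an @Secured method without any check. Private methods are never intercepted at all, since a JDK proxy can only implement the interface's methods. The listing is an added example, not code from the question or answer: the IService/ServiceImpl names echo the question, the Facade/SecuredOps split is the "move it to another bean" fix, and the ROLE_OTHER caller is constructed.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.context.SecurityContextHolder;

interface IService {
    String publicEntry();   // unsecured entry point that calls secured() on 'this'
    String secured();       // @Secured on the implementation
}

// The broken shape: the secured method is reached by self-invocation, so the proxy is bypassed.
class ServiceImpl implements IService {
    public String publicEntry() {
        return "via self-call: " + secured();   // 'this' is the raw target, not the proxy
    }

    @Secured("ROLE_USER")
    public String secured() {
        return "secret";
    }
}

// The fix: the secured operation lives in its own bean, so the caller holds the proxy.
interface ISecuredOps {
    String secured();
}

class SecuredOps implements ISecuredOps {
    @Secured("ROLE_USER")
    public String secured() {
        return "secret";
    }
}

class Facade {
    private final ISecuredOps ops;
    Facade(ISecuredOps ops) { this.ops = ops; }
    String publicEntry() { return "via proxy: " + ops.secured(); }
}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)   // Java-config form of secured-annotations="enabled"
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");   // illustrative
    }
}

@Configuration
class BeanConfig {
    @Bean public IService service() { return new ServiceImpl(); }
    @Bean public ISecuredOps securedOps() { return new SecuredOps(); }
    @Bean public Facade facade() { return new Facade(securedOps()); }
}

public class SelfInvocationDemo {
    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(MethodSecurityConfig.class, BeanConfig.class);
        // Constructed caller: authenticated, but without ROLE_USER.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("bob", "n/a", "ROLE_OTHER"));

        IService service = ctx.getBean(IService.class);
        System.out.println(service.publicEntry());   // prints the secret: the check was bypassed
        try {
            service.secured();                       // direct call through the proxy: denied
        } catch (AccessDeniedException e) {
            System.out.println("secured() denied when called through the proxy");
        }
        try {
            ctx.getBean(Facade.class).publicEntry(); // fixed shape: denied, as intended
        } catch (AccessDeniedException e) {
            System.out.println("Facade.publicEntry() denied: the secured bean is reached via its proxy");
        }
        ctx.close();
    }
}
```

The AspectJ option the answer recommends (mode="aspectj" in the XML, or mode = AdviceMode.ASPECTJ on @EnableGlobalMethodSecurity together with the spring-security-aspects weaving) removes the self-invocation gap because the advice is woven into the class itself rather than into a proxy, which also makes private methods interceptable. If you stay with proxies, treat any public method that calls a secured sibling as a review finding.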
