I am working on a Grails project that protects resources using Spring Security ACL plugin.
This application also allows resource owners to delegate permissions to other users and those users can further delegate their permissions to other users in viral fashion.
This works fine with standard Spring ACL API, but now I have new requirements:
Track who granted/delegated the given permission [User should be able to
see his/her permissions on a given resource as well as all other users
permissions that he/she delegated for that resource].
Control viral delegate by grantee by setting a flag to indicate if
this permission can be further delegatable.
I am planing to support those requirements by adding two additional fields [ 1. grantee (SID) , 2. isDelegatable ] to ACL_ENTRY table.
I wonder if it will impact any of the Spring ACL core functionality. How can I access those fields using standard Spring ACL API? Can I cast to custom Permission object and access those extended fields?
We are also planing to support time based expirable Permissions which are only applicable during given start and end time frame. where should I add this validation logic so that hasPermission() method call consider the time validity of the granted Permission?
Please advice.
Related
In Dynamics-365 crm, I want to grant read-write access request to an user of D-365 to a specific record of an entity if the user is not privileged with that privileges.
I did that by assigning some sort of security roles to that user. But I can't do that by modifying security role.
So how can I do that without assigning security role?
You can achieve the same share functionality in code using GrantAccessRequest, refer my another Stack Overflow answer for C# plugin example.
For web api, your org has to be greater than v9.0 as GrantAccess message was not available in web api till v8.2
Still to achieve this object based security model, you should give users privilege to read-write that entity records through role based security model. Without user having entity edit privilege in security role they cannot edit by getting record sharing.
Read more: Use record-based security to control access to records
If you do not wish to change/update your security Roles, then you can do so by sharing a particular Record with Either Team or User.Below 2 images will help you explain how to share a Record.
Now this process below is manual and you could achieve this process programmatically as well using C# i.e server side coding
Note:
If this solves your problem do mark this answer as solved.
I'm developing an application using Grails and Spring Security.
My wish is, when the user creates his account informing his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission for do every thing. This user with that role can creates new roles specifying the permissions but all roles created should be only in the company scope, so those roles should not be available for users of others companies.
I've seen that the Spring Security has a feature called Requestmap which for each URL, the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as many as the number of user.
Do you guys have some advice of how to solve this problem?
Thank you for all.
You should have a look on Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) to certain users on certain domain models.
Have a look on example taken from documentation:
#Transactional
#PreAuthorize("hasPermission(#report, write) or " +
"hasPermission(#report, admin)")
Report updateReport(Report report, params) {
report.properties = params
report.save()
report
}
By using PreAuthorize annotation it is checked if user has write (or admin) permission on this certain Report entity.
I am applying spring security to a web application where i need to do the following:
Limit access to certain pages for certain roles/authorities
Limit access to certain data based on user access and user role (for
example admin can see all data, a user can see only data on which the admin granted access for the user)
Allow actions on data based on the access right the user has (read,
manage, etc)
So, i was thinking:
Limit access to certain pages for certain roles/authorities -> use
hasRole
Limit access to certain data -> filter directly in the queries
getting the principal from the security context
Allow actions on data based on the access right the user has -> use
my custom PermissionEvluator's hasPermission method
Now this is a setup i came up with, but would like to know if this makes sens and if it is according to a good use of the spring security framework or am i simply twisting it too much.
Spring security provides all these features and makes implementing these features simple. Yes your approach is right. you can add below cases.
security none: allow unauthenticated users access to certain
pages.(login, public pages) authenticated: allow access to
authenticated users.. (general access to all registered users)
restrict based on role: readonly, editor/manager, based on
permissionEvaluator on the data user has access to
You can also use spring security to protect your web application against malicious users with features like
- CSRF protection (enabled by default)
- XSS protection
for further detail read: spring security manual
I have a requirement where I need to use role based access to service methods. I have restful services and i use spring-data to interact with MongoDB.
There are some of the restrictions that I have. I deal with a document in DB called "Organization". In each organization, I know who are the Admins. I do not have a repository of users who can access the services.
So the only way I can enforce some access based rules is to check if the logged in user is one of the admin's configured for each organization and then allow the user to access the methods.
Should I think of applying Spring security in this case? Otherwise will a simple check on user against the configured admins in the database document help? Can I make this check at a single point so that I can apply it to service methods based on my use case needs.
Please provide your suggestions / thoughts on how to go about this.
If you use Spring Security your rest methods can take advantage of a passed-in authenticated Principal object (example here) whereupon you can do whatever extra validation desired (such as checking if the admin is good for the given organization requested, etc.) There are many other parameters also available, perhaps allowing for this org checking to be done once and stored in the session object.
I'm using Spring Security which works great to make sure that a user has a certain role before accessing a resource. But now I need to verify something a little different:
`/product/edit/{productId}`
What is the best way to verify that the logged in user "owns" productId? My business mappings handle the relationship (a user has a list of products). I need to verify this product belongs to the user and hence, they can edit it.
I know how to gain access to productId and the logged in user in both the controller and an interceptor. I don't believe this logic belongs in the controller at all. The interceptor seems better but I wondered if Spring Security had an "accepted" way of handling this situation.
Yes, in Spring you can implement this by implementing Access Control Lists. ACL declaration specifies permissions for individual objects per user. Once you have everything setup like acl entries in your database and logic, you can use SpEL and #PostFilter annotation to control the list of objects returned to a user.
Spring Security Documentation
Related: