Printable View
Hello,
I developed an application using spring security.
I have secure it with intercept-url.
But my application has several project, and an user can not acces at all projects, this permition is defined in my database.
I want know if it's possible to use Spring security for restrict the access without add a ligne in all my controller.
Thanks.
I kindly suggest you to try to use a PermissionEvaluator (you'll need to enable Spring Security’s ACL module). Here you may find further information. This could resolve your problems at controller level
In case you're using Spring 3.1 (not sure if it's valid for 3.0), you may try the Accesscontrollist tag this way:
Here is also a discussion about permissions.Code:<sec:accesscontrollist hasPermission="admin,viewer" domainObject="${someProject}">
// display the link giving access to the project
</sec:accesscontrollist>
Best,
Carlos.
Thank's to spend your time to share. This is what I (and others, I believe), really need. It's really very informative post. Please keep it up. Looking for more relevant post.
thanks for your response.
When i have read your link, I have see the annotation @PreAuthorize for restrict the acces on the function. In my case i find this solution better as your Accesscontrollist .
But when I want use it... nothing, this annotation not work. And i want know why. I have put
In my applicationContext-security.xml. but nothing.Code:<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
I have try to move it in my applicationContext.xml and always nothing.
I dont understand.
Thanks.
Hi,
I think you'll need to provide more info about your application, otherwise we'll in what I call "a guessing scenario".
Info you might expose:
- spring version
- the applicationContext.xml
- an example where you're using the @PreAuthorization annotation
It also may help if you can inspect the log with DEBUG level, and see what happens when the annotated method is invoked.
Check the schema namespace you put in the applicationContext.xml is OK.
Check the global-method-security is in DispatcherServlet's context (I assume you're working with a web application).
And also check the documentation in order to verify everything is OK.
Hi,
My version of Spring is : 3.1.0.RELEASE,
And I use Spring Roo.
My application Contexe is :
My applicationContext-Security :Code:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!--
This will automatically locate any and all property files you have
within your classpath, provided they fall under the META-INF/spring
directory. The located property files are parsed and their values can
then be used within application context files in the form of
${propertyKey}.
-->
<context:property-placeholder location="classpath*:META-INF/spring/*.properties"/>
<!--
Turn on AspectJ @Configurable support. As a result, any time you
instantiate an object, Spring will attempt to perform dependency
injection on that object. This occurs for instantiation via the "new"
keyword, as well as via reflection. This is possible because AspectJ
is used to "weave" Roo-based applications at compile time. In effect
this feature allows dependency injection of any object at all in your
system, which is a very useful feature (without @Configurable you'd
only be able to dependency inject objects acquired from Spring or
subsequently presented to a specific Spring dependency injection
method). Roo applications use this useful feature in a number of
areas, such as @PersistenceContext injection into entities.
-->
<context:spring-configured/>
<!--
This declaration will cause Spring to locate every @Component,
@Repository and @Service in your application. In practical terms this
allows you to write a POJO and then simply annotate the new POJO as an
@Service and Spring will automatically detect, instantiate and
dependency inject your service at startup time. Importantly, you can
then also have your new service injected into any other class that
requires it simply by declaring a field for your service inside the
relying class and Spring will inject it. Note that two exclude filters
are declared. The first ensures that Spring doesn't spend time
introspecting Roo-specific ITD aspects. The second ensures Roo doesn't
instantiate your @Controller classes, as these should be instantiated
by a web tier application context. Refer to web.xml for more details
about the web tier application context setup services.
Furthermore, this turns on @Autowired, @PostConstruct etc support. These
annotations allow you to use common Spring and Java Enterprise Edition
annotations in your classes without needing to do any special configuration.
The most commonly used annotation is @Autowired, which instructs Spring to
dependency inject an object into your class.
-->
<context:component-scan base-package="com.logica.soa.ui">
<context:exclude-filter expression=".*_Roo_.*" type="regex"/>
<context:exclude-filter expression="org.springframework.stereotype.Controller" type="annotation"/>
</context:component-scan>
<!-- THE GLOBAL SECURITY, COMMENT FOR TEST -->
<!-- <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"> -->
<bean class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" id="dataSource">
<property name="driverClassName" value="${database.driverClassName}"/>
<property name="url" value="${database.url}"/>
<property name="username" value="${database.username}"/>
<property name="password" value="${database.password}"/>
<property name="testOnBorrow" value="true"/>
<property name="testOnReturn" value="true"/>
<property name="testWhileIdle" value="true"/>
<property name="timeBetweenEvictionRunsMillis" value="1800000"/>
<property name="numTestsPerEvictionRun" value="3"/>
<property name="minEvictableIdleTimeMillis" value="1800000"/>
<property name="validationQuery" value="SELECT 1"/>
</bean>
<bean class="org.springframework.orm.jpa.JpaTransactionManager" id="transactionManager">
<property name="entityManagerFactory" ref="entityManagerFactory"/>
</bean>
<tx:annotation-driven mode="aspectj" transaction-manager="transactionManager"/>
<bean class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" id="entityManagerFactory">
<property name="persistenceUnitName" value="persistenceUnit"/>
<property name="dataSource" ref="dataSource"/>
</bean>
</beans>
And I use this annotation for protect the acces of my controller by exemple :Code:<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true" >
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/projects/**" access="isAuthenticated()" />
<intercept-url pattern="/campaigns/**" access="isAuthenticated()" />
<intercept-url pattern="/property/**" access="isAuthenticated()" />
<intercept-url pattern="/formats/**" access="isAuthenticated()" />
<intercept-url pattern="/connectors/**" access="isAuthenticated()" />
<intercept-url pattern="/suites/**" access="isAuthenticated()" />
<intercept-url pattern="/providers/**" access="isAuthenticated()" />
<intercept-url pattern="/test-cases/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="permitAll" />
</http>
<!-- Configure Authentication mechanism -->
<!-- <authentication-manager alias="authenticationManager"> -->
<!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
<!-- <authentication-provider> -->
<!-- <password-encoder hash="sha-256" /> -->
<!-- <user-service> -->
<!-- <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" /> -->
<!-- <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" /> -->
<!-- </user-service> -->
<!-- </authentication-provider> -->
<!-- </authentication-manager> -->
<!-- Configure Authentication mechanism -->
<beans:bean name="conferenceAuthenticationProvider" class="com.logica.soa.ui.security.ConferenceAuthenticationProvider">
</beans:bean>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="conferenceAuthenticationProvider" />
</authentication-manager>
<!-- THE GLOBAL METHOD SECURITY -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
</beans:beans>
Code:@RequestMapping(params = "crea", produces = "text/html", method = RequestMethod.GET)
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String seeProject(@RequestParam(value="crea", required = true) TstTestTool project, Model uiModel)
the @PreAuthorize("hasRole('ROLE_ADMIN')") work with all function or only with the controller?
And I want use the @PreAuthorize("hasRole('ROLE_ADMIN')") in a controller :
my applicationContext.xml :Code:@RequestMapping(produces = "text/html", value = "/view")
@PreAuthorize("hasPermission(#tstt, 'view')")
public String list(@RequestParam(value = "project", required = false) TstTestTool tstt, Model uiModel) {
But When I use the application the debug show that is always "DenyAllPermissionEvaluator" who are used.Code:<!-- CONFIGURE THE PERMISSION EVALUATOR -->
<beans:bean name="FlowUnitPermissionEvaluator" class="com.logica.soa.ui.security.FlowUnitPermissionEvaluator"/>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="FlowUnitPermissionEvaluator"/>
</beans:bean>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
And I never seen my FlowUnitPermissionEvaluator.
I don't understand why.
Thanks
I have try your code
this code is ok, my classe is used for test the permission.Code:<sec:accesscontrollist hasPermission="admin,viewer" domainObject="${someProject}">
// display the link giving access to the project
</sec:accesscontrollist>
but with the annotation @PreAuthorize my class is not used I don't understand why...
Thanks
It sounds as though you are trying to secure your Spring MVC Controllers. You will need to ensure that you place the global-method-security in the web configuration as mentioned in the FAQQuote:
Originally Posted by deblockt
Thanks My issue is solved :)
I have put
in the web.xmlCode:<!-- CONFIGURE THE PERMISSION EVALUATOR -->
<beans:bean name="FlowUnitPermissionEvaluator" class="com.logica.soa.ui.security.FlowUnitPermissionEvaluator"/>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="FlowUnitPermissionEvaluator"/>
</beans:bean>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
Thanks