
Thread: How to secure just some of the scaffolded controller methods

  1. #1
    Join Date: Mar 2010, Posts: 15

    How to secure just some of the scaffolded controller methods

    Hi, this is my problem:

    1. suppose we have a RooScaffoldController
    2. suppose we have ROLE_USER and ROLE_ADMIN users


    What I'd like to do is have ROLE_USER access the create, createForm, show, update and updateForm methods, but not delete and list, which should be accessible only to ROLE_ADMIN.

    I was able to do it for delete method by adding

    <intercept-url pattern="/dogs/*" access="hasRole('ROLE_ADMIN')" method="DELETE" />

    in applicationContext-security.

    But list, create and update share the same GET request method, so how do I discriminate a createForm from a list, for example?

    In addition to that, why do I have to state pattern="/dogs/*" if the URL I call is in the form dogs?form?

    Can someone help me, please?

  2. #2
    Join Date: Mar 2010, Posts: 15

    For now, what I could do is this:

    Code:
    <http auto-config="true" use-expressions="true" path-type="regex">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>
        <!-- Configure these elements to secure URIs in your application.
             With path-type="regex" every pattern must match the whole request URL
             including the query string, and the first matching rule wins. -->
        <intercept-url pattern="/dogs\?form" access="permitAll"/>                            <!-- matches createForm -->
        <intercept-url pattern="/dogs.+?form" access="hasRole('ROLE_USER')"/>                <!-- matches updateForm (edit) -->
        <intercept-url pattern="/dogs\?page.+" access="hasRole('ROLE_ADMIN')"/>              <!-- matches the paged list -->
        <intercept-url pattern="/dogs" method="GET" access="hasRole('ROLE_ADMIN')"/>         <!-- matches the list without page/size params -->
        <intercept-url pattern="/dogs/\d+" method="DELETE" access="hasRole('ROLE_ADMIN')"/>  <!-- matches delete; as a regex, /dogs/* would not match /dogs/1 -->
    </http>
    But it's a solution I don't really like. Is it the only way to do it?

    I even tried to use global-method-security, pushing methods from the .aj to the Java class and using the @Secured annotation, but I was not able to let it manage the login form like it does with the actual configuration.
    Now if the user has to log in, the app automatically displays the login form. With global-method-security, if the user has to log in the app just redirects to a page that says invalid access or something like that. How could I solve this?
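    To see which scaffolded routes the posted regex rules really cover, here is an added Python harness (not from the thread) that models how Spring Security 3.0 evaluates intercept-url rules under path-type="regex": the pattern must match the whole servlet path plus query string, the method attribute restricts the verb, and the first matching rule wins. The Roo route list and the FIXED rule set are my assumptions about the poster's setup and intent, not configuration from the thread.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # one <intercept-url pattern=".." access=".." method=".."/>
    pattern: str                 # a regex, because <http path-type="regex">
    access: str
    method: Optional[str] = None # None = rule applies to any HTTP verb

def decide(rules, method, url):
    # Model of Spring Security 3.0 regex matching: whole servlet path + query string must
    # match, first matching rule wins, and a request matched by no rule gets no decision.
    for r in rules:
        if (r.method is None or r.method == method) and re.fullmatch(r.pattern, url):
            return r.access
    return None

# The rules exactly as posted in #2 above.
POSTED = [
    Rule(r"/dogs\?form", "permitAll"),
    Rule(r"/dogs.+?form", "hasRole('ROLE_USER')"),
    Rule(r"/dogs\?page.+", "hasRole('ROLE_ADMIN')"),
    Rule(r"/dogs/*", "hasRole('ROLE_ADMIN')", "DELETE"),   # ant-style wildcard, but parsed as a regex
]

# One rule per scaffolded method (assumed intent: ROLE_USER for create/show/update, ROLE_ADMIN for list/delete).
FIXED = [
    Rule(r"/dogs\?form", "hasRole('ROLE_USER')"),           # createForm
    Rule(r"/dogs/\d+\?form", "hasRole('ROLE_USER')"),       # updateForm
    Rule(r"/dogs/\d+", "hasRole('ROLE_USER')", "GET"),      # show
    Rule(r"/dogs", "hasRole('ROLE_USER')", "POST"),         # create
    Rule(r"/dogs", "hasRole('ROLE_USER')", "PUT"),          # update
    Rule(r"/dogs/\d+", "hasRole('ROLE_ADMIN')", "DELETE"),  # delete
    Rule(r"/dogs(\?.*)?", "hasRole('ROLE_ADMIN')", "GET"),  # list, with or without page/size
]

# Constructed sample: the request each RooScaffoldController method for Dog answers to.
ROUTES = {
    "createForm": ("GET", "/dogs?form"),      "create": ("POST", "/dogs"),
    "list":       ("GET", "/dogs"),           "list_paged": ("GET", "/dogs?page=1&size=10"),
    "show":       ("GET", "/dogs/1"),         "updateForm": ("GET", "/dogs/1?form"),
    "update":     ("PUT", "/dogs"),           "delete": ("DELETE", "/dogs/1"),
}

def audit(rules):
    """Map each route to the access expression that would apply (None = unprotected)."""
    return {name: decide(rules, m, u) for name, (m, u) in ROUTES.items()}

def unprotected(rules):
    """Routes that fall through every rule: the gaps a reviewer wants to see."""
    return sorted(name for name, access in audit(rules).items() if access is None)
```

    Run against the posted rules, the harness reports create, delete, list, show and update as unmatched: the bare list URL and the delete URL never hit the intended ROLE_ADMIN rules.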

  3. #3
    Join Date: Sep 2009, Posts: 101

    It's not a simple solution, but you can secure your controller methods with Spring Security annotations:

    1. Add <global-method-security pre-post-annotations="enabled" mode="aspectj"/> to applicationContext-security.xml
    2. Modify your pom as noted here: http://forum.springsource.org/showpo...7&postcount=12
    3. You will have to create your own security aspect to inject @PreAuthorize or @Secured annotations (since the methods you are trying to secure exist in Roo-managed .aj files):

      Code:
      import org.springframework.security.access.prepost.PreAuthorize;

      public aspect SecurityAspectBean
      {
          // ... (other declarations elided in the original post)

          // Attach @PreAuthorize to the Roo-generated Dog.remove() ITD so that
          // <global-method-security mode="aspectj"> enforces the role check.
          declare @method : public * Dog.remove() : @PreAuthorize("hasRole('ROLE_ADMIN')");
      }
    4. I think you need spring security 3.0.5 or greater.
    5. You may get an error something like "cannot use spring security X.x schema with spring security version Y.y". If so, change the schema location defined at the top of applicationContext-security.xml. For Spring Security 3.0.5, use:

      http://www.springframework.org/schem...rity-3.0.4.xsd

      For a 3.1 build of spring security, you can probably use:

      http://www.springframework.org/schem...curity-3.1.xsd

      NOTE: STS may still display the schema warning and an error marker in applicationContext-security.xml, but should not throw a compile error.

  4. #4
    Join Date: Mar 2010, Posts: 15

    Thanks man, I'll try this and let you know. Thanks again.

  5. #5
    Join Date: Sep 2009, Posts: 101

    acof, is it possible your intercept urls were not set up correctly at the time you were testing the annotations? I'd be surprised if the "@Secured" interceptor stepped in front of the general auth interceptor.

  6. #6
    Join Date: Mar 2010, Posts: 15

    Quote Originally Posted by mikej:
    acof, is it possible your intercept urls were not set up correctly at the time you were testing the annotations? I'd be surprised if the "@Secured" interceptor stepped in front of the general auth interceptor.

    What do you mean? When I used @Secured I removed all intercept urls from my configuration file. And when login was needed (since @Secured worked) I was not redirected to the login page, but to an exception page with an access denied message.

  7. #7
    Join Date: Sep 2009, Posts: 101

    You should use both. @PreAuthorize and @Secured simply allow or deny access to annotated methods; they won't prompt for a login. That's the job of the intercept urls in the Spring Security configuration.

    Use the Spring Security config to define access requirements for broad swaths of your website such as /, /public, /user, /admin, etc.

    Then annotate your admin-only service method with @PreAuthorize or @Secured to prevent a normal logged-in user from accessing the method.

  8. #8
    Join Date: Mar 2010, Posts: 15

    Quote Originally Posted by mikej:
    You should use both. @PreAuthorize and @Secured simply allow or deny access to annotated methods; they won't prompt for a login. That's the job of the intercept urls in the Spring Security configuration.

    Use the Spring Security config to define access requirements for broad swaths of your website such as /, /public, /user, /admin, etc.

    Then annotate your admin-only service method with @PreAuthorize or @Secured to prevent a normal logged-in user from accessing the method.

    OK, now I get it. I'll try to use your setup ASAP, thanks.

  9. #9
    Join Date: Mar 2010, Posts: 15

    One more thing: I'm desperately trying to understand where, when and how a URL in the form of dogs?form gets directed to the controller method createForm of DogsController... I don't find any configuration file that sets up URL rewriting for the application.

  10. #10
    Join Date: Sep 2009, Posts: 101

    The request mappings are defined by the @RequestMapping annotations.
