
Thread: Bypass access control for admin user

  1. #1

    Hi

    I have implemented method level security using spring annotations:

    Code:
    import org.springframework.security.access.annotation.Secured;

    public class GreetServiceImpl implements GreetService {

        // Only callers holding ROLE_USER may invoke greet()
        @Secured({"ROLE_USER"})
        public String greet(String username) {
            ...
        }

        // Only callers holding ROLE_EDIT_USER may invoke update()
        @Secured({"ROLE_EDIT_USER"})
        public String update(String username, Data data) {
            ...
        }
    }
    I have introduced a new role in this application, ROLE_ADMIN, which has access to all the methods in all the service classes irrespective of the annotations at method level or interceptors at url level. Is there any way to bypass the access check for ROLE_ADMIN?

    Thanks
    Amit Khanna

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team (Glasgow, Scotland)

    The role check is done in the class RoleVoter. You could use a custom voter (extending RoleVoter) which automatically grants access if the user has the admin role.

    You'll need to set a custom AccessDecisionManager on the global-method-security element:

    Code:
        <global-method-security secured-annotations="enabled"
            access-decision-manager-ref="accessDecisionManager" />
    where the accessDecisionManager bean is an instance of "AffirmativeBased", configured with your custom voter.
    Spring - by Pivotal
    twitter @tekul

  3. #3

    Hi

    I created a new voter and this is how my decision manager looks:
    Code:
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean class="pkg.java.auth.AllowPrivilegedRolesVoter">
                    <beans:property name="privilegedRoleTypes">
                        <beans:set>
                            <beans:value>ROLE_ADMIN</beans:value>
                        </beans:set>
                    </beans:property>
                </beans:bean>
            </beans:list>
        </beans:property>
    </beans:bean>
    I want to use the same accessDecisionManager for URL level access control, so I added it in the http element:

    Code:
    <http auto-config="false" disable-url-rewriting="true" use-expressions="true"
            access-decision-manager-ref="accessDecisionManager">
         <intercept-url pattern="/login.jsp" access="permitAll" />
         <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>
    Then I found that when expressions are used in the http element, the default voter is WebExpressionVoter, so I added it to the decisionVoters list:

    Code:
        <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
    But after adding this voter I got the following exception:

    Code:
    2011-03-16 20:18:01,258 ERROR [main] ContextLoader.initWebApplicationContext(220) | Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: interface org.aopalliance.intercept.MethodInvocation
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1420)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
    	... 
    Starting Jetty on port 8888
       [WARN] Failed startup of context com.google.gwt.dev.shell.jetty.JettyLauncher$WebAppContextWithReload@9b5441{/,/home/amit/workspace/TestProject/war}
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: interface org.aopalliance.intercept.MethodInvocation
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1420)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
    	...  
       [WARN] Nested in org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: interface org.aopalliance.intercept.MethodInvocation:
    java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: interface org.aopalliance.intercept.MethodInvocation
    	at org.springframework.util.Assert.isTrue(Assert.java:65)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:126)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
    	....
    Please help me fix this.


    Thanks
    Amit Khanna

  4. #4

    The reason this happens is that the WebExpressionVoter does not know how to decide access for methods (it understands URLs). I would create two AccessDecisionManager instances (one for methods and one for URLs). You can place the same instance of your AllowPrivilegedRolesVoter in both AccessDecisionManager instances to allow admins to do anything.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
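The following is an added example, not code from the thread or from the Spring Security project, that puts the two answers together: a voter in the spirit of the `AllowPrivilegedRolesVoter` bean from post #3 (the class, its `privilegedRoleTypes` property and the `Managers` holder are assumptions for illustration), plus two `AffirmativeBased` managers that share one instance of it, as Rob suggests. It assumes Spring Security 3.2 or later, where `AffirmativeBased` takes its voter list in the constructor and `AccessDecisionVoter` is generic. The `main` method exercises the `supports(Class)` check that `AbstractSecurityInterceptor.afterPropertiesSet()` runs and that produced the exception in post #3: a manager containing `WebExpressionVoter` rejects `MethodInvocation`, while the method-only manager accepts it.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.WebExpressionVoter;

/**
 * Illustrative voter (assumed name, modelled on the bean in post #3): grants
 * access whenever the caller holds one of the configured privileged roles and
 * abstains otherwise. Because it abstains rather than denies, it only "wins"
 * under AffirmativeBased, where a single GRANT is enough; under UnanimousBased
 * the RoleVoter's DENY would still block the admin.
 */
public class AllowPrivilegedRolesVoter implements AccessDecisionVoter<Object> {

    private Set<String> privilegedRoleTypes = new HashSet<String>();

    // Setter matching the <beans:property name="privilegedRoleTypes"> in the thread
    public void setPrivilegedRoleTypes(Set<String> privilegedRoleTypes) {
        this.privilegedRoleTypes = new HashSet<String>(privilegedRoleTypes);
    }

    // Vote regardless of attribute type (@Secured roles, URL expressions, ...)
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    // Accept both MethodInvocation and FilterInvocation secure objects, so the
    // same instance can sit in the method manager and in the web manager.
    public boolean supports(Class<?> clazz) {
        return true;
    }

    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            return ACCESS_ABSTAIN;
        }
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (privilegedRoleTypes.contains(authority.getAuthority())) {
                return ACCESS_GRANTED;
            }
        }
        return ACCESS_ABSTAIN;
    }

    /** Assumed holder for the two managers Rob recommends, sharing one voter. */
    public static class Managers {
        public final AccessDecisionManager forMethods;
        public final AccessDecisionManager forUrls;

        public Managers(AllowPrivilegedRolesVoter privileged) {
            // Method security: RoleVoter and AuthenticatedVoter both support MethodInvocation
            forMethods = new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(
                    new RoleVoter(), new AuthenticatedVoter(), privileged));
            // URL security: WebExpressionVoter supports FilterInvocation only
            forUrls = new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(
                    new WebExpressionVoter(), privileged));
        }
    }

    public static void main(String[] args) {
        AllowPrivilegedRolesVoter privileged = new AllowPrivilegedRolesVoter();
        privileged.setPrivilegedRoleTypes(Collections.singleton("ROLE_ADMIN"));
        Managers m = new Managers(privileged);

        // This is the check MethodSecurityInterceptor performs at startup; a manager
        // that contains WebExpressionVoter fails it for MethodInvocation.
        System.out.println("method manager supports MethodInvocation: "
                + m.forMethods.supports(MethodInvocation.class));
        System.out.println("url manager supports MethodInvocation: "
                + m.forUrls.supports(MethodInvocation.class));
        System.out.println("url manager supports FilterInvocation: "
                + m.forUrls.supports(FilterInvocation.class));
    }
}
```

Two points worth keeping in mind when wiring this up. `AbstractAccessDecisionManager.supports(Class)` returns false as soon as any one voter rejects the class, which is why one shared manager cannot serve both interceptors once `WebExpressionVoter` is in it; two managers with the privileged voter in each is the clean fix. And a voter like this makes every `@Secured` and `intercept-url` constraint void for anyone holding `ROLE_ADMIN`, so that role should be granted sparingly and its use should be visible in your audit trail.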
