Web Security Expressions and PathVariables

[spgmx]

Hi,

imagine the following url:

Code:

/users/{id}

secured by

Code:

<intercept-url pattern="/users/*" access="hasRole('admin')"/>

Now I what that not only admin-users are allowed to access this url but normal users too, but only if the user-id represents themself.

Code:

<intercept-url pattern="/users/{id}" access="hasRole('admin') or (hasRole('user') and principal.id == id)"/>

How could this be done?

Thank you

[Rob Winch]

This is more fine grained than Spring Security URL based security supports. To enforce constrains at the domain level (i.e. specific objects) you will need to use method level security.

[spgmx]

you will need to use method level security.

Hm, could you give me an example?

[achang]

Hi spgmx,

Take a look at something we just put up: (blog post) (github). It allows you to put @PreAuthorize annotations on Spring MVC controllers and routes requests based on whether the expression in @PreAuthorize evaluates to true or false. Maybe you can do something with what we currently have and add path variables into the @PreAuthorize expression evaluation context to get the behavior you desire.

UPDATE - Just added support for path variables. You can do something like:

Code:

	@RequestMapping("/secure/{name}")
	@PreAuthorize("authentication.name == #name")
	public String securePage(Principal principal, ModelMap model) {
		...
	}

Thanks,
Andy

[spgmx]

Hm... what you did was my first idea too. But then I would spread my access decisions across xml and annotations.
I would like to have it in the same place (xml).
My way now is the use an Aspect with pointcuts on these controller methods where it is needed.
Another way would be a web interceptor, but this is a bit more complicated because you have to parse the requests.

But I still think that <intercept-url /> would be the best place to run this logic...

[Marten Deinum]

The url knows nothing about path mappings, variables etc. it is just that a URL... Spring Security is also not aware of Spring MVC (nor should it as that would make it unusable for other web frameworks) so not sure how you see that functionality implemented...

[spgmx]

Well, i think this should be possible and it would also not interfere with other frameworks:

Code:

<intercept-url pattern="/users/{id}" access="hasRole('admin') or (hasRole('user') and principal.id == id)"/>

[achang]

@spgmx, I agree, it can definitely be done with <intercept-url> without interfering with other frameworks. Having intercept-url patterns support path variables seems like a pretty cool feature that doesn't seem difficult to implement. Have you implemented this already?

@Marten, yes, Spring Security definitely should not be aware of other web frameworks. If you were asking about my post, the functionality was implemented as add-on functionality on Spring MVC's side to support Spring Security's @PreAuthorize annotation using custom request conditions. It is based on Spring Security's <authorize> jsp tag. For use, it's only added in the DispatcherServlet's context so its effect is limited to Spring MVC's context (your service layer can still be protected by a <global-method-security />).

[spgmx]

@spgmx, I agree, it can definitely be done with <intercept-url> without interfering with other frameworks. Having intercept-url patterns support path variables seems like a pretty cool feature that doesn't seem difficult to implement. Have you implemented this already?

No, and I wonder why this is not part of standard spring security.

[Marten Deinum]

Missed the part about adding the expression to the URL expression in Spring Security, my reaction was to the fact that you basically want to use the @RequestMapping features for Spring Security also (which would let it interfere with other frameworks and have a hard dependency on Spring MVC).

That could indeed work, however it would only work for objects (as method arguments) available to Spring Security and not other domain objects as that would tie it more or less into Spring MVC.