Authorize tag when using a custom Voter

[hguidetti]

Hi all,

I have a defined a custom Voter to check roles depending on business data that is in the http session (in fact it depends on the datasource we use).
I can secure my method like that (and it works like a charm)

Code:

    
    @Secured("DS_ROLE_EDITOR")
    public void deleteCustomer(String id){
    ...
    }

In this example, the datasourceRoleVoter checks if the connected user has the role "EDITOR" on the datasource currently used.

Now I would like to secure my JSP pages using these DS_ROLE_* roles.

I tried to use

Code:

	<sec:authorize  access="hasRole('DS_ROLE_EDITOR')">
	You are editor on this datasource
	</sec:authorize>

But it doesn't work.

How can I tell Spring security authorize tag to use my voter, so it will so check if the user is an EDITOR for that datasource ?

Here is my config file :

Code:

	
	<http auto-config="true" use-expressions="true"
		access-decision-manager-ref="webAccessDecisionManager">
		<http-basic />
		<intercept-url pattern="/**" access="isAuthenticated()" />
	</http>
	
	<global-method-security secured-annotations="enabled"
		jsr250-annotations="enabled" pre-post-annotations="enabled"
		access-decision-manager-ref="methodAccessDecisionManager">
	</global-method-security>

	<beans:bean id="methodAccessDecisionManager"
		class="org.springframework.security.access.vote.AffirmativeBased">
		<beans:property name="decisionVoters">
			<beans:list>
				<beans:ref bean="datasourceRoleVoter" />
				<beans:ref bean="roleVoter" />
				<beans:ref bean="authenticatedVoter" />
			</beans:list>
		</beans:property>
	</beans:bean>

	<beans:bean id="webAccessDecisionManager"
		class="org.springframework.security.access.vote.AffirmativeBased">
		<beans:property name="decisionVoters">
			<beans:list>
				<beans:ref bean="datasourceRoleVoter" />
				<beans:ref bean="roleVoter" />
				<beans:ref bean="authenticatedVoter" />
				<beans:ref bean="webExpressionVoter" />
			</beans:list>
		</beans:property>
	</beans:bean>


	<beans:bean id="datasourceRoleVoter"
		class="com.mycompany.DataSourceRoleVoter">
		<beans:property name="rolePrefix" value="DS_ROLE_" />
	</beans:bean>
	<beans:bean id="webExpressionVoter"
		class="org.springframework.security.web.access.expression.WebExpressionVoter" />
	<beans:bean id="authenticatedVoter"
		class="org.springframework.security.access.vote.AuthenticatedVoter" />
	<beans:bean id="roleVoter"
		class="org.springframework.security.access.vote.RoleVoter" />

	...

Thanks in advance for you answer.

Hervé

[hguidetti]

I finally created my own expression handlers and use them in both method and web security.

Code:

	<http auto-config="true" use-expressions="true">
		<http-basic />
		<expression-handler ref="datasourceRoleWebSecurityExpressionHandler"/>
		<intercept-url pattern="/**" access="isAuthenticated()" />
	</http>
	
	<beans:bean id="datasourceRoleWebSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceWebSecurityExpressionHandler"/>
	

	<global-method-security secured-annotations="enabled"
		jsr250-annotations="enabled" pre-post-annotations="enabled">
		<expression-handler ref="datasourceRoleMethodSecurityExpressionHandler"/>
	</global-method-security>
	
	<beans:bean id="datasourceRoleMethodSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceMethodSecurityExpressionHandler"/>

So now, I can use the same expression for web and method security.

Code:

<sec:authorize access="hasDsRole('EDITOR')"> The secured content </sec:authorize>

Code:

@PreAuthorize("hasDsRole('EDITOR')")
public void aSecuredMethod()