Thread: AND, OR Conditions for global-method-security>protect-pointcut access in XML

  1. #1
    Join Date
    Jun 2012
    Posts
    1

    Question AND, OR Conditions for global-method-security>protect-pointcut access in XML

    Below is my configuration:
    Code:
            <global-method-security pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
                <expression-handler ref="expressionHandler"/>
                <protect-pointcut expression="execution(* com.myService.save(..))"
                    access="ACL_WRITE,ROLE_ADMIN"/>
                <after-invocation-provider ref="afterAclObjectRead"/>
                <after-invocation-provider ref="afterAclCollectionRead"/>
            </global-method-security>

    I am using Spring Security 3.1 with ACLs and expecting access="ACL_WRITE,ROLE_ADMIN" to grant access to a user with ROLE_ADMIN OR ACL_WRITE, but it is working like an AND condition, i.e. granting access only when the user has both ACL_WRITE AND ROLE_ADMIN.

    I strictly want to do it in XML and not using annotations. Also I don't want to grant ACLs to ROLE_ADMIN, because going forward I might want to give the save access to some other roles based on business requirements.

    How can I solve this? How can I make it work as an OR condition?

    Also I couldn't use EL here. Is there any way I can do something like access="ACL_WRITE or hasRole('ROLE_ADMIN')"?

  2. #2
    Join Date
    Oct 2012
    Posts
    5

    Default

    Even I am facing the same problem.

    My configuration is:
    Code:
            <security:protect-pointcut expression="execution(* com.*service.addEntity(..))" 
                access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
    where I am expecting access="hasAnyRole('ROLE_ADMIN','ROLE_EXTN')" to grant access to a user with the ROLE_ADMIN or ROLE_USER authority. But it is working like an AND condition, granting access to a user who has both ROLE_ADMIN and ROLE_USER authorities.
    Last edited by charybr; Jan 28th, 2013 at 06:19 AM.

  3. #3
    Join Date
    Oct 2012
    Posts
    5

    Default

    I came across the defect - Expression support in protect-pointcut xml config (https://jira.springsource.org/browse/SEC-1663).

    I could find a workaround by adding MethodExpressionVoter as mentioned in this defect.

    Also I was unable to use hasAnyRole because the attributes are built based on commas, i.e. hasAnyRole('ROLE_ADMIN','ROLE_USER') is broken down into 2 expressions:
    hasAnyRole('ROLE_ADMIN and 'ROLE_USER), which is invalid.
    So I used hasRole and it's working with the below config:
    Code:
            <security:protect-pointcut expression="execution(* com.*service.addEntity(..))" 
                access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
    Best Regards,
    Chary
    Last edited by charybr; Jan 28th, 2013 at 06:19 AM.
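The two behaviours reported in this thread (a comma-separated access attribute acting like AND, and hasAnyRole('A','B') being cut in two) both come from how the access string is turned into ConfigAttributes: a plain split on commas, after which each attribute is voted on separately by the configured voters. The following Python model is an added example written for this thread; it is not Spring Security's code and not any poster's code. It models RoleVoter/AclEntryVoter abstention and the AffirmativeBased vs UnanimousBased decision rules as I know them, and assumes (the thread does not say) that the first poster's accessDecisionManager combines votes unanimous-style, which is what produces AND semantics over "ACL_WRITE,ROLE_ADMIN". The linter at the top is the pre-deployment check a practitioner would want: it shows which tokens Spring would see and flags any expression that was cut mid-way.

```python
"""Model of how a Spring Security 3.x protect-pointcut access attribute is handled.

Constructed for illustration: these functions imitate Spring's behaviour
(comma split into ConfigAttributes, voter abstention, AffirmativeBased vs
UnanimousBased decisions). They are not Spring code.
"""
import re


def split_access_attribute(access):
    """ConfigAttributes are built from the access string with a plain comma
    split, unaware of quotes or parentheses, so any SpEL expression that
    contains a comma is cut into pieces."""
    return [tok.strip() for tok in access.split(",") if tok.strip()]


def token_is_well_formed(token):
    """A usable token has balanced single quotes and balanced parentheses."""
    if token.count("'") % 2:
        return False
    depth = 0
    for ch in token:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_access_attribute(access):
    """Return (tokens Spring would see, tokens that were cut mid-expression).
    Run over every access="..." in the XML before deployment."""
    tokens = split_access_attribute(access)
    return tokens, [t for t in tokens if not token_is_well_formed(t)]


HAS_ROLE = re.compile(r"^hasRole\('([A-Za-z0-9_]+)'\)$")


def evaluate_role_expression(expression, authorities):
    """Evaluate the comma-free subset of security SpEL used in the workaround:
    hasRole('X') terms joined by ' or ' (any suffices) or ' and ' (all needed)."""
    joiner, combine = (" or ", any) if " or " in expression else (" and ", all)
    results = []
    for term in expression.split(joiner):
        m = HAS_ROLE.match(term.strip())
        if not m:
            raise ValueError("unsupported term: %r" % term)
        results.append(m.group(1) in authorities)
    return combine(results)


def role_voter(attribute, authorities):
    """Like RoleVoter: votes only on ROLE_-prefixed attributes, else abstains (None)."""
    if not attribute.startswith("ROLE_"):
        return None
    return attribute in authorities


def acl_voter(attribute, acl_permissions):
    """Like an AclEntryVoter configured for the ACL_WRITE attribute; abstains otherwise."""
    if attribute != "ACL_WRITE":
        return None
    return "WRITE" in acl_permissions


def decide(strategy, attributes, authorities, acl_permissions=frozenset()):
    """Combine the votes the way AffirmativeBased / UnanimousBased do, with the
    default allIfAllAbstainDecisions=false (all abstain means deny)."""
    votes = [v(a) for a in attributes
             for v in (lambda a: role_voter(a, authorities),
                       lambda a: acl_voter(a, acl_permissions))]
    if strategy == "affirmative":
        return True in votes                          # one grant wins: OR
    if strategy == "unanimous":
        return False not in votes and True in votes   # one deny loses: AND
    raise ValueError("unknown strategy: %s" % strategy)


if __name__ == "__main__":
    # Constructed sample attributes from the thread.
    for access in ("ACL_WRITE,ROLE_ADMIN",
                   "hasAnyRole('ROLE_ADMIN','ROLE_USER')",
                   "hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"):
        print(access, "->", lint_access_attribute(access))
    admin_only = {"ROLE_ADMIN"}
    print("unanimous :", decide("unanimous", ["ACL_WRITE", "ROLE_ADMIN"], admin_only))
    print("affirmative:", decide("affirmative", ["ACL_WRITE", "ROLE_ADMIN"], admin_only))
    print("workaround :", evaluate_role_expression(
        "hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')", {"ROLE_USER"}))
```

Under the unanimous model the admin-only user is denied on "ACL_WRITE,ROLE_ADMIN" because the ACL voter votes deny on the first attribute, while the affirmative model grants on the ROLE_ADMIN vote alone; the hasAnyRole form is flagged by the linter as two broken tokens, and the hasRole(...) or hasRole(...) form from post #3 survives the split intact and evaluates as a true OR.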
