
Thread: How to customize the access level?

  1. #1
    Join Date: Sep 2008, Posts: 9

    How to customize the access level?

    In my project, all our authorities are stored in the database and we use groups instead of roles to control access. After rewriting the UserDetails to prepare all our authorities from the database, I got an IllegalArgumentException if I use our customized authority level in the configuration file. There is no problem starting the application if I use 'ROLE_ADMIN' instead of 'REGISTERED_USER_READ_ACCESS' as the value of the 'access' property in the 'intercept-url' element. Does anyone know which class defines the 'ROLE_ADMIN' values? How can I define my own access level inside the intercept-url element? Thanks in advance.

    My configuration file:
    Code:
    <security:http>
        <security:form-login login-page="/login.xhtml" authentication-failure-url="/login.xhtml?login_error=true" />
        <security:intercept-url pattern="/registeredUserHome.xhtml" access="REGISTERED_USER_READ_ACCESS"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:logout />
    </security:http>
    The exception I got:
    Code:
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [REGISTERED_USER_READ_ACCESS]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
        at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
        at ...

  2. #2
    Join Date: Sep 2008, Posts: 13

    In my project I customize the logic for DB access in the class JdbcDaoImpl (extends JdbcDaoSupport, implements UserDetailsService) in the package org.springframework.security.userdetails.jdbc.
    If you isolate this class (source) you can see the specific logic for managing groups and authorities.

    Marco

  3. #3
    Join Date: Sep 2008, Posts: 9

    Marco, thanks for your reply. We don't use JdbcDaoImpl in our project, and our UserDetailsService object can retrieve all privileges from the database quite well. My problem lies in the AccessDecisionManager.supports() method in Spring Security, which will return false if any "access" value in the intercept-url configuration does not begin with the "ROLE_" prefix. I tried changing the rolePrefix in the decision manager setting; it did not work either. I may have to use the quick and dirty fix of adding "ROLE_" in front of all our database values.

  4. #4
    Join Date: Sep 2008, Posts: 13

    But did you find the place in the framework where you can change the string constant ROLE_...?

  5. #5
    Join Date: Sep 2008, Posts: 9

    Quote Originally Posted by mlom:
    But did you find the place in the framework where you can change the string constant ROLE_...?
    Based on my research, in the Spring Security configuration there are two places where you can specify a role prefix: <ldap-user-service> and <jdbc-user-service>. If you don't use the LDAP or JDBC approach (like us; we have to use a DAO since we access the database through Hibernate JPA), I haven't found any simple configuration solution yet.

    I tried to customize the role-prefix in the voter through the <global-method-security> setting; it did not work. Besides the voter class, there are two other classes in the source that hard-code the prefix: org.springframework.security.authoritymapping.SimpleAttributes2GrantedAuthoritiesMapper and org.springframework.security.runas.RunAsManagerImpl. There must be some trick. BTW, according to the Javadoc, it may cause some potential problems if we don't use any prefix at all.

    Since I've spent too much time on this issue, I think I have to surrender to this "ROLE_" prefix bully now. God bless anyone who intends to challenge it.

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004, Location: Glasgow, Scotland, Posts: 3,449

    The "ROLE_" prefix is supported by the RoleVoter class. Since you are using the namespace, there is a default AccessDecisionManager used with a standard RoleVoter configuration.

    You can customize the AccessDecisionManager and voters used for web requests by setting the access-decision-manager-ref property of the <http> element and configuring an implementation (usually AffirmativeBased) using standard Spring beans.

    The same can be done for method security if required.
    Spring - by Pivotal
    twitter @tekul

  7. #7
    Join Date: Sep 2008, Posts: 9

    Quote Originally Posted by Luke Taylor:
    The "ROLE_" prefix is supported by the RoleVoter class. Since you are using the namespace, there is a default AccessDecisionManager used with a standard RoleVoter configuration.

    You can customize the AccessDecisionManager and voters used for web requests by setting the access-decision-manager-ref property of the <http> element and configuring an implementation (usually AffirmativeBased) using standard Spring beans.

    The same can be done for method security if required.
    Luke, have you tried to customize the role prefix through the AccessDecisionManager yourself? I tried it; unfortunately it did not work. The following is my configuration file; any idea what is wrong?

    Code:
    <?xml version="1.0" encoding="UTF-8"?>

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">

        <security:global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
            <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
            <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
            -->
        </security:global-method-security>

        <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
            <property name="decisionVoters">
                <list>
                    <bean class="org.springframework.security.vote.RoleVoter">
                        <property name="rolePrefix">
                            <value></value>
                        </property>
                    </bean>
                </list>
            </property>
        </bean>

        <bean id="userDetailsService" class="myproject.security.MyUserDetailsService" />

        <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />

        <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
            <security:custom-authentication-provider />
            <property name="userDetailsService" ref="userDetailsService"/>
            <property name="passwordEncoder" ref="passwordEncoder"/>
        </bean>

        <security:http>
            <security:form-login login-page="/web/login.xhtml" authentication-failure-url="/web/login.xhtml?login_error=true" />
            <security:intercept-url pattern="/**/login.xhtml*" filters="none" />

            <security:intercept-url pattern="/*.xhtml" access="READ_BY_REGISTERED_USER"/>

            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <security:logout />

            <!-- All of this is unnecessary if auto-config="true"
            <form-login />
            <anonymous />
            <http-basic />
            <logout />
            <remember-me /> -->

            <!-- Uncomment to limit the number of sessions a user can have
            <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
            -->
        </security:http>
    </beans>
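The fix Luke describes in #6, applied to the configuration posted in #7, as an added example: this is not code from the thread or from the Spring Security project, and it assumes the Spring Security 2.0.x class names and the bean ids and URL patterns from the posted config. Two things differ from the posted file. First, `access-decision-manager-ref` is set on `<security:http>`: the posted config set it only on `<global-method-security>`, so the web filter chain (the `_filterSecurityInterceptor` named in the exception in #1) kept the namespace's default manager with its standard `ROLE_` RoleVoter, and `READ_BY_REGISTERED_USER` was rejected at startup. Second, an `org.springframework.security.vote.AuthenticatedVoter` is added next to the prefix-less RoleVoter: with an empty prefix, RoleVoter claims every attribute and votes to deny `IS_AUTHENTICATED_ANONYMOUSLY` (no user holds an authority by that name), and AffirmativeBased only grants if some voter grants, so without the AuthenticatedVoter the `/**` rule would deny everyone.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the thread's own configuration. Bean ids, paths and
     class names are taken from the posted config; AuthenticatedVoter is the
     stock Spring Security 2.0 voter for the IS_AUTHENTICATED_* attributes. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">

    <!-- Web requests: without this attribute <http> keeps the namespace's
         default AccessDecisionManager (RoleVoter with the "ROLE_" prefix),
         no matter what <global-method-security> references. -->
    <security:http access-decision-manager-ref="accessDecisionManager">
        <security:form-login login-page="/web/login.xhtml"
                             authentication-failure-url="/web/login.xhtml?login_error=true" />
        <security:intercept-url pattern="/**/login.xhtml*" filters="none" />
        <!-- Attribute names now match the authority strings loaded from the
             database by MyUserDetailsService, with no prefix. -->
        <security:intercept-url pattern="/*.xhtml" access="READ_BY_REGISTERED_USER" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:logout />
    </security:http>

    <!-- Method security uses the same manager, so @Secured values follow the
         same naming as the intercept-url attributes. -->
    <security:global-method-security secured-annotations="enabled"
                                     access-decision-manager-ref="accessDecisionManager" />

    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <!-- Empty prefix: this voter supports every ConfigAttribute, so
                     the "Unsupported configuration attributes" startup check
                     passes for any access= value. It also votes DENY on
                     IS_AUTHENTICATED_ANONYMOUSLY, because no GrantedAuthority
                     carries that name. -->
                <bean class="org.springframework.security.vote.RoleVoter">
                    <property name="rolePrefix" value="" />
                </bean>
                <!-- Handles IS_AUTHENTICATED_ANONYMOUSLY / _REMEMBERED / _FULLY.
                     AffirmativeBased grants on any GRANT vote, so its GRANT
                     outweighs the RoleVoter's DENY for those attributes. -->
                <bean class="org.springframework.security.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>

    <!-- Unchanged from the posted configuration. -->
    <bean id="userDetailsService" class="myproject.security.MyUserDetailsService" />

    <bean id="passwordEncoder"
          class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />

    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>
</beans>
```

One caveat on the empty prefix, which is what the Javadoc warning mentioned in #5 is about. The startup failure quoted in #1 is the interceptor checking that every `access=` value is supported by at least one voter; it is the `ROLE_` prefix that makes that check meaningful. Once the prefix is empty, RoleVoter claims every string, so a misspelled attribute such as `READ_BY_REGISTRED_USER` no longer fails at startup and instead silently denies every request at runtime. If the stored authority strings can carry a fixed prefix of your own (say `PRIV_`, an assumed name here), setting that same string as `rolePrefix` on both the RoleVoter and the values in the database keeps the fail-fast check while still avoiding `ROLE_`.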
