Role and resolution in spring security 3

I am new to SS3; I read its reference link and also read the Spring Security book.

However, I did not find anything about role resolution.

For example, here is a configuration for forms-based authentication.

    <http auto-config='true'>
        <intercept-url pattern="/user/add/**" access="hasRole('USER_ADMIN')"/>
        <intercept-url pattern="/user/delete/**" access="hasRole('USER_ADMIN')"/>
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page='/login.jsp'/>
    </http>

I want to control the user's operations (add / remove):

    <intercept-url pattern="/user/add/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/delete/**" access="hasRole('USER_ADMIN')"/>

I define the role "USER_ADMIN", but this is not enough, because I want to distinguish a user who has "add" permission from a user who has "delete" permission.

Perhaps I can add several roles, such as 'user_admin_add' and 'user_admin_delete'.

But I don't think this is a good idea, because add and remove are permissions, not roles.

How to do it?

Also, it seems that all roles have to be configured in an XML file; I wonder if I can dynamically add new roles and permissions (on the admin page)?

+4

4 answers

Think of a role as a privilege, and make them as granular as you need. Another thing is that perhaps you should do a more RESTful implementation, but that is another thread.

For example, your "delete" might be the HTTP "DELETE" method. Then you can have:

    <security:intercept-url pattern="/users/*" method="DELETE" access="ROLE_DELETE_USER" />

and

    curl -X DELETE -u login:password 'http://example.com/users/1'

will remove the user with id 1.

Being RESTful, since URIs are either identifiers or actions, there is no need for dynamic additions (privileges), because these roles are intended to be used against a new resource, which must be declared in the XML file.

I'm afraid you won't be able to do this unless you use the ** wildcard, which, in my opinion, can lead to trouble if used carelessly.

+3

In my personal opinion, Spring Security has several (let's say) unfortunately chosen names. Therefore, do not pay so much attention to the term "Role"; it works great if you use it for privileges.

My applications use a naming convention to distinguish between roles and privileges (roles are written in uppercase, privileges in lowercase). But note that the RoleVoter will only pay attention to strings starting with "ROLE" (the default setting may be changed).

See also Spring Security Group Authorization

+2

"Perhaps I can add several roles, such as 'user_admin_add' and 'user_admin_delete'."

Something like that. Permissions are roles, and there are usually people who regard the distinction between them as unnecessary.

I don't think there is a big difference between the role ROLE_USER_ADDER and the permission PERMISSION_ADD_USERS.

However, you can use roles as a concept for grouping permissions if you need to. For example, you might have an administrator role that can add and remove users. Thus, the role ROLE_ADMIN would consist of PERMISSION_ADD_USER and PERMISSION_REMOVE_USER. However, Spring will only see roles and permissions alike as authorities.

As for adding dynamic roles, you can do this, for example, by loading the current user's permissions from your database. Take a look at Spring Security's UserDetailsService. The UserDetails object that it returns has a getAuthorities() method, which you can populate from your database.

    /**
     * Returns the authorities granted to the user. Cannot return <code>null</code>.
     *
     * @return the authorities, sorted by natural key (never <code>null</code>)
     */
    Collection<GrantedAuthority> getAuthorities();

Here is a very good example of implementing your own UserDetailsService.

+2
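As an added illustration of this answer's approach (not code from the question or any of the answers), here is a hypothetical UserDetailsService that expands each stored role into the permissions it groups, so a role like ROLE_ADMIN yields PERMISSION_ADD_USER and PERMISSION_REMOVE_USER as separate authorities. The maps are constructed sample data standing in for database tables, and SimpleGrantedAuthority assumes Spring Security 3.1 or later.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical UserDetailsService that expands roles into fine-grained permissions. */
public class PermissionUserDetailsService implements UserDetailsService {
    // Constructed sample data standing in for database tables; a real service
    // would query these (e.g. via JdbcTemplate) so an admin page can change them.
    private final Map<String, String> passwordHashByUser = new HashMap<String, String>();
    private final Map<String, Set<String>> rolesByUser = new HashMap<String, Set<String>>();
    private final Map<String, Set<String>> permissionsByRole = new HashMap<String, Set<String>>();

    public PermissionUserDetailsService() {
        passwordHashByUser.put("alice", "{encoded-password-hash-placeholder}");
        rolesByUser.put("alice", new HashSet<String>(Arrays.asList("ROLE_SALES")));
        permissionsByRole.put("ROLE_SALES", new HashSet<String>(Arrays.asList("PERMISSION_ADD_USER")));
        permissionsByRole.put("ROLE_ADMIN", new HashSet<String>(Arrays.asList("PERMISSION_ADD_USER", "PERMISSION_REMOVE_USER")));
    }

    /** Role names plus every permission those roles grant, as GrantedAuthority objects. */
    public List<GrantedAuthority> authoritiesFor(Set<String> roles) {
        Set<String> names = new HashSet<String>();
        for (String role : roles) {
            names.add(role);                        // coarse role, e.g. ROLE_ADMIN
            Set<String> perms = permissionsByRole.get(role);
            if (perms != null) names.addAll(perms); // fine-grained permissions it groups
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String name : names) authorities.add(new SimpleGrantedAuthority(name));
        return authorities;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = passwordHashByUser.get(username);
        if (hash == null) throw new UsernameNotFoundException("No such user: " + username);
        Set<String> roles = rolesByUser.get(username);
        return new User(username, hash, authoritiesFor(roles == null ? new HashSet<String>() : roles));
    }
}
```

With these authority names, an intercept-url such as access="hasRole('PERMISSION_REMOVE_USER')" on /user/delete/** passes only for users whose stored roles expand to that permission, since the 3.x hasRole expression compares the raw authority string without adding a prefix.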

You should think of roles more in terms of, well, roles, not permissions. If you want to distinguish between adding and removing users, you can define roles such as ROLE_SALES and ROLE_USER_ADMIN. Sales staff may need to add new users to the system.

Regarding the dynamic use of roles, you should look at the Spring Security architecture. Most likely, you will want to use or implement a suitable UserDetailsService. See the UserDetailsService reference documentation.

If you store user authorization data in a JDBC database, for example, you can use JdbcDaoImpl.

There are several examples of using different authentication providers in the namespace configuration.

0

Source: https://habr.com/ru/post/1380194/
