I am having problems with the @PreAuthorize annotation. There are two requirements.
The removal of all employees must be carried out by an authorized person with role USER or ADMIN.
Removing a single employee should only be possible with the ADMIN authority. I need to use method-level authorization with spring-security-4.

User.java
package com.nikunj.SpringMethodLevelAuthorization;
/**
 * Mutable employee value holder: a numeric id, a first name and a free-form type label.
 *
 * <p>Fields are package-private and writable through setters; no validation is done
 * anywhere, and instances are not safe to share across threads without external
 * synchronisation.
 */
public class user {

    // Identifier used by userImplementation.findById / deleteUser to locate an entry.
    int id;
    // Display name.
    String firstName;
    // Free-form label; the seed data uses values such as "SE", "SSE" and "LSE".
    String type;

    /**
     * Creates an employee with the given attributes.
     *
     * @param id        numeric identifier
     * @param firstName the employee's first name
     * @param type      a type label
     */
    public user(int id, String firstName, String type) {
        this.id = id;
        this.firstName = firstName;
        this.type = type;
    }

    /** @return the numeric identifier */
    public int getId() {
        return this.id;
    }

    /** @param id the new numeric identifier */
    public void setId(int id) {
        this.id = id;
    }

    /** @return the first name */
    public String getFirstName() {
        return this.firstName;
    }

    /** @param firstName the new first name */
    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    /** @return the type label */
    public String getType() {
        return this.type;
    }

    /** @param type the new type label */
    public void setType(String type) {
        this.type = type;
    }
}
userService.java
package com.nikunj.SpringMethodLevelAuthorization;
import java.util.Vector;
import org.springframework.security.access.prepost.PreAuthorize;
/**
 * Employee operations guarded by Spring method security.
 *
 * <p>The {@code @PreAuthorize} expressions live on this interface. NOTE(review): Spring
 * enforces them only when the call goes through the proxy of a container-managed bean;
 * an implementation created with {@code new} bypasses them entirely.
 */
public interface userService {

    /**
     * Removes the employee with the given id.
     * Restricted to callers holding ROLE_ADMIN ({@code hasRole('ADMIN')} matches the
     * {@code ROLE_ADMIN} authority configured in spring-security.xml).
     *
     * @param id identifier of the employee to delete
     */
    @PreAuthorize("hasRole('ADMIN')")
    void deleteUser(int id);

    /**
     * Returns all employees.
     * Allowed for callers holding either ROLE_USER or ROLE_ADMIN.
     *
     * @return the employee list
     */
    @PreAuthorize("hasRole('ADMIN') or hasRole('USER')")
    Vector<user> getAllUsers();
}
userImplementation.java
package com.nikunj.SpringMethodLevelAuthorization;
import java.util.Vector;
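/**
 * In-memory {@link userService} backed by a seeded {@link Vector}.
 *
 * <p>NOTE(review): this class carries no stereotype annotation (for example
 * {@code @Service}), so the component-scan in dispatcher-servlet.xml does not register it
 * as a bean, and HomeController instantiates it with {@code new}. Spring applies the
 * {@code @PreAuthorize} rules declared on {@link userService} only through the proxy of a
 * container-managed bean, so as written they are never enforced. Registering this class as
 * a bean and injecting it into the controller is the missing piece; that needs Spring
 * imports not present in this file, so it is left as a note here.
 */
public class userImplementation implements userService {

    // Backing store. Vector is kept because the interface's return type is Vector<user>.
    private final Vector<user> users;

    /** Seeds the store with six sample employees. */
    public userImplementation() {
        users = new Vector<user>();
        users.add(new user(1, "Nikunj", "SE"));
        users.add(new user(2, "Abdul", "SSE"));
        users.add(new user(3, "Mrinal", "LSE"));
        users.add(new user(4, "Anurag", "SE"));
        users.add(new user(5, "Naresh", "LSE"));
        users.add(new user(6, "Mahesh", "SE"));
    }

    /**
     * Looks up an employee by id.
     *
     * @param id identifier to search for
     * @return the first employee with that id, or {@code null} when none matches
     */
    public user findById(int id) {
        for (user u : users) {
            if (u.getId() == id) {
                return u;
            }
        }
        return null;
    }

    /**
     * Returns a snapshot of all employees.
     *
     * <p>A copy is returned instead of the live Vector: the original handed out the backing
     * store itself, so any caller holding the reference could add or remove employees
     * without going through the ADMIN-only {@link #deleteUser(int)}.
     *
     * @return a new Vector containing the current employees
     */
    @Override
    public Vector<user> getAllUsers() {
        return new Vector<user>(users);
    }

    /**
     * Removes the employee with the given id; a no-op when no such employee exists.
     *
     * @param id identifier of the employee to delete
     */
    @Override
    public void deleteUser(int id) {
        user match = findById(id);
        if (match != null) {
            users.remove(match);
        }
    }
}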
homeController.java
package com.nikunj.SpringMethodLevelAuthorization;
import java.util.Vector;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
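/**
 * MVC entry points for listing and deleting employees.
 *
 * <p>NOTE(review): {@code ui} is created with {@code new} rather than injected, so the
 * {@code @PreAuthorize} rules on {@link userService} are never applied: Spring's
 * global-method-security intercepts only calls that go through the proxy of a
 * container-managed bean. The fix is to make userImplementation a bean (for example
 * {@code @Service}) and inject it here (for example {@code @Autowired}); both need imports
 * this file does not have, so the construction is left unchanged and only documented.
 */
@Controller
public class HomeController {

    // Typed against the interface that carries the security rules rather than the class.
    // The former "users" instance field was removed: a @Controller is a singleton shared by
    // concurrent requests, so per-request data must not live in a field.
    private final userService ui = new userImplementation();

    /**
     * Lists all employees.
     *
     * @param model view model, receives the list under "users"
     * @return the allUsers view name
     */
    @RequestMapping(value = { "/users" }, method = RequestMethod.GET)
    public String getAllUsers(Model model) {
        System.out.println("in getAll()");
        return renderUsers(model);
    }

    /**
     * Deletes one employee and re-renders the list.
     *
     * <p>NOTE(review): a delete is state-changing but is mapped to GET, so it can be triggered
     * by any link (including one hosted elsewhere) and is not covered by the CSRF protection
     * that the Spring Security 4 {@code <http>} element enables by default. Mapping it to
     * POST, and updating the view accordingly, would close that gap; it stays GET here so the
     * existing JSP link keeps working.
     *
     * @param id    path variable identifying the employee
     * @param model view model, receives the refreshed list under "users"
     * @return the allUsers view name
     */
    @RequestMapping(value = { "/delete/{id}" }, method = RequestMethod.GET)
    public String deleteUser(@PathVariable int id, Model model) {
        System.out.println("in delete()");
        ui.deleteUser(id);
        return renderUsers(model);
    }

    /** Puts the current employee list in the model under "users" and selects the allUsers view. */
    private String renderUsers(Model model) {
        model.addAttribute("users", ui.getAllUsers());
        return "allUsers";
    }
}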
dispatcher-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring MVC configuration: annotation-driven controllers, static resources under
  /resources, a JSP view resolver and a component-scan of the application package.

  NOTE(review): the component-scan registers only classes that carry a stereotype
  annotation. HomeController is annotated @Controller; userImplementation has no such
  annotation, so it never becomes a bean and the @PreAuthorize rules on userService
  cannot be applied to it.

  NOTE(review): web.xml lists this file in the root context (contextConfigLocation) and
  the DispatcherServlet named "dispatcher" appears to load it a second time by naming
  convention, so the same beans may be created in both contexts. Confirm which context
  is intended; global-method-security is declared in spring-security.xml only.
-->
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<annotation-driven />
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves logical view names such as "allUsers" to /WEB-INF/views/allUsers.jsp. -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="com.nikunj.SpringMethodLevelAuthorization" />
</beans:beans>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 4 configuration: login via auto-config, one URL rule, method security
  for the @PreAuthorize annotations, and an in-memory user store.

  NOTE(review): the only intercept-url pattern is "/", which with the default matcher
  matches the root path alone. /users and /delete/{id} are not listed, so the web layer
  does not require authentication for them and everything rests on the method-level
  rules. A catch-all such as pattern="/**" (or an explicit rule for those paths) would
  make the URL layer enforce the same roles.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config="true">
<intercept-url pattern="/" access="hasRole('USER') or hasRole('ADMIN')" />
</http>
<!-- Enables @PreAuthorize/@PostAuthorize on beans of the application context this file is
     loaded into (the root context, per web.xml). NOTE(review): method security is applied
     per context; beans of a child DispatcherServlet context are not covered unless this
     element is present there as well. Also, only container-managed beans are proxied, so an
     implementation created with "new" is never checked. -->
<global-method-security pre-post-annotations="enabled"/>
<authentication-manager>
<authentication-provider>
<!-- Development credentials in clear text inside the configuration file; keep them out
     of production builds and version control. hasRole('ADMIN') in the annotations matches
     authorities="ROLE_ADMIN" because hasRole prepends the ROLE_ prefix. -->
<user-service>
<user name="abdul" password="root123" authorities="ROLE_ADMIN"/>
<user name="nikunj" password="secret" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 2.5 deployment descriptor: one DispatcherServlet mapped to "/", a root
  application context built from both Spring XML files, and the Spring Security filter
  chain in front of every request.
-->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- No contextConfigLocation init-param is given, so this servlet appears to load
     /WEB-INF/dispatcher-servlet.xml by the "<servlet-name>-servlet.xml" convention, in
     addition to the root context below loading the same file. Confirm whether that
     double load is intended. -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Root context (ContextLoaderListener): both MVC and security configuration are
     loaded here, so global-method-security applies to beans of this context. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/dispatcher-servlet.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- DelegatingFilterProxy looks up the bean named after the filter; "springSecurityFilterChain"
     is the name Spring Security registers, so the name must stay exactly as written. Mapped to
     /* so every request passes through the security filter chain. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>