I am developing a Spring Boot application. And I have some permission checks in that program that is checked within controller methods. For an example there are some checking methods to check if there is any duplicate records, if that logged in user a member and so on. So what I was thinking is I need to move onto #PreAuthorize. So how can I create custom methods to do those duplicate validations and member validations and used them via #PreAuthorize. I know those duplicate checked can be done in anywhere else but I personally need to use #PreAuthorize. So anybody can help me? I really appreciate that.
You can do this using custom expression with #PreAuthorise
#PreAuthorize("isDuplicate(#id)")
#GetMapping("/organizations/{id}")
#ResponseBody
public Organization findOrgById(#PathVariable long id) {
return organizationRepository.findOne(id);
}
public boolean isDuplicate(Long OrganizationId) {
// add your logic here to check duplicates or any validation
}
refer https://www.baeldung.com/spring-security-create-new-custom-security-expression for more info
Related
I'm developing API using Spring Framework and faced a problem that can be solved by simply adding a necessary logic to every place I have it, but I think that there might be an elegant solution to fix it.
I have the following method in my controller:
#GetMapping("/user/{userId}/permissions")
public List<PermissionDto> list(#PathVariable long userId,
#ModelAttribute #Valid PermissionCriteria criteria) {
return permissionService.list(criteria);
}
The thing is that in dto I have a field called userId. It's made not to have a lot of arguments going to the method of the service. But, I want this user id to be set exactly from path since I use the URL that specifies that we are adding permission exactly to specific user resource. It's doable by making addition line that uses setter in the criteria and sets the value of userId. However, now I should never forget to add this line every time I have a case like that. That's why I decided to move it to InitBinder:
#InitBinder(PERMISSIONS_CRITERIA_NAME)
public void permissionsCriteriaInitBinder(WebDataBinder binder) {
PermissionsCriteria criteria = (PermissionsCriteria) binder.getTarget();
Optional.ofNullable(requestHelper.getUserId())
.map(Long::parseLong)
.ifPresent(criteria::setUserId);
}
It works fine. The user ID is set from the path. However, If I specify request parameter and path variable at the same time, even though userId is set from the path in init binder, it's overridden afterwards before it goes to the controller method. So, this one doesn't solve all the issues.
What I want to find, is someplace where the logic can be put to apply to both init binder(I need it for validation) and controller method. Maybe there is a special type of hook or interceptor or at least something to implement to satisfy this conditions?
in my controller, I need to choose what service implementation I need to use on spring. Before I was encapsulating this code in a factory, but I think that its not a good practice...
#Component
public class StoreServiceFactory {
#Autowired
private List<StoreService> storeServices;
public StoreService getService(){
if(isActiveSale){
return storeServices.get("PublicStoreService")
}
return storeServices.get("PrivateStoreService")
}
}
So I would like to encapsulate this behaviour to not care about inside my controller.. How can I get it??
If isActiveSale changes when the application is running, I think that what you got is a good solution. Since the Controller is a singleton you can't expect a different injection everytime this value changes.
If you get the value only on the startup of the application(e.g. from some property) you can use a profile.
There is nothing wrong with a factory, although as #R4J points out in the comments it is more of a provider, since it doesn't instantiate anything. I would consider the factory/provider a good choice if the 'isActiveSale' status changes based on things outside of the current control flow, like a configuration in a property file. A setting set in some adminstration screen, or maybe based on the time of day.
I have in place a spring security ACL system, and it seems to work fine, only that I `m not sure how should I perform a permission check programmatically.
My app is split into 3 layers (View,Service(Business),DAO) and I want to perform the auth in the Service layer. So, for a method that take as an argument a domain object :
#PreAuthorize("hasPermission(#proj,'write'")
public Project updateProject(Project proj) {
.............
}
the problem is solved with annotations.
But for a method that take as an argument an object that does not have an acl on it I have to programmatically check if user has permission.
Let`s say i have an object ProjectWrapper:
public class ProjectWrapper {
private Project project;
private Something something;
// setters and getters here
}
so now my Service method received this type of argument:
public Project updateProject(ProjectWapper projWrapp) {
Project p = projWrapp.getProject();
// before performing any operation on project I need to know if current user has neccessary permissions on this object
// ??? how do i check that ?
}
Do i need to use AclService to perform that ? just like when I need to create/update a permission, or is there an cleaner/nicer possibility ?
The same question for deleteProject(Long id) methods,as first i have to get the object from db to check if the current user has delete permission.
Method security annotations support Spring EL expressions. In case of your wrapper class, you can use it as follows.
#PreAuthorize("hasPermission(#projectWrapper.project, 'write'")
public Project updateProject(ProjectWrapper projectWrapper) {
// body omitted
}
And if you have just an object identifier instead of the actual object, you can use pattern below.
#PreAuthorize("hasPermission(#id, 'my.package.Project' 'delete'")
public void deleteProject(Long id) {
// body omitted
}
You may need to adjust default configuration (e.g. strategy to retrieve object identity and the like) to meet you requirements. See org.springframework.security.acls.AclPermissionEvaluator class for more details.
In play 2.0 you can get the request binding with validation done (via annotations) by :
ABCForm abcForm=(ABCForm)form(ABCForm.class).bindFromRequest().get();
The problem I have is , I want to get the validation done after trimming the form values.
So is there a way to either defer or call the validation stuff post binding in play 2.0 ?
Binding and validation are combined. So validation after the binding is not possible, as far as I know. However you can create a validate() method, in which you trim your values before validating them. For example:
public class User {
public String name;
public String validate() {
name.trim
if(name == "") {
return "Name is required";
}
return null;
}
}
The validate() method will be invoked when you bind a form. So you can make sure your data is valid, but errors won't be automatically added to the Form.Field objects. So it is certainly a nice solution.
There are also pretty much discussions about Form validation in Play's Google Group, so if you want to know more about the binding/validation problems I recommend reading them: https://groups.google.com/forum/#!searchin/play-framework/%5B2.0%5D$20validation.
If you need to modify your values before validation. You can create a setter for your field and do your trims there.
In Spring 3, is there a method that accepts a comma-separated list of permissions and returns a Boolean of whether the logged in user has any of those permissions? I envision doing something like:
if(loggedInUserHasAnyOfThesePermissions("PERMISSION_READ,PERMISSION_EDIT")){
//do stuff
}
Currently, since don't know of any such built-in method, I'm doing this:
Set<String> permissions = new HashSet();
for (GrantedAuthority auth : SecurityContextHolder.getContext().getAuthentication().getAuthorities()) {
permissions.add(auth.getAuthority());
}
if (permissions.contains("PERMISSION_READ") || permissions.contains("PERMISSION_EDIT")) {
//do stuff
}
I've searched for hours and haven't found a more concise and elegant way of doing this, but one must exist. Thanks for your help!
P.S. I'm already familiar with how to handle permissions in JSP like this: ( how to conditionally show jsp content to logged in users with Spring security ) But what I need now is a way to check within the controller.
The HttpServletRequest has a method isUserInRole, which may be useful. Example:
public String someControllerMethod(HttpServletRequest request, ...) {
boolean read = request.isUserInRole("PERMISSION_READ");
...
}
In Spring 3, is there a method that accepts a comma-separated list of permissions and returns a Boolean of whether the logged in user has any of those permissions?
No there is not.
I ended up defining and implementing my own convenience API to do this kind of thing.
You can use Spring security and than use the Pre and Post Annotations which operates on a method level.
The actual logic behind the pre a post annotations is probably accessible so you can probably accomplish what you want.
In Spring 3, is there a method that accepts a comma-separated list of permissions and returns a Boolean of whether the logged in user has any of those permissions?
Are you talking about ExpressionUtils that can evaluate expressions such as hasAnyRole([role1,role2])?
I ended up coding my own class: MyUserDetails class has various methods including one that iterates over roles and permissions to see all the permissions that a user has, such as:
for (Permission permission : role.getPermissions()) {
permissions.add(new GrantedAuthorityImpl(permission.getName()));
}
It's pretty ugly, but I don't have a better way yet.
I use it by doing something like:
MyUser loggedInUser = myUserDAO.getByUsername(principal.getName());
MyUserDetails loggedInUserUD = new MyUserDetails(loggedInUser);
if (loggedInUserUD.hasAnyPermission("perm1, perm2")){
//do stuff
}