Based on other postings on SO and the web, it would appear that there is no built-in mechanism in a Servlet 3+ container to retrieve the roles from a logged in user, but rather only to check if a user is in a role: request.isUserInRole(String)
But is there any way to retrieve the security-role list as defined for the application?
I find it strange that a LoginModule must persist the principal's credentials but there is nothing defined/related to a principal's roles. At some point, when you call isInRole(), the container must be able to check the list of the user's assigned roles. Is that information not exposed anywhere?
I cannot seem to find any mechanism which allows me to retrieve the defined roles from my deployment descriptor (or via annotations). I'm targeting Wildfly 10/Undertow, but ideally looking for a container agnostic solution.
Is this even feasible? Is there any easy way to programatically retrieve the security-roles defined in my application (either as defined in my descriptor or via #DeclareRoles annotations)?
For retrieve #rolesAllowed annotation I used introspection.
You can do the same to retrieve the defined roles via annotations.
Te reference this in the example is a Servlet.
ServletSecurity ss = this.getClass().getAnnotation(ServletSecurity.class);
for (String role : ss.value().rolesAllowed() ) {
out.print(role + " ");
}
The annotation in the servlet is:
#WebServlet(name = "Coquito", urlPatterns = {"/Coquito"})
#ServletSecurity (#HttpConstraint( rolesAllowed= {"nuevo_menu_intranet"}))
public class Coquito extends HttpServlet {
}
Related
Using Spring Security 5.2.X (latest currently), I need to prevent the access to a third party role to all methods but one in a SOAP service. In other words, I need that particular role to have access only to one particular method among all of the availables in the service.
Normally, a usual method level securization consists of annotation with #Secure("MY_ROLE"). This makes the method only to be accessible for that role.
Is it possible to tell Spring Security Core to do the opposite. I.e, configure it in a way that certain user only has access to the secured method.
Of course, the workaround could be:
// Method accessible by anyone but third party role
#Secured({"GOOD_ROLE1", "GOOD_ROLE2", "GOOD_ROLE3"})
public void methodAccessibleByAnyoneButThirdPartyRole(){
}
// Method accessible by anyone, including third party role
#Secured({"GOOD_ROLE1", "GOOD_ROLE2", "GOOD_ROLE3", "THIRD_PARTY_ROLE"})
public void methodAccessibleByAnyone(){
}
Other workaround would consist of just creating a new service only with the method to be restricted.
But is there any annotation option to get the same straightaway? Something like #PreAuthorize("!hasRole('THIRD_PARTY_ROLE')") or similar?
According to Spring Security doc you can use any Spring Expression Language (SpEL) in #PreAuthorize
Any Spring-EL functionality is available within the expression, so you
can also access properties on the arguments. For example, if you
wanted a particular method to only allow access to a user whose
username matched that of the contact, you could write
#PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);
So you can use:
#PreAuthorize("!hasRole('THIRD_PARTY_ROLE')")
Also as more readable variant:
#PreAuthorize("not hasRole('THIRD_PARTY_ROLE')")
Good morning
I am using ejb2 (older application) on weblogic 10.
There are methods in my session beans that are secured to be executed by certain role.
Each of my ejb interface method I annotate with
`#ejb.permission role-name="role1, role2"`
Since some methods maybe executed by users in few different roles, how can I tell which role runs the method?
I know how to know if a "caller is in a certain role"
Principal principal = ctx.getCallerPrincipal() ;
boolean isRole = ctx.isCallerInRole("role2") ;
But, is there a way to obtain the actual caller's role? Something like "getCallerRole()" or such?
In the xml file "ejb-security-roles.xml" I specify what roles are in application domain
<security-role>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>
Then, each of those roles are mapped to LDAP in the "weblogic-security-role-assignment.xml"
<security-role-assignment>
<role-name>role1</role-name>
<principal-name>Role1User</principal-name>
</security-role-assignment>
<security-role-assignment>
<role-name>role2</role-name>
<principal-name>Role2User</principal-name>
</security-role-assignment>`
Can anyone help, directing me to the right path of thinking?
Just use if (ctx.isCallerInRole("role2")) {
According to Oracle Accessing an Enterprise Bean Caller’s Security Context,
it is only way to check user's role.
Here is what I'm trying to do: I have an authentication EJB that can grant user a "ticket" (pair of key and token) by validating username and password. Clients should pass the ticket every call to remote EJB and such ticket should be able to be fetched by EJB (method, or interceptor) and EJB/ or interceptor should validate the ticket and determine whether the call is valid or not.
I don't want to add ticket as parameter to each function that requires authentication, and I believe there should be a way to implement this. I've looked through several articles about JAAS custom login module, but still can't find a non-vendor specific way to do this. (And I am trying to avoid vendor specific implementation)
If JAAS can't do the job, is there anything like "header" in EJB?
Couldn't you just use roles to perform this authorization? Instead of granting a ticket to a user, assign him a role.
Then, it's just a matter of using the inbuilt functionality of checking whether a user is in a role or not.
Although I agree with #EdH, i.e. use #RunAs, you can accomplish what you want by adding to the EJB context your token.
Red Hat does something similar here by using the interface EJBClientInterceptor.
By looking the code of ReceiverInterceptor (which implements the EJBClientInterceptor) you can see how to modify the EJB context (on the client-side) and add your token:
context.setReceiverInvocationContext(new
EJBReceiverInvocationContext(context, receiverContext));
context.sendRequest();
I working on Spring MVC app. The app funcionality is accessible through ReST API which jsp containing ajax logic consume. I am using spring security with defined roles (USER, COMPANY, ADMIN). Methods use requestMapping with responseBody such as:
www.app.com/auth/{userId}/request/{requestId}
It, of course, support GET for obtaining resource and POST for its creating or updating.
The problem is that after succesful login with, for example, userId = 1 I want GET request with requestId = 99. But when I run WebDev client for Chrome, I can also access another resource with easy request in format
www.app.com/auth/5/request/{requestId}
So basically, I can access resources, which I am not allowed to see. I hope you got the idea, where I am heading.
My question is - What is the best approach to secure this?
I was thinking about storing logged user Id (Integer) in session and comparing it everytime request for resource is made, but it seems to me that I am pulling the wrong end of rope :)
Thank you for any advice
You should have a look into the Expression-Based Access Control section of the spring security documentation.
Example copied from the documentation:
#PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact) {
..
}
This would check if name of the contact is equal to the name of the currently logged in user.
Using this this feature you can build much more sophisticated access rules than you could do with simple roles. However, this does not exclude using roles. You can still keep roles for basic security checks.
I need to make a legacy application start using spring security 3.
This app already has its security data model with:
Very simple by far. I can write my custom usersByUsernameQuery and authoritiesByUsernameQuery.
The thing is that there is another table indicating the operation (i.e. #Service layer method) that a Role can execute:
So the administrator can enable/disable a role from accessing an operation through a web interface, without redeploying the app.
I still can annotate the business methods with #Secure('ROLE_ADMIN') for example, but my custom UserDetailsService must know at least the method name that is being secured, so I can perform the right query.
So, the question is: is there a way that my custom UserDetailsService can intercept the method's name that is being secured?
It sounds like your access-decision is based on the "operation role", rather than the user roles, so it might be better to use the "operational role" directly in the Spring Security constraints. That is essentially an RBAC approach, where there is a mapping between the user roles and the operations they are allowed to perform.
You would address the issue in the AuthenticationProvider rather than the UserDetailsService, by adding a mapping layer in there which translates the user roles (supplied by the UserDetailsService) into the rights that the user has within the application. These would make up the collection of authorities that are returned in the Authentication object created by the AuthenticationProvider.
The mapping layer would directly use the data which your administration interface provides.
You might want to take a look at this presentation, by Mike Weisner, which covers similar material, amongst other things.
Not also that Spring Security 3.1 will include an additional GrantedAuthorityMapper strategy to make it easier to plug in a mapping of this kind.