My requirement is the following: we have an application that uses roles, let's say (ADMIN/USER/GUEST); depending on the role, users can access different sections of the application. However, in a specific section some of them can see certain actions/options/buttons/tabs, meaning that for two ADMIN users the configuration of the screen and the available options could be different.
I was reading about DomainACL in Spring Security and Spring Security permissions. I believe using DomainACL is not what I need to cover this requirement, as I don't need object-granular security.
My question is: is there a specific out-of-the-box feature of Spring Security that can solve this requirement that I don't know about, taking into consideration that I need to add some Java tags in the JSP to remove buttons/controls from the UI?
Another question is: will permissions without DomainACL be enough to solve this requirement, or am I missing something?
Basically I need to save the actions that can be executed by some users plus the role of the users. Let's say that I want to store the permissions in the database as "EXECUTE SEARCH", "VIEW_USER_TAB":
ADMIN / peter / "EXECUTE SEARCH", "VIEW_USER_TAB"
ADMIN / sarah / "EXECUTE SEARCH"
USER / john / "VIEW_USER_TAB"
I'm using Spring Security 3.2 and JSP pages as my view technology.
I did ROLES and OPERATION in my application.
Look at this answer, it helped me:
Difference between Role and GrantedAuthority in Spring Security
Basically what the article says is that there is no difference between roles and permissions: both are granted authorities and need to be placed on top of the security context to be able to manage access to the different resources. Using hasRole or hasPermission is only about specifying something that is more readable for the developer, but both operate by analyzing the granted authorities domain.
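As an added illustration of the approach in this answer (example code, not from the original post): a Spring Security 3.2 UserDetailsService that loads the user's role and the operations granted to that user (EXECUTE_SEARCH, VIEW_USER_TAB) from the database and exposes both as plain granted authorities, plus the server-side check that must back the JSP tag. The UserRepository/UserRow DAO, the table layout and the SearchService are assumptions made for the example.

```java
// Added example for the thread above; it is not code from the original post.
// Spring Security 3.2: load the user's role and the operations granted to that user
// (EXECUTE_SEARCH, VIEW_USER_TAB) from the database and expose both as authorities.
// UserRepository, UserRow, the table layout and SearchService are assumptions.
package example.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class DbUserDetailsService implements UserDetailsService {

    /** Hypothetical DAO: the user row plus the operation names granted to that user. */
    public interface UserRepository {
        UserRow findByUsername(String username);
        List<String> findOperations(String username);   // e.g. ["EXECUTE SEARCH", "VIEW_USER_TAB"]
    }

    public static class UserRow {
        public final String username, passwordHash, role;   // role is "ADMIN", "USER" or "GUEST"
        public final boolean enabled;
        public UserRow(String username, String passwordHash, String role, boolean enabled) {
            this.username = username; this.passwordHash = passwordHash;
            this.role = role; this.enabled = enabled;
        }
    }

    private final UserRepository repo;

    public DbUserDetailsService(UserRepository repo) {
        this.repo = repo;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserRow row = repo.findByUsername(username);
        if (row == null) {
            throw new UsernameNotFoundException("no such user");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // The role keeps the ROLE_ prefix: in 3.2 hasRole('ROLE_ADMIN') compares the literal string.
        authorities.add(new SimpleGrantedAuthority("ROLE_" + row.role));
        // Operations are plain authorities. Normalise the stored name so "EXECUTE SEARCH" in the
        // table and EXECUTE_SEARCH in the JSP cannot silently refer to two different authorities.
        for (String op : repo.findOperations(username)) {
            authorities.add(new SimpleGrantedAuthority(normalise(op)));
        }
        return new User(row.username, row.passwordHash, row.enabled, true, true, true, authorities);
    }

    static String normalise(String op) {
        return op.trim().toUpperCase().replace(' ', '_');
    }

    /**
     * Server-side enforcement of the same operation name. Hiding the button in the JSP with
     *   <sec:authorize access="hasAuthority('EXECUTE_SEARCH')"> ... </sec:authorize>
     * only tidies the UI; this annotation is what stops john (who lacks the operation) from
     * calling the search by typing its URL. Needs
     * <global-method-security pre-post-annotations="enabled"/> and a Spring-proxied bean.
     */
    public static class SearchService {
        @PreAuthorize("hasAuthority('EXECUTE_SEARCH')")
        public List<String> search(String query) {
            return new ArrayList<String>();   // the real query goes here
        }
    }
}
```

With peter/sarah/john loaded through this service, peter's context holds ROLE_ADMIN, EXECUTE_SEARCH and VIEW_USER_TAB, sarah's holds ROLE_ADMIN and EXECUTE_SEARCH, and john's holds ROLE_USER and VIEW_USER_TAB, so the same `<sec:authorize>` tag renders differently for the two ADMIN users while the `@PreAuthorize` check refuses the request regardless of what the page showed.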
I am currently working on a project with Spring 4, Spring Security 4, Hibernate 4 and MySQL 5. When I log in with the user credentials, it logs in but takes me to the unauthenticated-user page. I tried debugging the code in Eclipse but I am not able to find out why it goes to the unauthenticated-user page. We are using 4 different types of users for the project, so the database design given to me was a little different.
I have also asked the same question on Coderanch 4 days ago but I didn't receive any answers. Here is the link to the question: Coderanch. I have added the source files there for reference.
If you guys need any more files, please ask me and I shall provide you the same here.
This tutorial will help you to understand how it's working, and fix your problem:
Spring MVC 4 + Spring Security 4 + Hibernate Example
For people looking for answers to this question, here is the trick. You will have to add "ROLE_" to your SimpleGrantedAuthority object if you are fetching roles from the database. That is:
authorities.add(new SimpleGrantedAuthority("ROLE_" + user.getType()));
The explanation of why we should add the "ROLE_" token is given in this doc.
From the docs,
The prefix "ROLE_" is a marker which indicates that a simple comparison with the user’s authorities should be made. In other words, a normal role-based check should be used. Access-control in Spring Security is not limited to the use of simple roles (hence the use of the prefix to differentiate between different types of security attributes).
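As an added illustration of the quoted rule (example code, not part of the answer above): a stand-alone main() that puts the same authority string, with and without the "ROLE_" prefix, in front of RoleVoter, the voter that backs `<intercept-url access="ROLE_ADMIN"/>` and hasRole(). The username and the "ADMIN" type value are made up for the demo.

```java
// Added example; not part of the answer above. RoleVoter only considers config attributes
// that start with "ROLE_" and compares them literally with the authority strings, which is
// why an authority stored as "ADMIN" never satisfies a "ROLE_ADMIN" rule.
package example.security;

import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixDemo {

    /** An already-authenticated token carrying the given authority strings. */
    static Authentication authenticatedWith(String... authorities) {
        return new UsernamePasswordAuthenticationToken("alice", "N/A",
                AuthorityUtils.createAuthorityList(authorities));
    }

    /** Asks a RoleVoter whether the token satisfies the access attribute "ROLE_ADMIN". */
    static int voteForAdmin(Authentication auth) {
        List<ConfigAttribute> required = SecurityConfig.createList("ROLE_ADMIN");
        return new RoleVoter().vote(auth, null, required);
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "ACCESS_GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "ACCESS_DENIED";
            default:                                 return "ACCESS_ABSTAIN";
        }
    }

    public static void main(String[] args) {
        String type = "ADMIN";   // what user.getType() would return from the database
        // Authority stored exactly as the database value ...
        int bare = voteForAdmin(authenticatedWith(type));
        // ... versus the same value with the prefix, as in the answer above.
        int prefixed = voteForAdmin(authenticatedWith("ROLE_" + type));
        System.out.println("authority " + type + " -> " + describe(bare));
        System.out.println("authority ROLE_" + type + " -> " + describe(prefixed));
    }
}
```

The first vote is ACCESS_DENIED (the voter recognises the "ROLE_ADMIN" attribute but finds no authority equal to it), the second is ACCESS_GRANTED. Spring Security 4's hasRole('ADMIN') adds the prefix to the expression for you, but the authority built from the database row still has to carry it.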
In addition to the answer by Parthe, you may want to make sure the user account you used to log in has at least one of the roles listed ("SUPER ADMIN", "ADMIN", "STAFF").
I want to have authorization in my Java EE application.
Online it is described how you should define the roles in sun-web.xml. However, I would like to have all my roles and groups defined in a database table.
That means that when a method of my application is accessed, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for production purposes, I would suggest the following:
Use Filters to check for authorization and authentication. Filters are fairly easy to use, very powerful and often used for security purposes: see http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filters.
For the login, you could probably just stick with the standard form-based login.
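As an added example of the "Building your own" option (example code, not the answer's own): a servlet Filter that authorizes each request against roles held in a database, for the case where roles cannot be declared statically in web.xml. It assumes the container's form login (or an earlier filter) has already set the request principal; RoleDao and the URL-prefix-to-role table are assumptions made for the example.

```java
// Added example, not from the answer above: authorization against database-held roles in a
// servlet Filter. RoleDao and the prefix table are assumptions; anything not listed is denied.
package example.authz;

import java.io.IOException;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DbRoleAuthorizationFilter implements Filter {

    /** Hypothetical DAO: roles granted to a user, resolved through the user's groups. */
    public interface RoleDao {
        Set<String> rolesFor(String username);
    }

    /** URL prefix (inside the webapp) -> role required for it. */
    private final Map<String, String> requiredRoleByPrefix = new LinkedHashMap<String, String>();
    private final RoleDao roleDao;

    public DbRoleAuthorizationFilter(RoleDao roleDao) {
        this.roleDao = roleDao;
        requiredRoleByPrefix.put("/admin/", "ADMIN");
        requiredRoleByPrefix.put("/ws/", "USER");
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal user = request.getUserPrincipal();
        if (user == null) {                       // authenticate first, then authorize
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Match on the container-decoded, normalised servlet path rather than the raw request
        // URI, so percent-encoded or dotted segments cannot fool the prefix comparison.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String required = requiredRole(path);
        if (required == null || !roleDao.rolesFor(user.getName()).contains(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // fail closed
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix decides; null means "no rule", which doFilter treats as deny. */
    String requiredRole(String path) {
        String bestPrefix = null, role = null;
        for (Map.Entry<String, String> e : requiredRoleByPrefix.entrySet()) {
            String prefix = e.getKey();
            if (path.startsWith(prefix) && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
                role = e.getValue();
            }
        }
        return role;
    }
}
```

Map the filter to `/*` in web.xml so it sits in front of every servlet; the two things worth keeping from this sketch are that an unlisted path is denied rather than allowed, and that the role lookup runs per request (or against a short-lived cache), so revoking a group membership in the database takes effect without a redeploy.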
We are using Spring Security and it is working fine in the single web application. Now I need to create another web application with Spring Security. In the first application the user can sell his/her stuff (e.g. eBay). The second app, which I am creating now, is for general users, where they can save their general preferences, searches, some items they looked at, etc. They may or may not be an existing user. So the difference between the two users is:
User 1 (existing user): Can post his stuff for sale.
User 2: He/she should be able to log in, save his/her general activities, etc., and if he/she wants to sell an item, he/she needs to go through the additional steps for verification.
All this cannot be done in just one application, for several reasons. My question is how to handle the security. Should I create separate security filters for each application, or is there a way to use a common security implementation that can manage both of these applications? Please provide your feedback, I would really appreciate it.
If you wrap both components in two different webapps, each will have its own Spring Security web filter infrastructure.
So in principle there will be a security session for each web application, to be backed by whatever authentication system you use.
If you use JDBC then the user would have to log in twice.
If you want your customers to only log in once, you can for example use a token-based system.
When you cross link from webapp 1 to webapp 2, you could hook the links up to a redirect servlet.
The servlet then generates a token, persists it in a database and forwards the user with the token in the url to the other webapp.
In Spring Security you can then implement your own PRE_AUTH_FILTER which reads out the token and verifies that it is persisted in the database.
For security reasons you should make these tokens single-use.
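As an added example of the handoff this answer describes (example code, not the answer's own), for Spring Security 3.x: webapp 1 issues a random single-use token to the logged-in user and redirects, and webapp 2 redeems it exactly once through a pre-authentication filter. The in-memory TABLE stands in for the shared database table; the target URL, the 60 s expiry and the class names are assumptions.

```java
// Added example; not the answer's own code. Single-use handoff token between two webapps.
// TABLE stands in for the shared database table; URL, expiry and class names are assumptions.
package example.sso;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public class HandoffToken {

    static final long TTL_MILLIS = 60 * 1000L;
    static final SecureRandom RNG = new SecureRandom();

    /** One row of the handoff table: who the token was issued to and when it expires. */
    static final class Row {
        final String username; final long expiresAt;
        Row(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    /** Stand-in for the shared table, keyed by SHA-256 of the token so that a dump of the
     *  table (or a log line) does not yield tokens that can still be redeemed. */
    static final ConcurrentMap<String, Row> TABLE = new ConcurrentHashMap<String, Row>();

    /** 256 random bits from SecureRandom; never a session id or anything derived from one. */
    static String issue(String username) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = hex(raw);
        TABLE.put(sha256(token), new Row(username, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    /** remove() is atomic, so a replayed or concurrently reused token finds no row. */
    static String redeem(String token) {
        if (token == null) return null;
        Row row = TABLE.remove(sha256(token));
        if (row == null || row.expiresAt < System.currentTimeMillis()) return null;
        return row.username;
    }

    static String sha256(String s) {
        try {
            return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8")));
        } catch (Exception e) {   // SHA-256 and UTF-8 are mandatory in every JRE
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Webapp 1: the redirect servlet behind the cross link. */
    public static class HandoffServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            resp.sendRedirect("https://app2.example.com/handoff?token=" + issue(auth.getName()));
        }
    }

    /** Webapp 2: pre-auth filter. A null principal makes the base class skip authentication,
     *  so an unknown, expired or already-used token simply leaves the request anonymous. */
    public static class HandoffPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            return redeem(request.getParameter("token"));
        }
        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A";
        }
    }
}
```

In webapp 2 the filter is registered with `<custom-filter position="PRE_AUTH_FILTER"/>` and backed by a PreAuthenticatedAuthenticationProvider that loads the user's details. The token travels in the URL, so it lands in access logs and Referer headers; the short expiry and the single use are what make that tolerable, and redirecting once more to a clean URL after redemption keeps it out of the browser history.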
I'm new to web applications and security and I have a basic question.
Imagine a single Java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity, where people can access only their own 'items' at /item/item-id, e.g.:
User1 creates items 1 and 2;
User2 creates items 3 and 4;
How do I prevent User2 from accessing /item/1 for instance?
This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.
Should I keep a persisted map of user-items and check every time before returning a response?
Are there any Spring (or other) tricks/helpers for this problem?
Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.
What you are describing is exactly the purpose of authorization.
User2 is trying to access (think of CRUD as HTTP GET, POST, PUT, DELETE) the resource at /item/1. Are they allowed? No. So deny them access.
Should I keep a persisted map of user-items and check every time before returning a response?
How you perform authorization is up to you. Spring Security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).
I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring Security and I find its authentication/authorization logic more straightforward.
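Two concrete ways to do what this answer recommends in Spring Security, as an added example (not the answer's own code): scope the query to the caller, or let Spring Security compare the returned row's owner with the authenticated user. ItemRepository, Item and ItemNotFound are assumptions made for the example.

```java
// Added example, not from the answer above: enforcing "a user may only read their own item"
// for GET /item/{id}. ItemRepository, Item and ItemNotFound are assumptions.
package example.todo;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ItemService {

    public static class Item {
        private final long id; private final String owner; private final String text;
        public Item(long id, String owner, String text) { this.id = id; this.owner = owner; this.text = text; }
        public long getId() { return id; }
        public String getOwner() { return owner; }   // read by the SpEL expression below
        public String getText() { return text; }
    }

    public static class ItemNotFound extends RuntimeException {
        public ItemNotFound(long id) { super("item " + id); }
    }

    public interface ItemRepository {
        Item findById(long id);                        // unscoped
        Item findByIdAndOwner(long id, String owner);  // WHERE id = ? AND owner = ?
    }

    private final ItemRepository repo;

    public ItemService(ItemRepository repo) {
        this.repo = repo;
    }

    /** Option 1: the query carries the ownership predicate. A foreign id simply has no row,
     *  so User2 asking for /item/1 gets the same 404 as for an id that never existed and
     *  cannot enumerate which ids belong to someone else. */
    public Item getOwnItem(long id) {
        Item item = repo.findByIdAndOwner(id, currentUser());
        if (item == null) {
            throw new ItemNotFound(id);   // map to HTTP 404 in the controller
        }
        return item;
    }

    /** Option 2: fetch, then let Spring Security compare the row's owner with the caller.
     *  Needs <global-method-security pre-post-annotations="enabled"/> and a proxied bean;
     *  a mismatch raises AccessDeniedException (HTTP 403), which does reveal that the id exists. */
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Item getItem(long id) {
        return repo.findById(id);
    }

    /** The owner always comes from the security context, never from a request parameter. */
    static String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("not authenticated");
        }
        return auth.getName();
    }
}
```

The persisted user-to-item mapping the question asks about is just the owner column; what matters is that every read and write path filters on it, which is easiest to audit when the predicate lives in the query (option 1) rather than in each caller.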
In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).
XACML is the eXtensible Access Control Markup Language. It's the de-facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.
XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.
doctors can view medical records of patients they are assigned to
nurses can view medical records of patients that belong to the same clinic
patients can view their own records and that of patients for whom they are the guardian
You can have as many rules as you like. There is no limit.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
1. User authenticates through an external system and gets a session ID.
2. User passes two GET parameters to my application, sessionId and objectId.
3. Application verifies that the session is valid (already figured this part out).
4. Application verifies that the object is visible to the user (need help here).
5. Application returns the object information to the user.
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use the ACL feature, or you can emulate the same thing via some custom code (for example via a custom web security expression). See this post for details.
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement a AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
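Putting the two answers together for step 4, as an added example (not code from either answer): once the pre-authentication filter has established who the user is, the object-specific check can be a custom PermissionEvaluator, which is what makes hasPermission(...) usable in @PreAuthorize or in an intercept-url expression without the full ACL module. VisibilityDao, the "BackendObject" type name and ObjectService are assumptions made for the example.

```java
// Added example, not from either answer: step 4 of the question as a custom PermissionEvaluator.
// VisibilityDao and the "BackendObject" type name are assumptions.
package example.authz;

import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

public class ObjectVisibilityEvaluator implements PermissionEvaluator {

    /** Hypothetical backend lookup of the per-user object grants the question mentions. */
    public interface VisibilityDao {
        boolean canRead(String username, long objectId);
    }

    private final VisibilityDao dao;

    public ObjectVisibilityEvaluator(VisibilityDao dao) {
        this.dao = dao;
    }

    /** Variant for hasPermission(domainObject, permission); not used here, so deny. */
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false;
    }

    /** Variant for hasPermission(#objectId, 'BackendObject', 'read'). Every branch that is not
     *  an explicit grant returns false, including a malformed id. */
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
                                 Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null) {
            return false;
        }
        if (!"BackendObject".equals(targetType) || !"read".equals(permission)) {
            return false;
        }
        long id;
        try {
            id = Long.parseLong(targetId.toString());
        } catch (NumberFormatException e) {
            return false;
        }
        return dao.canRead(auth.getName(), id);
    }

    /** The method behind step 5, guarded by the evaluator. The objectId bound to #objectId is the
     *  GET parameter after Spring MVC has converted it; the user identity comes from the
     *  pre-authenticated context, not from the request. */
    public static class ObjectService {
        @PreAuthorize("hasPermission(#objectId, 'BackendObject', 'read')")
        public String describe(long objectId) {
            return "object " + objectId;
        }
    }
}
```

The evaluator is wired by setting it as the permissionEvaluator of a DefaultMethodSecurityExpressionHandler referenced from `<global-method-security pre-post-annotations="enabled"><expression-handler ref="..."/></global-method-security>` (DefaultWebSecurityExpressionHandler plays the same role for intercept-url expressions). Referring to `#objectId` requires parameter names to be available, so compile with debug information or annotate the parameter.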