Imagine a website permissions similar to Reddit. A specific user-account has access to "SUPER-MOD" for "/r/subreddit-A" and "MOD" on "/r/Subreddit-B" and finally "BANNED" on "/r/Subreddit-C"
The way our spring security config is currently setup is we have the concept(s) of SUPER-MOD, MOD, USER, etc... but not SUPER-MOD(domain-A).
Clearly, writing my own code for this is not rocket science, but I was wondering if there was a common or standard interface for these types of permissions.
P.S. We're using Spring MVC / Tomcat. Articles & tutorials welcome.
The way that I have usually dealt with roles is typically using the Expression-Based Access Control with Spring. Since you seem to have most of the roles and permissions defined it should be a piece of cake getting them out of the security context.
Just make sure you have <global-method-security pre-post-annotations="enabled"/> because lack of that will obviously make the annotations useless.
Anyway hope that helps.
Related
I'm working on a implementation of a webapp in Java, where there will be limitations on some roles shall only be able to read data and some to update. All roles shall not have access to all pages.
I've looked at Apache Shiro together with JSP/Javascrip/CSS.
Are there any other alternatives for this?
Or is this the best choice?
//Henrik
Consider Spring Security, formerly known as Acegi.
http://projects.spring.io/spring-security/
Seems it's a bit more mainstream:
http://www.indeed.com/jobtrends?q=Apache++Shiro%2C+Spring+Security&l=
I have a web app running with Grails looking after the view and controller and calling into a spring-mvc backend via the service layer (Grails app using services from spring-mvc backend). Now I need to implement Spring Security (SS) for the app.
Its at this point I'm not sure how to marry both. The backend already has a fully functioning spring security implementation but to get the Grails app to work I needed to exclude all transient spring security dependencies coming from the spring-mvc app and go with a purely Grails solution (maybe this was the wrong decision?). The backend already has User and Role objects complete with a user_roles table modelled via a joinTable annotation in the User domain.
Questions:
Am I on the right track? Ignore everything from java backend in terms of SS bar using its data objects and go with Grails impl with SS plugin? I've seen posts saying I don't even need to use the Grails plugin but they're quite old now and I'm not sure how I'd annotate my controllers and services.
If Grails is the way, I'm not sure what I need from by backend and what I need to reimplement/extend in Grails.
I have an SS extended User and UserDetailsService in the backend app but cannot use them as I've completely excluded all the SS jars that they depend on so I presume I have to roll my own?
So I implement a UserDetails object, a custom UserDetailsService (should this implement the GrailsUserService?) and expose the latter as a bean and everything should work? Wishful thinking maybe.
Any guidance, even at a high level would be much appreciated as I'm struggling to determine my approach at this point, never mind implementation.
I have managed to implement what I need to get this working. I have gone with the purely Grails approach and so have my own implementation of userDetails, an instance of which is returned by my custom userDetailsService.
One thing to look out for, if getting a proof of concept working, is to make sure that you are reading back your password in the format you are storing it in. Spring Sec will hash your password to compare against what is in your database and so you will not successfully load a user if your storing your password as plain text. One way around this is to use the following config in resources.groovy.
passwordEncoder(PlaintextPasswordEncoder)
But of course I would not advocate this as being the long term solution from a security point of view.
I need to design a user role management module for online examine tool application, There are several users in the system (Admin, Moderator, Contributor, Examiner). These users have different privileges for the system.
I need to use the Spring framework and spring security for the user access system. How do I use the spring security for this module. Can anyone direct me to a good tutorial and your ideas allways welcome.
Based on your description, I think that you might be looking at a custom implementation of UserDetailsService.
It's worth checking out Stephan Gerth's ZK sample project, that integrates Spring, Hibernate, customized Spring security, ZK Ajax, etc. Here you have the announcement post, that has links to source and documentation. I suggest reading the chapter 13.2. Spring-Security (and related), that should help you navigate the source code.
Try this one Spring Authorization and Authentication.A very simple tutorial for beginners.
i wonder how to create security annotation like spring security does (#PreAuthorized or #Secured) that will check session than do something to decide how application will threat the authority to log on user.
is any resource i can read or any recommendation?
best regards
ps: for some reason, i cannot use spring security
The technique behind these annotations is called Aspect Oriented Programming (AOP).
Spring Security relies on Spring AOP, which allows you to intercept particular method calls on Spring-managed object, so that you can apply security checks to them.
See Aspect Oriented Programming with Spring. Alternatively, if you want to do it without Spring, see standalone AOP implementations such as AspectJ.
The best tutorial for 'how does Spring Security work' is 'the source of Spring Security'. It is open source. You can read it. Honestly, the question as posed is much to broad to allow for much more of an answer.
Typically in any web application, the major security concern is securing the resources from the malicious users who are trying to access un-authorized resources. They can change a value in the request parameter and try to access something that doesn't belong to that particular user.
For Example:
http://blah.com/id=foo
a user can change this to http://blah.com/id=bar and try to access the bar resource to access it.
With restful services this may lead to greater security concerns as the restful URL's are rather self explanatory.
eg:
http://hotels.com/hotels/1
a user can easily guess and change the id to 2 to see the details of it..
One design is to check at every request manually to see the access rights for the resources and deny it if needed.
but this is a cumbersome and not maintainable.
So the question is "Is there any tool/framework that can help achieve this in a easy manner? I know spring security supports static rules not dynamic.
Over the last couple of years, the de-factory standard for this has become Spring Security. This sits in frotn of any old java webapp (not just Spring webapps) and provides an interception authentication and authorization layer of your choice.
It's very powerful, although also rather complicated (over-complicated, IMO).
I would highly recommend looking into Seam Security. It can even be tied into a rules system.
edit: I believe you would need the Seam Core package for this to work. However, I have never tried using it without Seam, so I can't be positive about its dependencies.