Is there a way using the latest verions of Spring Roo to having this RequestMapping URL/value in this manner(s):
localhost/application/[generated-code]/menu
localhost/application/[generated-code]/settings
localhost/application/admin
generated-code is supplied to a column in the accounts table.
menu, settings and admin are Controllers having the class names MenuController, SettingController and AdminController respectively.
OPTIONAL: Since both menu and settings to share the same URL mapping, is there a way to have such validation on an abstract controller to implement the abstraction OOP concept.
The idea was to put additional security feature to end-user by supplying them them their login URL and login account. The plan was in the application named: application both the admin users and end users share the same application build.
Is this feature possible using Spring-Roo, Spring MVC, and Spring Security? How can such be implemented?
UPDATED
#CodeChip comment to use #PathVariable can be a solution. But as stated in the question and on comment to #CodeChip suggestion, creating an abstract controller is a optimal approach.
Related
I'm currently developing a Vaadin 8 app with spring boot and as I've read on many posts, the correct way of securing a view is to annotate the class with PreAuthorize. I'm doing that to protect views like this:
#SpringView(name="arinteractions")
#PreAuthorize("hasAuthority('OWNER') or hasAuthority('ADMIN')")
public class ARInteractionsView extends SideMenuViewBase {
The first problem I encountered was that my roles didn't have the ROLE_ prefix so I added that.
Still, spring was allowing the user to enter any view just by typing its URL (which in vaadin is a hashbang like #!interactionview).
Adding this allows the user with access to enter the view, but also users without access. When a user without the roles tries to enter the views he they open. The logs show:
Found view ARStorageBanksView annotated with #PreAuthorize but no access decision manager. Granting access.
And also an exception is thrown:
org.springframework.security.access.AccessDeniedException
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.4.RELEASE.jar:5.0.4.RELEASE]
I tried adding an access decision manager by adding a bean maker method in the security config, but I didn't found any documentation on how to implement this correctly.
Also, adding the access decision manager only made it worse. All views became blocked and the logs showed that the views 'didn't exist'.
What I did to solve was to use the old #Secured annotation. That for some reason is working flawlessly.
Spring security Roles, Authorities, are very confusing. Some of its objects are strings, some are plain objects, the auth scripts are hard to debug, the convetions aren't obvious that are required.
So the question is, what is the correct way of setting up security so that I can use the newer pre-authorize?
I think there is nothing wrong using #Secured, especially if it works. The Vaadin reference application (Bakery) has been implemented using that as well. See more at: https://vaadin.com/start/v8-full-stack-spring
I need configure my spring-boot web application to return different templates for same URL. Template should be returned checking roles for current user.
To solve this issue i think should be used UrlBasedViewResolver to create\configure special CustomSecurityBasedInternalResourceViewResolver. It will be really good if someone will show how to implement this idea.
I have a simple web application which I am writing using spring-boot and storm path for user authentication. (I'm actually using spring-boot-starter-stormpath-thymeleaf)
I have a have the following request mapping in my controller
#RequestMapping(value = "/secure", method = RequestMethod.GET)
public String secure(Model mode, HttpServletRequest request) {
Account account = AccountResolver.INSTANCE.getAccount(request);
if (account != null)
return "secure";
else
return "redirect:/login?next=secure";
}
which forces a user to login to view the secure page. It works, but it doesn't feel like it is the most elegant of solutions. Is there a better way? I think a solution with filters should be possible but I cannot figure it out.
The current Stormpath Spring Boot starter does not (yet) have an authentication filter, but it will on future releases for those that want an out-of-the-box experience without having to use Spring Security or Apache Shiro.
That said, we're currently working on natively supporting Spring Security and Apache Shiro as Spring Boot starters that 'just work' with the Stormpath Spring Boot starter. Until we can release those, creating a custom servlet filter as you indicate is the best approach.
Are you also using the Stormpath Servlet as well?
If so, you could do what you need following this piece of documentation. This way you will only need to declare which are the resources of your application that you want to secure and Stormpath's authc filter will prompt for authentication when required.
If you're using Spring MVC, you should use Spring Security and have Stormpath acting as an authentication provider. Then use the standard Spring Security tools to declare access rules and inject the current user where needed.
I have a scenario where I have roles and permissions in a different system (where i need to make a REST call) and that system will specify whether I can access a particular resource or not.
I need to intercept my controller methods and that Interceptor should talk to external service and figure out the authorization. I am using just spring boot (no spring security).
It should be similar to this with JAX-RS but I'm looking in spring context. Can I achieve this using #RolesAllowed?
I would recommend using an interceptor:
http://docs.spring.io/spring/docs/current/spring-framework-reference/html/mvc.html#mvc-handlermapping
You need to have a configuration that you will annotate with (check spring documentation)
#EnableGlobalMethodSecurity(jsr250Enabled = true)
Then you will have to create your own access decision manager and register your own roles. With this you should be able to annotate your controllers to a specific user like #RolesAllowed("admin")
I'm building a Maven Web Application user authentication. I created a new JDBC Realm in Glassfish and setup my domain classes with JPA. I can login with some created users and can check if they have a specific role. But when i secure a bean i always can access it.... The security annotation is ignored, for example #RolesAllowed, #DenyAll
Found the solution! Be sure your class is a EJB, for example with #Stateless. Then the authorization annotations will work!
http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html