I am working to configure Spring-Security with an existing application, for just basic security (i.e. what pages a user can see based on their roles). The question came up wondering if we could set what roles are required for each page in Java instead of the ApplicationContext.xml.
The idea is to store them in a table in our database, so we can easily change them without a redeployment. Is this possible? How?
Yes you can configure Spring-Security programmatically. But I don't think that is what you want / need to do.
The question came up wondering if we could set what roles are required for each page in java instead of the ApplicationContext.xml.
You could implement your own AccessDecisionManager class that queries your database to fetch the rules (or whatever) for each resource / page. This is described in Section IV of the SpringSecurity manual.
Alternatively, you could embed your own custom access control logic inside your MVC controller. Use SpringSecurityContext to fetch the request's Authorization object, fish out the identity and/or authorities, and implement the decision making however you want to.
We did this using Interceptors. Basically a MethodInterceptor proxies any call to any method you want (i.e. getting an object from your database). You can then programmatically intercept the object, check the current user and do pretty much anything you want in terms of access control. If that means querying the database for a list of users who have access (and hence a list you can change without modifying code), then so be it.
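As an added illustration of the interceptor approach above (this is example code, not code from the thread), a MethodInterceptor that looks up the roles allowed for each service method through a hypothetical RoleRuleDao backed by the database, so rules change without a redeployment. It assumes the Spring Security 3.x+ package layout and fails closed when no rule exists for a method.

```java
import java.lang.reflect.Method;
import java.util.Set;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class DatabaseRoleInterceptor implements MethodInterceptor {

    /** Hypothetical DAO (assumed, not a Spring API): roles permitted to call a resource, or null if no rule is stored. */
    public interface RoleRuleDao {
        Set<String> allowedRoles(String resource);
    }

    private final RoleRuleDao rules;

    public DatabaseRoleInterceptor(RoleRuleDao rules) {
        this.rules = rules;
    }

    @Override
    public Object invoke(MethodInvocation invocation) throws Throwable {
        Method m = invocation.getMethod();
        // Key used in the rules table, e.g. "com.example.OrderService#findOrder"
        String resource = m.getDeclaringClass().getName() + "#" + m.getName();

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AuthenticationCredentialsNotFoundException("No authenticated principal for " + resource);
        }

        // Fail closed: a method with no row in the table is denied rather than left open.
        Set<String> allowed = rules.allowedRoles(resource);
        if (allowed == null || allowed.isEmpty()) {
            throw new AccessDeniedException("No access rule configured for " + resource);
        }

        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (allowed.contains(ga.getAuthority())) {
                return invocation.proceed(); // caller holds one of the permitted roles
            }
        }
        throw new AccessDeniedException(auth.getName() + " may not call " + resource);
    }
}
```

Wire it as advice on the service beans (for example via ProxyFactoryBean or an aop:config pointcut) so that every call to a protected method passes through invoke() before the real method runs.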
I have a spring application that allows administrators to manage several sub-sections of the application, with each sub-section having its own users. The sub-sections are loaded depending on the URL that's being used to access the app. I've had some pretty simple experience using Spring security and setting up a pretty simple custom UserDetailsService, adding roles and granting authority to users, etc.
What I'd like to be able to do is have users be allowed to register under different sub-sections with the same username, and then ideally instead of loadUserByUsername in UserDetailsService for example, use something more like "loadUserByUsernameAndSubSection". So for example user 'scott75' could be registered on subsection1.myApp.com and also on subsection2.myApp.com.
I'm not looking for anyone to write a solution for me, but hopefully point me in the right direction in terms of classes in Spring Security that could do something like this. Or, alternatively, tell me I'm crazy and to go about it another way, like building an interface around adding/removing sub-section access to/from users, or adding/removing users from sub-sections.
I manage a few Spring-based web applications. For example, my client might be a Flex application with many modules/screens. Access to a screen or page, or even a Spring service, is controlled by Spring Security based on the user's role.
At a certain time we may want to block access to that screen or service completely, irrespective of the access granted by role. Maybe we want to take down a specific page/screen or a service for maintenance and enable it again after a certain time. What is the best practice to achieve this? I do not want to restart the application.
I am thinking of using some filter, so every request will pass through the filter and this filter will have the logic to check if the current operation or view is allowed or disabled.
Is this the better way to handle it, or is there any other solution?
What is the best practice?
A servlet filter is a good choice if you want to block pages known by URL. This solution is simple and pretty straightforward.
A Spring aspect will be better if you want to block services. Just wrap the classes you would like to block and perform a check prior to calling them. Throw a specific exception that you can handle in the presentation layer.
We implemented a similar feature once in a REST-based application. A global filter/aspect blocks all non-GET methods, effectively switching the application to read-only mode.
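As an added example of the filter approach in the answer above (example code, not from the thread), a servlet filter whose set of blocked path prefixes can be changed at runtime, so a page or service can be taken down and brought back without a restart. The filter name and the block/unblock methods are assumptions; whatever admin action or database poll calls them must itself be role-protected.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MaintenanceFilter implements Filter {

    // Path prefixes currently taken down. CopyOnWriteArraySet is safe for
    // concurrent reads by request threads while an admin thread updates it.
    private static final Set<String> BLOCKED = new CopyOnWriteArraySet<String>();

    public static void block(String pathPrefix)   { BLOCKED.add(pathPrefix); }
    public static void unblock(String pathPrefix) { BLOCKED.remove(pathPrefix); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the container-decoded, context-relative path rather than the raw
        // request URI, so encoding tricks in the URL do not slip past the prefix match.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        for (String prefix : BLOCKED) {
            if (path.startsWith(prefix)) {
                response.setHeader("Retry-After", "600");
                response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                        "Temporarily down for maintenance");
                return; // chain is not continued: the blocked page or service is never reached
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter to /* in web.xml ahead of the Spring Security filter chain if the maintenance page should be served even to unauthenticated users.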
You can always front your application with an Apache httpd (or some other reverse-proxy web front) and control access to individual URL patterns there. That also gives you the added benefit that you can actually have a nice maintenance page up while you take down the entire application.
I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages.
First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in "data access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
I am interested to know of the different approaches out there to implementing "data access" control. Is there a framework out there for this kind of thing? I am currently using Struts.
I'm thinking that to do this, I will need to somehow categorize and store the kinds of data I keep and configure which users can view/amend it. I want to try and avoid producing something completely from scratch, so I'm wondering how the experts do this and what frameworks and technologies assist them in doing it.
I guess you need Spring Security Framework. With this framework, you assign different roles to different users. For example, we can define two roles: ROLE_USER, ROLE_ADMIN. Then we assign those roles to users. For example, a user A can have only one role, ROLE_USER and a user B can have both of the roles. Now if on a particular JSP, you want to show something to user B only, you can put the code into a pair of authorization tags:
<sec:authorize ifAllGranted="ROLE_USER, ROLE_ADMIN">
<!-- html, jsp scriptlets, jstl tags inside here will be visible to user B only -->
</sec:authorize>
Similarly if you want to show something to both of them:
<sec:authorize ifAllGranted="ROLE_USER">
<!-- anything inside here will be visible to both users -->
</sec:authorize>
Hope it helps.
You are looking for an authorization solution? Have you already checked JAAS, OSUser and similar?
The authentication requirements can vary greatly, I think you need to be more specific; try adding a use case.
I think he was pretty specific with his question, though I also do not yet know the answer for it.
In any well-built Enterprise application, you have two levels of security:
(a) Functionality ACL.
Can a user search for others in Facebook? (etc.)
(b) Which data are you granted access to read and update.
e.g. Which users' profiles can you open and read in Facebook?
For some users, e.g. those in your friends list, you can see their profiles. For others you can't.
Thus, the fact that you can open a JSP that lists entities does not mean that you will be able to see the full set of entities in the system.
(a) Is easily solvable with Java EE users and roles security concepts.
(b) How do you associate your database data to specific JNDI users and roles?
Do you always have to reinvent the wheel when it comes to data access ACL?
If I let anyone modify a FreeMarker view page, can I somehow make it hack-free?
I know I read somewhere that I can disable scriptlets, but that was for .jsp pages so I am not sure if it will work with FreeMarker.
I basically want a way where I can set the attributes that will be available on the page, and let web designers go into the page and edit it all they want (all the while keeping it secure).
i.e. I don't want people to be able to access any of the objects in the request pipeline, or output my connection string to the page, etc.
Request and other objects are exposed to the FreeMarker template by Spring's FreeMarkerView, when FreeMarker is used as a Spring MVC view technology.
To have full control over the data being exposed to the templates, you can use FreeMarker directly, as described in the FreeMarker docs. However, you can still use Spring's support for FreeMarker configuration (FreeMarkerConfigurationFactoryBean).
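As an added example of rendering FreeMarker directly with an explicit model (example code, not from the answer), a small renderer that exposes only the attributes you choose, so neither the request nor any configuration object is reachable from the template. It also applies FreeMarker's ALLOWS_NOTHING_RESOLVER so template authors cannot use the ?new built-in to instantiate Java classes; the Configuration may come from Spring's FreeMarkerConfigurationFactoryBean, and the class and method names are assumptions.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class RestrictedTemplateRenderer {

    private final Configuration cfg;

    /** cfg can be the Configuration produced by FreeMarkerConfigurationFactoryBean. */
    public RestrictedTemplateRenderer(Configuration cfg) {
        // Disable ?new: otherwise a designer editing the template could
        // instantiate arbitrary classes reachable from the class path.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        this.cfg = cfg;
    }

    /** Render templateName against a model built from plain values only. */
    public String render(String templateName, String pageTitle, String userDisplayName)
            throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("title", pageTitle);
        model.put("userName", userDisplayName);
        // Nothing else goes in: no HttpServletRequest, no session, no beans
        // that carry connection strings or other settings.

        Template template = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        template.process(Collections.unmodifiableMap(model), out);
        return out.toString();
    }
}
```

A template can then reference ${title} and ${userName} but has no handle on anything that was not put into the map.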
It would make a lot of sense to be able to monitor the contents of Session, Application and Request Bean while developing a JSF app but as far as I know, I should explicitly add watch points for the parameters I'm interested in.
Is there an easier way to see these values as I navigate through my app's pages?
You can do it as a cross-cutting concern using some Filter of your own, or some of the AOP techniques provided by the framework. The idea is to log all this information on every request. It can be the console, why not.
IMO, monitoring the content of the request might not be a very useful idea, though.
If you want to see what is being added to and removed from these scopes, have a look at ServletContextAttributeListener, ServletRequestAttributeListener and HttpSessionAttributeListener. You can define instances of these classes using your web.xml.
As Vinegar says, if you want to monitor arbitrary classes, you could use AOP. You could also think about using the debugger programmatically.
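As an added example of the listener approach in the previous answer (example code, not from the thread), one class that implements all three attribute listeners and logs every add, replace and remove in the application, session and request scopes. It deliberately logs attribute names and types rather than values, since session and request attributes often hold credentials, tokens or personal data; the class name is an assumption.

```java
import java.util.logging.Logger;
import javax.servlet.ServletContextAttributeEvent;
import javax.servlet.ServletContextAttributeListener;
import javax.servlet.ServletRequestAttributeEvent;
import javax.servlet.ServletRequestAttributeListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

public class ScopeAttributeLogger implements ServletContextAttributeListener,
        HttpSessionAttributeListener, ServletRequestAttributeListener {

    private static final Logger LOG = Logger.getLogger(ScopeAttributeLogger.class.getName());

    /** Name and runtime type only: values are never written to the log. */
    static String describe(String scope, String action, String name, Object value) {
        String type = (value == null) ? "null" : value.getClass().getName();
        return scope + " " + action + " '" + name + "' (" + type + ")";
    }

    // application scope
    @Override public void attributeAdded(ServletContextAttributeEvent e)    { LOG.fine(describe("application", "added",    e.getName(), e.getValue())); }
    @Override public void attributeReplaced(ServletContextAttributeEvent e) { LOG.fine(describe("application", "replaced", e.getName(), e.getValue())); }
    @Override public void attributeRemoved(ServletContextAttributeEvent e)  { LOG.fine(describe("application", "removed",  e.getName(), e.getValue())); }

    // session scope
    @Override public void attributeAdded(HttpSessionBindingEvent e)    { LOG.fine(describe("session", "added",    e.getName(), e.getValue())); }
    @Override public void attributeReplaced(HttpSessionBindingEvent e) { LOG.fine(describe("session", "replaced", e.getName(), e.getValue())); }
    @Override public void attributeRemoved(HttpSessionBindingEvent e)  { LOG.fine(describe("session", "removed",  e.getName(), e.getValue())); }

    // request scope
    @Override public void attributeAdded(ServletRequestAttributeEvent e)    { LOG.fine(describe("request", "added",    e.getName(), e.getValue())); }
    @Override public void attributeReplaced(ServletRequestAttributeEvent e) { LOG.fine(describe("request", "replaced", e.getName(), e.getValue())); }
    @Override public void attributeRemoved(ServletRequestAttributeEvent e)  { LOG.fine(describe("request", "removed",  e.getName(), e.getValue())); }
}
```

Register it once with a listener element in web.xml and set the logger to FINE in development only, so the extra output never reaches a production log.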