Geek Answers Handbook

Is it possible to implement method-level access checks with annotations?

Consider the basic authorization structure with User and Group , where access to methods must be protected by checks that ensure that the user or group has the necessary PriviledgeLevel to execute the method and otherwise refuse.

I present something like this:

 @AccessCheck(PriviledgeLevel.ADMINISTRATOR) public static void secureMethod(){ ... }

If code verification basically does

 if(currentUser.getPriviledgeLevel >= PriviledgeLevel.ADMINISTRATOR || currentUser.getGroup.priviledgeLevel >= PriviledgeLevel.ADMINISTRATOR) // Allow access else // Deny access

Is it possible to implement it this way?

I did a little research, which points to some existing AspectJ- based things, mainly the Security Annotation Framework (SAF) and Spring Security .

I'm a little worried that SAF no longer seems active, and the documentation is not that useful.

I'm not sure about Spring's security, but it seems to be more focused on security issues in web themes.

The Java authentication and authorization service seems to be connected, but does not use the annotation approach.

Does it make sense to try to define these security requirements using this declarative approach?

Is there another library / framework that I am missing that already implements what I want, or some kind of technology that will be important here?

Or is there a completely different solution (for example, the implementation of my own ClassLoader , ...) that surpasses what I present (in terms of brevity and readability for the library user)?

+4
source share
4 answers

I think AspectJ will do what you want. We have a whole bunch of methods for which you need certain access rights, and we created an AspectJ aspect that will check this and log out if the user does not have these rights.

As a plus, since AspectJ is "woven" into classes at compile time, it cannot be disabled by configuration.

We also use Spring Security, you can use both in harmony!

+1
source

You can do this pretty trivially yourself using dynamic proxies.

 public interface MyInterface { @AccessCheck(Privilege.ADMIN) public void doSomething(); }

A proxy server will be created in a class that implements your interface, and you would annotate your interface with your user annotation.

  MyInterface aInterface = (MyInterface) java.lang.reflect.Proxy.newProxyInstance(obj.getClass() .getClassLoader(), obj.getClass().getInterfaces(), new YourProxy(new Implementation());

In your proxy's invoke () method, you can check if your method has an annotation and throws a SecurityException if these privileges are not executed.

 public YourProxy implements InvocationHandler { .... public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { if ( method.isAnnotationPresent(AccessCheck.class) { ....// do access check here and throw SecurityException() } }
+1
source

With Spring Security, you just need to add:

 @Secured("ADMINISTRATOR") public static void secureMethod(){ ... }

And configure it correctly:

If you are not using a database credential store, simply configure your preferred UserDetailsService to add user and group credentials to UserDetails credentials.

Because of this, it is difficult to understand this without checking the concept in the documentation , but checking access to the level method is quite possible with the help of spring security, and this is my preferred technology for it.

+1
source

In Spring Security, as the state of docs , you can use both @Secured and @PreAuthorize at the method level.

To enable @PreAuthorize (if you haven't already ...), you need to put <global-method-security pre-post-annotations="enabled" /> in your XML configuration;

For @Secured use <global-method-security secured-annotations="enabled" /> .

See this article for more details.

0
source

More articles:


All Articles