Spring Security: Allow Admin to Do Everything

How can I allow an administrator (a user with the ROLE_ADMIN role) access to everything without specifying it explicitly in each expression? I currently have controller methods annotated as

@PreAuthorize("(hasRole('ROLE_VENDOR') and hasPermission(#product, 'admin')) or hasRole('ROLE_ADMIN')")

but I want it to be as simple as this, allowing the administrator to do something:

@PreAuthorize("hasRole('ROLE_VENDOR') and hasPermission(#product, 'admin')")

Is this possible? How can I do it? Note that hasPermission(#product, ...) evaluates to false for the admin.

+4
3 answers

Use a role hierarchy.

Here is a typical configuration:

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </value>
    </property>
</bean>

reference

Edit

Alternatively, use a custom PermissionEvaluator: extend AclPermissionEvaluator and override hasPermission so that it returns true for the admin; otherwise return super.hasPermission(...).

Bean configuration:

<security:global-method-security pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler" />
</security:global-method-security>

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="customPermissionEvaluator" />
    ...
</bean>
+2


In the security config:

<http use-expressions="true">
    <!-- your security patterns -->
    <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />

</http>

If you put this pattern at the end of the list, after all the other rules have been checked and none of them matched, this catch-all pattern at the end lets the admin send a request to any address, which in practice matches any controller.

+1