Spring Security, Authorization Setup, AccessDecisionManager and Security Filter

I am going to implement custom authorization based on the [User ↔ Role ↔ Right] model, and the rights should be compared with the name of the controller and method (for example, "controller method").

I used the UserDetails and AuthenticationProvider settings to configure the granted permissions (here), but while looking for verifiable source code and documents on how to set up privilege comparisons I found that there is a SecurityContextHolderAwareRequestWrapper filter that implements isGranted and isUserInRole for comparing permissions, while, as the documents say, one configures voters with an AccessDecisionManager (as I understand it). Which one should I use? Where do I have the name of the controller and the method (action) for comparing permissions with them?

I was a little confused about Spring Security. Is there any other resource than the official documents that illustrates how this works, I mean the sequence of actions and methods and their configuration?

+7
spring spring-security
1 answer

There are several approaches:

  • A role system where you assign a role to each user and check the role before continuing
  • Using Spring Security Expressions
  • There is also a new Spring ACL component that allows class-level ACL management and is stored in a database.

My personal use so far has been 1 and 2, where you assign roles only to users. But option 3 allows you to create a more fine-grained security model without having to rebuild your webapp when choosing a security model.

Role structure

Role-based security can be implemented using the UserDetailsService interface and configuring Spring Security to use this class.

To learn how to implement such a project, check out the following tutorials:

  • Form-based login using in-memory users: Link
  • Form-based login using a custom user details service: Link

In short, Spring Security does the following backstage:

  • After authentication (for example, submitting a login form), an authentication object is created that contains the login credentials. For example, UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken.
  • The authentication object is passed to the AuthenticationManager, which can be considered the controller of the authentication process. The default implementation is the ProviderManager.
  • The AuthenticationManager authenticates with an AuthenticationProvider. The default implementation used is DaoAuthenticationProvider.
  • DaoAuthenticationProvider authenticates by retrieving UserDetails from the UserDetailsService. UserDetails can be thought of as a data object that contains the user's credentials as well as the user's authorities / roles! DaoAuthenticationProvider retrieves the credentials using the loadUserByUsername method and then compares them with the UsernamePasswordAuthenticationToken provided by the user.
  • The UserDetailsService collects the user's credentials and authorities and creates a UserDetails object from them. For example, you can get the password hash and permissions from the database. When configuring website URLs, you can refer to the authorities in the attribute. Alternatively, you can get the authentication object in controller classes using `SecurityContextHolder.getContext().getAuthentication()`.

To better understand the inner workings of these classes, you can read the javadocs.

SpEL

Besides checking privileges, SpEL also lets you check other user properties. You can use these expressions in URL patterns, as well as annotate methods with @PreAuthorize. Thus, protecting a business layer is less intrusive.

ACL Based

The ACL-based model was introduced in Spring Security 3.0, but was not well documented. Their suggestion is to look at the XML contacts sample, as this one uses the new ACL component.

Lastly, this book contains great examples of how to customize security further to your wishes.

+9
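The following is an added worked example, not code from the question or the answer above, that ties the answer's two recommended approaches together for the questioner's [User ↔ Role ↔ Right] model: a UserDetailsService that flattens a user's roles into GrantedAuthority values (approach 1), and @PreAuthorize expressions on controller methods that require a right named after the controller and action (approach 2), which is where the "controller method" name from the question lives. It assumes Spring Boot with Spring Security 6, where the AuthorizationManager has replaced the AccessDecisionManager/voter chain the question mentions; the AccountRepository, Account, Role and OrderController types and the "Controller.action" naming of rights are this example's own assumptions.

```java
package example.security;

import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical persistence types (assumed for this example): a user, the roles assigned to it,
// and the rights each role grants. Rights are named "<Controller>.<action>" so they line up
// with the controller method they protect.
record Role(String name, Set<String> rights) {}
record Account(String username, String passwordHash, boolean enabled, Set<Role> roles) {}

interface AccountRepository {
    Optional<Account> findByUsername(String username);
}

/**
 * Flattens User -> Role -> Right into GrantedAuthority values. DaoAuthenticationProvider calls
 * loadUserByUsername, compares the password hash with the submitted credentials, and places
 * these authorities into the Authentication that the @PreAuthorize checks below read.
 */
class RightsUserDetailsService implements UserDetailsService {
    private final AccountRepository accounts;

    RightsUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("Unknown user: " + username));
        // Every right of every role becomes one authority; duplicates across roles collapse.
        List<SimpleGrantedAuthority> authorities = account.roles().stream()
                .flatMap(role -> role.rights().stream())
                .distinct()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return User.withUsername(account.username())
                .password(account.passwordHash())   // stored already encoded (e.g. bcrypt)
                .disabled(!account.enabled())
                .authorities(authorities)
                .build();
    }
}

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize evaluation on Spring beans
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The filter chain only requires that the caller is authenticated; which action a
        // user may invoke is decided per method, so no URL-to-right table is kept here.
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService(AccountRepository accounts) {
        return new RightsUserDetailsService(accounts);
    }
}

@RestController
class OrderController {
    // The required right is the controller and action name, so the check sits next to the
    // code it guards and a missing authority yields 403 before the method body runs.
    @PreAuthorize("hasAuthority('OrderController.list')")
    @GetMapping("/orders")
    List<String> list() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return List.of("orders visible to " + auth.getName());
    }

    @PreAuthorize("hasAuthority('OrderController.cancel')")
    @PostMapping("/orders/{id}/cancel")
    String cancel(@PathVariable String id) {
        return "cancelled " + id;
    }
}
```

Keeping the URL rules coarse (authenticated only) and the right-level decision on the method means a renamed or added endpoint cannot silently fall outside the authorization rules; the trade-off is that every controller action must carry its annotation, which is easy to check in review.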
