How to change Spring security roles by context?

I want to know if roles can be set based on the selected category. Our application has categories containing articles. Now we have a role hierarchy similar to this: ROLE_ADMIN > ROLE_EDITOR > ROLE_USER. The problem is that the user may have different roles based on the currently selected category:

    user1 - cat1 - ROLE_USER
    user1 - cat2 - ROLE_EDITOR

Categories are not static. New ones can be added and old ones deleted. Is it possible to achieve this using Spring Security?

+6
spring spring-security authorization roles
4 answers

From your description, this goes beyond the RBAC model, and Spring Security's RBAC does not give you enough. You have 2 options. Either:

  • you configure Spring Security by implementing your own access decision manager (see here for more details), or
  • you move on to attribute-based access control (ABAC, as explained by NIST here). The way to use ABAC in Spring is to use a Java implementation of XACML, the eXtensible Access Control Markup Language. XACML gives you an externalized, rule-based and attribute-based authorization framework. This means that you can define policies such as: a user with role = manager can do action = view on category = foo. You can have as many rules as you want, and combine / fine-tune them accordingly.

There are several open source and vendor Java implementations of XACML:

  • SunXACML
  • HERAS-AF
  • IBM
  • Axiomatics (disclaimer: the vendor I work for)

If you need more information about XACML, I would recommend you check out its Wikipedia page, as well as our YouTube channel, which has vendor-neutral tutorials.

XACML may be too big for your use case, but it's worth considering anyway.

+6

I don't know how your "categories" work, but you can set the "ROLE" on the UserDetails object.

The UserDetails object has a Collection<? extends GrantedAuthority> getAuthorities() method, and "ROLE" is the value of GrantedAuthority.getAuthority().

Thus, you can set multiple "ROLE"s in one session.

And you can manage your UserDetails object with your UserDetailsService implementation.

0
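One way to make the "multiple ROLEs in one session" idea from the answer above concrete is to encode the category into each authority name when the UserDetails object is loaded. The following is an added example, not code from the answer's author or from the Spring project; the class name, the in-memory maps and the "ROLE_<role>_<category>" naming scheme are assumptions. It expands the question's hierarchy (ADMIN > EDITOR > USER) per category, so a user who is EDITOR in cat2 also gets the USER authority for cat2, and checks can then be written as @PreAuthorize("hasAuthority('ROLE_EDITOR_' + #categoryId)").

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical UserDetailsService (added example) that loads one authority per
 * (category, role) pair, so a single session can carry ROLE_USER for cat1 and
 * ROLE_EDITOR for cat2 at the same time. The maps stand in for whatever table
 * the application really keeps.
 */
public class CategoryScopedUserDetailsService implements UserDetailsService {

    // Role hierarchy from the question, lowest first.
    private static final List<String> HIERARCHY = List.of("ROLE_USER", "ROLE_EDITOR", "ROLE_ADMIN");

    // user -> (category -> highest role the user holds in that category); constructed sample data.
    private final Map<String, Map<String, String>> rolesByUserAndCategory;
    // user -> already-encoded password hash; constructed sample data.
    private final Map<String, String> encodedPasswords;

    public CategoryScopedUserDetailsService(Map<String, Map<String, String>> rolesByUserAndCategory,
                                            Map<String, String> encodedPasswords) {
        this.rolesByUserAndCategory = rolesByUserAndCategory;
        this.encodedPasswords = encodedPasswords;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Map<String, String> byCategory = rolesByUserAndCategory.get(username);
        String password = encodedPasswords.get(username);
        if (byCategory == null || password == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        return User.withUsername(username)
                .password(password)
                .authorities(expand(byCategory))
                .build();
    }

    /**
     * Expands each category's role into that role plus everything below it in
     * the hierarchy, suffixed with the category id:
     * cat2 -> ROLE_EDITOR yields ROLE_EDITOR_cat2 and ROLE_USER_cat2.
     * An unknown role name is treated as a data error rather than silently ignored.
     */
    static Collection<GrantedAuthority> expand(Map<String, String> byCategory) {
        List<GrantedAuthority> out = new ArrayList<>();
        byCategory.forEach((category, role) -> {
            int rank = HIERARCHY.indexOf(role);
            if (rank < 0) {
                throw new IllegalStateException("unknown role " + role + " for category " + category);
            }
            for (int i = 0; i <= rank; i++) {
                out.add(new SimpleGrantedAuthority(HIERARCHY.get(i) + "_" + category));
            }
        });
        return out;
    }
}
```

Two things to keep in mind with this layout: the authorities are computed once at login, so a newly created category or a changed role only shows up after the user logs in again (or after the authentication is reloaded as a later answer describes), and category ids become part of authority names, so they should be validated identifiers rather than free text.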

I think I'm a little late here, but this is what worked for me:

When a new category is selected, you can put a new authentication object with the new roles into your session (the previous authentication object becomes invalid). Something like this:

    import java.util.ArrayList;
    import java.util.List;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.web.bind.annotation.RequestMapping;

    @RequestMapping(value = "/cat1")
    String cat1(HttpServletRequest request) {
        reloadRolesForAuthenticatedUser("cat1");
        ....
    }

    private void reloadRolesForAuthenticatedUser(String cat) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // getName() yields the username whatever the principal type is;
        // getRoles(...) is your own lookup of the user's roles for this category
        List<String> newRoles = getRoles(auth.getName(), cat);
        List<GrantedAuthority> authorities = getAuthorities(newRoles);
        // the three-argument constructor marks the token as authenticated
        Authentication newAuth = new UsernamePasswordAuthenticationToken(
                auth.getPrincipal(), auth.getCredentials(), authorities);
        SecurityContextHolder.getContext().setAuthentication(newAuth);
    }

    private List<GrantedAuthority> getAuthorities(List<String> roles) {
        List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        for (String r : roles) {
            auths.add(new SimpleGrantedAuthority(r));
        }
        return auths;
    }
0

This use case cannot be handled with the default role-based access control (RBAC) functionality, because the user's permissions change dynamically at run time depending on some user-related data.

This is actually the use case that access control lists (ACLs) are intended for.

Spring Security has ACL support by adding the spring-security-acl jar. This is a quote from the ACL section of the Spring Security reference:

In complex applications, it is often necessary to define access permissions not just at the web request or method invocation level. Instead, security decisions need to take into account who (Authentication), where (MethodInvocation) and what (SomeDomainObject). In other words, authorization decisions must also consider the actual domain object instance that is the subject of the method call.

See section 16.1 of the Spring Security reference for details on how Spring Security ACLs work. This is a tutorial on how to use Spring Security ACLs.

But Spring ACLs mean 4 additional database tables, etc., so if this is a single case in your application, it is probably best to create a custom decision manager with some coded rules.

But if this use case occurs often in your application, you should consider switching to ACLs instead of RBAC. Hope this helps.

-1
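Both the first answer (implement your own access decision component) and the answer above (a custom decision manager with some coded rules) leave the "coded rule" itself to the reader. The following is an added example, not code from any of the answers' authors or from the Spring project: a PermissionEvaluator that looks the user's role up per category on every check and compares it against the question's hierarchy (ADMIN > EDITOR > USER). The class name, the CategoryRoleRepository interface and the VIEW/EDIT/DELETE action-to-role mapping are assumptions; PermissionEvaluator itself and its two hasPermission signatures are Spring Security's. Because the lookup happens at call time, a newly added or deleted category or a changed role takes effect immediately, without rewriting the session's Authentication.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/**
 * Hypothetical PermissionEvaluator (added example) for "the role depends on the
 * selected category". Once registered on the method security expression handler,
 * a service method can be guarded with
 *   @PreAuthorize("hasPermission(#categoryId, 'Category', 'EDIT')")
 * and the decision is made from the user's role in that category alone.
 */
public class CategoryPermissionEvaluator implements PermissionEvaluator {

    // Role hierarchy from the question, lowest first.
    private static final List<String> HIERARCHY = List.of("ROLE_USER", "ROLE_EDITOR", "ROLE_ADMIN");

    // Minimum role needed for each action on a category (assumed mapping).
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
            "VIEW", "ROLE_USER",
            "EDIT", "ROLE_EDITOR",
            "DELETE", "ROLE_ADMIN");

    /** Stand-in for the application's own table of (user, category, role) rows. */
    public interface CategoryRoleRepository {
        /** The user's role in the category, or null when the user has none or the category no longer exists. */
        String roleFor(String username, String categoryId);
    }

    private final CategoryRoleRepository repository;

    public CategoryPermissionEvaluator(CategoryRoleRepository repository) {
        this.repository = repository;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // Only the id-based form is supported in this example; a Category object would expose its id.
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        if (authentication == null || !authentication.isAuthenticated()
                || !"Category".equals(targetType) || targetId == null || permission == null) {
            return false;
        }
        String required = REQUIRED_ROLE.get(permission.toString());
        String actual = repository.roleFor(authentication.getName(), targetId.toString());
        if (required == null || actual == null) {
            return false; // unknown action, or no role in this category: deny by default
        }
        // An unrecognised role name from the repository has index -1 and is therefore denied too.
        return HIERARCHY.indexOf(actual) >= HIERARCHY.indexOf(required);
    }
}
```

With a repository holding the question's sample rows (user1/cat1 -> ROLE_USER, user1/cat2 -> ROLE_EDITOR), an EDIT check on cat1 is denied and on cat2 is granted, while a VIEW check passes for both. The evaluator is wired in by calling setPermissionEvaluator(...) on the DefaultMethodSecurityExpressionHandler used for method security. Unlike replacing the Authentication in the session, this keeps the session's authorities unchanged and derives every decision from persistent data, so there is no window in which a user carries a role from a category they have since left.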
