Spring Security with Roles and Permissions

I am trying to configure role-based security with permissions. I am trying to do this with Spring-Security.

I do not want to configure ACLs as this seems redundant for my requirements.

I just want to have the simple permissions and roles described in this article. Unfortunately, the article does not describe how to implement this solution.

Has anyone already tried this and can point me in the right direction? Maybe there is another blog post that describes the implementation?

Thank you very much.

+61
java spring-security
Jun 15 '11 at 12:20
4 answers

To implement this, it seems that you need:

  • Create your model (user, role, permissions) and a way to get permissions for this user;
  • Define your own org.springframework.security.authentication.ProviderManager and configure it (install its providers) with a custom org.springframework.security.authentication.AuthenticationProvider. This last one should return, from its authenticate method, an Authentication whose authorities are set using org.springframework.security.core.GrantedAuthority; in your case, all permissions for this user.

The trick in this article is to assign roles to users, but to set permissions for these roles in the Authentication.authorities object.

To do this, I advise you to read the API and see if it is possible to extend the main ProviderManager and AuthenticationProvider instead of implementing everything. I did this with org.springframework.security.ldap.authentication.LdapAuthenticationProvider by setting a custom LdapAuthoritiesPopulator that will get the correct roles for the user.

Hope this time I got what you are looking for. Good luck.

+24
Jun 16 2018-11-11T00:

I am the author of this article.

Sure, there are several ways to do this, but what I usually do is implement a custom UserDetails that knows about roles and permissions. Role and Permission are just user classes you write. (Nothing unusual - Role has a name and a set of Permission instances, and Permission has a name.) Then getAuthorities() returns GrantedAuthority objects that look like this:

PERM_CREATE_POST, PERM_UPDATE_POST, PERM_READ_POST

instead of returning things like

ROLE_USER, ROLE_MODERATOR

Roles are still available if your UserDetails implementation has a getRoles() method. (I recommend having it.)

Ideally, you assign roles to the user, and the corresponding permissions are populated automatically. This comes from having a custom UserDetailsService that knows how to perform this mapping, and all it needs to do is the initial mapping from the database. (See the article for the schema.)

You can then define your authorization rules in terms of permissions instead of roles.

Hope this helps.

+60
Jan 27 '12 at 6:44

The main steps:

  • Use custom authentication provider

    <bean id="myAuthenticationProvider" class="myProviderImplementation" scope="singleton">
        ...
    </bean>

  • Make your custom provider return a custom UserDetails. This UserDetailsImpl will have getAuthorities() as follows:

    public Collection<GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> permissions = new ArrayList<GrantedAuthority>();
        // 'roles' is the user's assigned roles; each role expands to the permissions it includes
        for (GrantedAuthority role : roles) {
            permissions.addAll(getPermissionsIncludedInRole(role));
        }
        // what Spring Security sees are the permissions, not the roles
        return permissions;
    }

Of course, here you can apply many optimizations / settings for your specific requirements.

+5
Jun 16 2018-11-11T00:
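The following is an added example, not code from the article or from either of the two answers above, that puts the second and third answers together in one compilable Java file: a Role/Permission model, a UserDetails implementation whose getAuthorities() flattens the user's roles into PERM_* authorities while getRoles() keeps the roles reachable, and a UserDetailsService that performs the mapping. The class and method names and the in-memory user map standing in for the database tables are assumptions; the Spring Security types (UserDetails, UserDetailsService, SimpleGrantedAuthority, UsernameNotFoundException) are real.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class PermissionBasedUserDetailsExample {

    /** Permission: nothing but a name, e.g. CREATE_POST (hypothetical model class). */
    public static final class Permission {
        private final String name;
        public Permission(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Role: a name plus the permissions it grants (hypothetical model class). */
    public static final class Role {
        private final String name;
        private final Set<Permission> permissions;
        public Role(String name, Permission... permissions) {
            this.name = name;
            this.permissions = Collections.unmodifiableSet(new LinkedHashSet<>(Arrays.asList(permissions)));
        }
        public String getName() { return name; }
        public Set<Permission> getPermissions() { return permissions; }
    }

    /** UserDetails whose authorities are PERM_* entries derived from the user's roles. */
    public static final class UserDetailsImpl implements UserDetails {
        private final String username;
        private final String password;   // stored already encoded
        private final boolean enabled;
        private final Set<Role> roles;

        public UserDetailsImpl(String username, String password, boolean enabled, Role... roles) {
            this.username = username;
            this.password = password;
            this.enabled = enabled;
            this.roles = Collections.unmodifiableSet(new LinkedHashSet<>(Arrays.asList(roles)));
        }

        /** Roles stay reachable for code that wants them; they are just not the authorities. */
        public Set<Role> getRoles() { return roles; }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            // A set, so a permission reached through two roles is granted exactly once.
            Set<GrantedAuthority> authorities = new LinkedHashSet<>();
            for (Role role : roles) {
                for (Permission permission : role.getPermissions()) {
                    authorities.add(new SimpleGrantedAuthority("PERM_" + permission.getName()));
                }
            }
            return authorities;
        }

        @Override public String getPassword() { return password; }
        @Override public String getUsername() { return username; }
        @Override public boolean isAccountNonExpired() { return true; }
        @Override public boolean isAccountNonLocked() { return true; }
        @Override public boolean isCredentialsNonExpired() { return true; }
        @Override public boolean isEnabled() { return enabled; }
    }

    /** Does the role -> permission mapping; a real one reads users, roles and permissions from the database. */
    public static final class RoleMappingUserDetailsService implements UserDetailsService {
        private final Map<String, UserDetailsImpl> users = new HashMap<>();   // stand-in for the user table

        public RoleMappingUserDetailsService(UserDetailsImpl... seeded) {
            for (UserDetailsImpl u : seeded) users.put(u.getUsername(), u);
        }

        @Override
        public UserDetails loadUserByUsername(String username) {
            UserDetailsImpl user = users.get(username);
            if (user == null) throw new UsernameNotFoundException("No user " + username);
            return user;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; in an application this comes from the user/role/permission tables.
        Permission read = new Permission("READ_POST");
        Permission create = new Permission("CREATE_POST");
        Permission update = new Permission("UPDATE_POST");
        Role user = new Role("USER", read, create);
        Role moderator = new Role("MODERATOR", read, update);
        // "{noop}" marks a password stored unencoded; used here only because the sample has no encoder.
        UserDetailsImpl alice = new UserDetailsImpl("alice", "{noop}constructed-demo-password", true, user, moderator);

        UserDetailsService service = new RoleMappingUserDetailsService(alice);
        UserDetails loaded = service.loadUserByUsername("alice");
        System.out.println(loaded.getAuthorities());
    }
}
```

With authorities named this way the authorization rules are written against permissions, for example hasAuthority("PERM_CREATE_POST") in a request matcher or a @PreAuthorize expression, and adding a new role only means giving it the permissions it implies. Note that hasRole("X") prepends ROLE_ before comparing, so it never matches a PERM_* authority; use hasAuthority for permissions.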

This is the easiest way to do this. Allows group authorities as well as user privileges.

    -- Postgres syntax
    create table users (
        user_id serial primary key,
        enabled boolean not null default true,
        password text not null,
        username citext not null unique
    );
    create index on users (username);

    create table groups (
        group_id serial primary key,
        name citext not null unique
    );

    create table authorities (
        authority_id serial primary key,
        authority citext not null unique
    );

    -- authorities granted directly to a user
    create table user_authorities (
        user_id int references users,
        authority_id int references authorities,
        primary key (user_id, authority_id)
    );

    -- group membership
    create table group_users (
        group_id int references groups,
        user_id int references users,
        primary key (group_id, user_id)
    );

    -- authorities granted to every member of a group
    create table group_authorities (
        group_id int references groups,
        authority_id int references authorities,
        primary key (group_id, authority_id)
    );

Then in META-INF/applicationContext-security.xml

    <beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select username, password, enabled
                    from users
                    where username=?"
                authorities-by-username-query="select users.username, authorities.authority
                    from users
                    join user_authorities using(user_id)
                    join authorities using(authority_id)
                    where users.username=?"
                group-authorities-by-username-query="select groups.group_id, groups.name, authorities.authority
                    from users
                    join group_users using(user_id)
                    join groups using(group_id)
                    join group_authorities using(group_id)
                    join authorities using(authority_id)
                    where users.username=?" />
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>
+4
Jul 14 '13 at 23:10
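As an added example, not taken from the answer above, here is the same schema and the same three queries wired through Spring Security's JdbcDaoImpl in Java instead of the XML namespace. The static factory method names are assumptions; JdbcDaoImpl, its query setters, DaoAuthenticationProvider, ProviderManager and BCryptPasswordEncoder are Spring Security's own classes.

```java
import java.util.Collections;

import javax.sql.DataSource;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class JdbcGroupAuthenticationConfig {

    // Column order matters: JdbcDaoImpl reads results by position, not by name.
    static final String USERS_BY_USERNAME =
        "select username, password, enabled from users where username = ?";

    // authority is read from column 2
    static final String AUTHORITIES_BY_USERNAME =
        "select users.username, authorities.authority"
        + " from users"
        + " join user_authorities using (user_id)"
        + " join authorities using (authority_id)"
        + " where users.username = ?";

    // group id, group name, authority: authority is read from column 3
    static final String GROUP_AUTHORITIES_BY_USERNAME =
        "select groups.group_id, groups.name, authorities.authority"
        + " from users"
        + " join group_users using (user_id)"
        + " join groups using (group_id)"
        + " join group_authorities using (group_id)"
        + " join authorities using (authority_id)"
        + " where users.username = ?";

    /** UserDetailsService backed by the users/authorities/groups tables from the answer. */
    public static JdbcDaoImpl userDetailsService(DataSource dataSource) {
        JdbcDaoImpl dao = new JdbcDaoImpl();
        dao.setDataSource(dataSource);
        dao.setUsersByUsernameQuery(USERS_BY_USERNAME);
        dao.setAuthoritiesByUsernameQuery(AUTHORITIES_BY_USERNAME);
        // Group lookups are off by default in Java; without this the group query is never executed.
        dao.setEnableGroups(true);
        dao.setGroupAuthoritiesByUsernameQuery(GROUP_AUTHORITIES_BY_USERNAME);
        return dao;
    }

    /** The equivalent of the <authentication-manager> element: one DAO provider with bcrypt. */
    public static AuthenticationManager authenticationManager(DataSource dataSource) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService(dataSource));
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        return new ProviderManager(Collections.singletonList(provider));
    }
}
```

The user's effective authorities are the union of the rows returned by the two authority queries, so an authority can be granted to a user directly or through any group the user belongs to, which is the role-to-permission flattening the other answers describe, done in SQL.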
