I have a question about changing role dynamically in runtime. Suppose that we have a social network application (like Facebook) and we are using Spring security for authentication/authorization purpose.
When a person open his Homepage this person has the ADMIN role and can do everything with his Homepage. However, when he is visiting another friend's Homepage he should only have the role USER which can only do some restricted actions (he cannot delete posts in the Homepage of his friend, for example).
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.
Can anyone help me with this question?
Thank you.
I think you should overthink your concept. Users are always users.
Users with homepages are userWithHomepage
and real admins are admins.
You need to check on the page, whether the currentUser is privileged for the current page - and give him his roles on this site.
So "UserWithHomepage" comes to his own Homepage, you check: is this user privileged on this site? If yes: activate admin things on this site. If you add a role to his userContext, he could get access as this role to other sites, too. I think, this is a security flaw.
So simply set a marker on your controller or check each time, something happens (instantiation, button click etc.) if the user has the privilege to do so.
You shouldn't change your user roles based on what page they are visiting. In your case, when visiting the homepage, you should check if the user is the owner of the homepage, and if so, give him the option to edit/delete and if not, just don't give them the option (don't show the links for editing/deletion, throw an exception if they try to execute that request anyway).
Thanks all, actually checking if the user is the owner of the Homepage is exactly what we need to do!
Related
I am working on an application with several roles. Changing this role to admin user should log out the target user.
My first lead was to set up data tables to retrieve the list of active tokens by taking an example from this site:
https://javadeveloperzone.com/spring-boot/spring-boot-oauth2-jdbc-token-store-example/#3_Source_Code
Except that at the connection, the data information is not saved in my tables.
Is it possible to log out a user "by force"?
Yes, there are several ways how you do it.
At the end of the day it invalidates the Authentication object in Spring's security context.
In database I have table authorities and inside I have column authority, that column is populated and in this case with ROLE_MANAGER, also I have this inside my configure method in extends class WebSecurityConfigurerAdapter
.antMatchers("/leaders/**").hasRole("MANAGER") I also have more of this but that is not important. As you can see, MANAGER which I also have in mysql. This is on my home page.
<security:authorize access="hasRole('MANAGER')">
<!-- Add a link to point to /leaders ... this is for the managers -->
<p>
Leadership Meeting
(Only for Manager peeps)
</p>
</security:authorize>
This is that leaders mapping:
#GetMapping("/leaders")
public String showLeaders() {
return "leaders";
}
But when I log in with user which have role manager program send me on my page which says Im not authorized to view that content, but If I log in with user which has both role, ROLE_MANAGER and ROLE_ADMIN I can see that /leaders page.
What can be a problem? I dont know what to try, everything seems fine, idk why wont work. I figured out that just users which has all roles can acess, If user have just one role that user cant access page that he should
I shared project on git
Please check the following page, someone asked a question like yours before:
Spring security doesn't match a given role
Im using Java, CDI, JSF.
In my LoginModule implementation i authenticate user and in commit() method assigning user principals to Subject object.
Now, when user is logged in I would like to change its principals without re-logging and then show some other content/options - how can I do that? Is it possible?
I have tried to get current Subject object, it froced me to enable SecurityManager and provide security grants, otherwise Subject is null.
AccessControlContext acc = AccessController.getContext();
Subject thisSubject = Subject.getSubject(acc);
So first - i dont want to enable SecurityManager to get Subject object(am I really need it? maybe theres some kind of bypass?).
Second - how can I change principals programmatically when user is already logged in?
Thank you.
first post here, hope im doing right.
In a project, we have a scenario where we have a single web application with multiple entities. Currently, the login is managed via default JDBC Spring Security provider, working fine.
For a new requirement, we need that each entity can have their own login method (currently 2 methods would be available, the JDBC one, which is the current one, and the second method would be authentication via SAML, with each entity defining their own IdP, but this is another story)
I need some guidelines on how this can be achieved, I have done some search and I have found providers for different URL's, etc... But not different login methods for the same app and url's depending on the user type or entity.
Is a good approach to have a custom single entry point where we can check the entity user and then use the suitable authentication provider?
Kind regards,
Alex
As each of your users might be using a different IDP you will in any case need to determine the username before proceeding with initialization of the authentication process - but you already know this.
One approach to take (similar to what Microsoft is using with the Office 365 for corporate users) is:
display a login page with fields for standard username + password
once user enters username and blurs the input field, you make an AJAX call (to your custom API made for this purpose) and fetch information about authentication type + IDP to use for this user
in case the type is password you simply let user continue with filling in the password field and POST to the same place as you're used to for processing with the JDBC provider
in case the type is federated authentication you initialize authentication with the correct IDP by redirecting to /saml/login?idp=xyz and continue with the SAML flow
It's possible to avoid any APIs by submitting the form once user enters the username, or let user click a "Continue" button. It would then make sense to use a custom EntryPoint which:
redirects user to the main login page in case it wasn't provided with a username
displays either login page with username/password or redirects to the correct IDP, once username was provided
Is it possible to allow users to access a specific page in Alfresco Share? Which user or user group can access to which page for example.
Not really, unless you can map your users to the fixed set of (site independent) roles (none, guest, user, admin) baked into spring surf.
These roles are wired into various classes (i.e. org.springframework.extensions.surf.mvc.PageView,org.springframework.extensions.webscripts.connector.User,org.springframework.extensions.webscripts.Description).
If you can map your users to these roles, just set the authentication value accordingly in the pages xml descriptor.
For example:
To see the document-library, share requires you to be logged in, and hence, in site-data/pages/documentlibrary.xml it reads <authentication>user</authentication>.
If you cannot map your users in this way, things can get a bit messy.