I already have the spring security working for user and admin. Access is granted only for authenticated users, with some pages allowed only for admin. But that's nearly the default configuration.
Now I want to add a third role (let's name it crip) in Spring Security. The 3 roles are like Russian nesting dolls: user has access to 3 pages, crip has access to these 3 pages + 2 others, and the admin is a super user so he has access to everything.
On the Hibernate/JPA side, is it better to use a set of roles for a user with a one-to-many relation between the authorities and user tables, or just one Role? This role would be defined hierarchically: Admin > crip > user.
If the definition of roles is the best way to do this, on the Spring Security side, how do I configure the role inclusion: Admin > crip > user?
I've found @ManyToOne and @ManyToMany relationships between users and roles, that's why I'm asking this.
From your question I understood that you already have a basic configuration and got it working,
so just add this to the intercept-url list.
If you want to allow access for the roles Admin, crisp or user:
<intercept-url pattern="/pagesForCrispAndAdminAndUser**" access="hasAnyAuthority('Admin', 'crisp', 'user')" />
Allow only Admin
<intercept-url pattern="/pagesForAdmin**" access="hasAuthority('Admin')" />
Allow Admin and user
<intercept-url pattern="/pagesForAdminAndUser**" access="hasAnyAuthority('Admin', 'user')" />
documentation here
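The answer above lists every permitted role on every rule; the question actually asks for role inclusion (Admin > crip > user), which Spring Security supports through a RoleHierarchy. The following Java configuration is an added example, not code from the question or the answer. It assumes Spring Security 5.x Java config with WebSecurityConfigurerAdapter, authorities stored with the ROLE_ prefix (ROLE_ADMIN, ROLE_CRIP, ROLE_USER), and hypothetical URL prefixes /admin/**, /crip/** and /user/** standing in for the three page tiers. With a hierarchy in place, one stored role per user is enough on the JPA side, because the hierarchy expands it at authorization time.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

@Configuration
@EnableWebSecurity
public class HierarchicalRolesConfig extends WebSecurityConfigurerAdapter {

    // Each user row carries exactly one authority (its top role). The hierarchy
    // expands ROLE_ADMIN into ROLE_CRIP and ROLE_USER, and ROLE_CRIP into ROLE_USER,
    // so hasRole('USER') is satisfied for all three tiers without listing them.
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_CRIP\nROLE_CRIP > ROLE_USER");
        return hierarchy;
    }

    // hasRole(...) in the URL rules is evaluated by this handler, so it must know the hierarchy;
    // without this wiring the hierarchy bean exists but is never consulted.
    @Bean
    public DefaultWebSecurityExpressionHandler webExpressionHandler() {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());
        return handler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .expressionHandler(webExpressionHandler())
                // Hypothetical paths: the three tiers of pages from the question.
                .antMatchers("/admin/**").hasRole("ADMIN")   // admin only
                .antMatchers("/crip/**").hasRole("CRIP")     // crip and admin
                .antMatchers("/user/**").hasRole("USER")     // user, crip and admin
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

The hierarchy is attached to the web expression handler only. If the same rules are also enforced with @PreAuthorize on service methods, the method-security expression handler (DefaultMethodSecurityExpressionHandler) needs the same setRoleHierarchy call, otherwise a crip user would pass the URL check but fail the method check.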
I am working on an application with several roles. Changing this role to admin user should log out the target user.
My first lead was to set up data tables to retrieve the list of active tokens by taking an example from this site:
https://javadeveloperzone.com/spring-boot/spring-boot-oauth2-jdbc-token-store-example/#3_Source_Code
Except that on login, the data is not saved in my tables.
Is it possible to log out a user "by force"?
Yes, there are several ways to do it.
At the end of the day it invalidates the Authentication object in Spring's security context.
In the database I have a table authorities with a column authority; that column is populated, in this case with ROLE_MANAGER. I also have this inside my configure method in a class that extends WebSecurityConfigurerAdapter:
.antMatchers("/leaders/**").hasRole("MANAGER")
I also have more of this but that is not important. As you can see, MANAGER, which I also have in MySQL. This is on my home page:
<security:authorize access="hasRole('MANAGER')">
<!-- Add a link to point to /leaders ... this is for the managers -->
<p>
Leadership Meeting
(Only for Manager peeps)
</p>
</security:authorize>
This is that leaders mapping:
@GetMapping("/leaders")
public String showLeaders() {
return "leaders";
}
But when I log in with a user which has the role manager, the program sends me to my page which says I'm not authorized to view that content, but if I log in with a user which has both roles, ROLE_MANAGER and ROLE_ADMIN, I can see that /leaders page.
What can the problem be? I don't know what to try, everything seems fine, I don't know why it won't work. I figured out that just users which have all roles can access; if a user has just one role, that user can't access the page that he should.
I shared the project on git.
Please check the following page; someone asked a question like yours before:
Spring security doesn't match a given role
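The linked page aside, the quickest way to narrow a symptom like this is to separate the URL rule from the data that gets loaded for the user. The test class below is an added example, not code from the question or its repository. It assumes a Spring Boot application with spring-security-test and JUnit 5 on the test classpath, the /leaders mapping and the hasRole("MANAGER") rule shown in the question, and a database user with the hypothetical username "manager1" that carries only ROLE_MANAGER.

```java
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Set;
import java.util.stream.Collectors;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class LeadersAccessTest {

    @Autowired
    MockMvc mockMvc;

    @Autowired
    UserDetailsService userDetailsService;

    // Synthetic principal holding ONLY ROLE_MANAGER (roles = "MANAGER" adds the prefix).
    // If this passes, the antMatchers rule is correct and the fault is in what the
    // database-backed user is loaded with, not in the security configuration.
    @Test
    @WithMockUser(username = "manager-only", roles = "MANAGER")
    void managerOnlyPrincipalReachesLeaders() throws Exception {
        mockMvc.perform(get("/leaders")).andExpect(status().isOk());
    }

    // A principal without the role must be rejected, proving the rule is enforced at all.
    @Test
    @WithMockUser(username = "nobody", roles = "EMPLOYEE")
    void otherRoleIsForbidden() throws Exception {
        mockMvc.perform(get("/leaders")).andExpect(status().isForbidden());
    }

    // Loads the real user through the configured UserDetailsService and shows the exact
    // authority strings; hasRole('MANAGER') needs the literal "ROLE_MANAGER" among them.
    @Test
    void databaseUserCarriesRoleManager() {
        UserDetails user = userDetailsService.loadUserByUsername("manager1"); // hypothetical username
        Set<String> names = user.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .collect(Collectors.toSet());
        assertTrue(names.contains("ROLE_MANAGER"), "loaded authorities were: " + names);
    }
}
```

The failure message of the third test prints the authority set as it actually arrives from the database, which is the value hasRole compares against; a trailing space, a different case or a missing ROLE_ prefix shows up there immediately. If the application maps access-denied to a custom page instead of a plain 403, adjust the expected status in the second test to match.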
I'm working with a CAS implementation and want to extend it by adding a separate spring-webflow. The webflow will be used to manage user-specific data that is hosted in a separate web service. This webflow will be restricted such that a user must first be authenticated in order to access it.
I've added a new flow to cas-servlet.xml as follows:
<webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
...
<webflow:flow-location id="profile" path="/WEB-INF/profile-webflow.xml" />
...
</webflow:flow-registry>
The first state in my profile-webflow.xml is a view to a page that should display the user's username ...
<view-state id="accessView" view="profileAccessView" />
The profileAccessView refers to profileAccessView.jsp which I want to display the username of the CAS authenticated user.
<h2>USERNAME</h2>
Is there a way to display the logged-in user's username here?
I've tried accessing and binding the user info via spring, but I get a null result, i.e. ...
SecurityContextHolder.getContext().getAuthentication()
In the CAS server, users are not authenticated by Spring Security. This question has been asked several times on the CAS mailing lists; I advise you to search through them, like this one: https://groups.google.com/forum/#!searchin/jasig-cas-dev/username/jasig-cas-dev/-vMzR51b5S0/wbjpdMItHLMJ.
I have a question about Spring Security and it's regarding:
<authentication-manager>
<authentication-provider>
<user-service>
I need that a user, identified by name, can perform some operations that are not the same as the operations for another user, that is,
User Admin can make: create, read, delete, update.
User A can make: create, read, update.
User B can make: read, delete.
Each user is a different profile with different operations.
Can I do this with Spring Security?
In database is similar to:
Both users go to the same pages but with different operations, for example, www.myApp.com/pageOperation.
Thanks.
In Spring Security, permission to invoke some action is stored as a GrantedAuthority object within the current Authentication object, in the "authorities" collection.
So, you should provide a different authorities collection for different users by checking the user name. You can hardcode them into the <user-service> section or provide your own implementation of UserDetailsService, which resolves user authorities based on the user name. UserDetailsService has the method loadUserByUsername, which accepts a username and returns a UserDetails entity containing the user's authorities collection. You can check a user's authority while he is invoking some action by applying the @PreAuthorize annotation to the target method or by intercepting the appropriate URL. Hope this helps.
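The approach in the answer, carried through as an added example (not the answerer's code): a UserDetailsService that turns each user's permitted operations into authorities, and a service whose methods are guarded per operation with @PreAuthorize. It assumes Spring Security 5.x Java config; the user-to-operations map is constructed sample data standing in for the question's database table, and the OP_* authority names, class names and the demo password are the example's own.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize evaluation for Spring beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class OperationSecurityConfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

@Service
class OperationUserDetailsService implements UserDetailsService {

    // Constructed stand-in for the question's table: which operations each user may perform.
    private static final Map<String, List<String>> OPERATIONS_BY_USER = Map.of(
        "admin", List.of("OP_CREATE", "OP_READ", "OP_UPDATE", "OP_DELETE"),
        "userA", List.of("OP_CREATE", "OP_READ", "OP_UPDATE"),
        "userB", List.of("OP_READ", "OP_DELETE"));

    private final String demoPasswordHash;

    OperationUserDetailsService(PasswordEncoder encoder) {
        // Demo only: a real implementation reads each user's stored hash from the database.
        this.demoPasswordHash = encoder.encode("demo-password");
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        List<String> operations = OPERATIONS_BY_USER.get(username);
        if (operations == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // Each permitted operation becomes one GrantedAuthority on the principal.
        return User.withUsername(username)
            .password(demoPasswordHash)
            .authorities(operations.toArray(new String[0]))
            .build();
    }
}

// Everyone reaches the same page and the same methods; the annotation decides per caller.
@Service
class PageOperationService {

    private final Map<Long, String> records = new ConcurrentHashMap<>();
    private final AtomicLong nextId = new AtomicLong();

    @PreAuthorize("hasAuthority('OP_CREATE')")
    public long create(String payload) {
        long id = nextId.incrementAndGet();
        records.put(id, payload);
        return id;
    }

    @PreAuthorize("hasAuthority('OP_READ')")
    public String read(long id) {
        return records.get(id);
    }

    @PreAuthorize("hasAuthority('OP_UPDATE')")
    public boolean update(long id, String payload) {
        return records.replace(id, payload) != null;
    }

    @PreAuthorize("hasAuthority('OP_DELETE')")
    public boolean delete(long id) {
        return records.remove(id) != null;
    }
}
```

With this wiring, userB calling update(...) gets an AccessDeniedException before the method body runs, while the same call from userA succeeds. The checks sit on the service bean rather than in the controller, so every entry point (web page, REST endpoint, scheduled job) goes through them; note that @PreAuthorize only applies to calls made through the Spring proxy, not to calls from one method of the same bean to another.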
I am using Spring Security 3.0.3 for a project. My user info is loaded from the database. I have the following interceptor:
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
I want to add an interceptor to user data. When I log in with user1 (requester as role) he can see only specific user1 data.
http://localhost:7009/Test/requester//30351?menuId=app.requester.new
but when I log in with another user2 (requester as role) and enter the above URL in the browser,
http://localhost:7009/Test/requester//30351?menuId=app.requester.new.
he can see user1 data.
How can I add an interceptor so that it restricts another user's data?
Following is the scenario:
1> Login with user1 and he can see the following list of data:
101
102
103
When I click on the 102 data it opens the details of the 102 data.
http://localhost:7009/Test/requester//102?menuId=app.requester.new.
2> Login with user2 and he can see the following list of data:
104
105
106
When I click on the 105 data it opens the details of the 105 data.
http://localhost:7009/Test/requester//105?menuId=app.requester.new.
But when I copy user1's link
http://localhost:7009/Test/requester//102?menuId=app.requester.new.
and paste it into the browser, user2 can see the details of user1's data.
You don't filter everything in the Spring Security configuration but rather do it in the view or controller. Here is a very good tutorial which shows you how to use Spring Security in your case.
http://static.springsource.org/spring-security/site/petclinic-tutorial.html
If you use JSP for your view, you can use the Spring Security taglib to handle the view of the user's own data and, for other users' data, you will need to put the filtering logic inside the controller and pass the results as a model to the view. However, the exact solution depends on your application.
One option to do this is to use the Spring Expression Language and a custom PermissionEvaluator. Here's what we did to implement a department/sub-department authorization scheme: how to control the user authentication using spring mvc. This will allow you to create custom logic to identify what user1 is allowed to see, etc.
Check out http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html. Take a look at the @PostFilter annotation: if your data set is returned as a collection or an array, Spring Security can automatically filter out data elements based on your custom PermissionEvaluator.
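The custom PermissionEvaluator route from the two answers above, worked through as an added example that is not code from either answerer. It assumes Spring Security Java config (3.2 or later, since the question's 3.0.3 predates GlobalMethodSecurityConfiguration), a hypothetical RequesterRecord type with an owner field naming the user it belongs to, and the record ids from the question's scenario as constructed sample data. A URL pattern cannot express "only the owner may open record 102"; the ownership check has to see the loaded object, which is exactly what @PostAuthorize and @PostFilter give it.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

// Hypothetical domain object for the records behind /Test/requester/{id}.
class RequesterRecord {
    final long id;
    final String owner;   // username of the user this record belongs to

    RequesterRecord(long id, String owner) {
        this.id = id;
        this.owner = owner;
    }
}

// Decides whether the current principal may act on a given record.
class RequesterPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof RequesterRecord)) {
            return false;   // deny by default; a null (not found) result is also denied
        }
        boolean admin = auth.getAuthorities().stream()
            .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return admin || ((RequesterRecord) target).owner.equals(auth.getName());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false;       // id-only checks are not used by this example; keep them closed
    }
}

// Plugs the evaluator into the hasPermission(...) expression used by the annotations.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class RecordPermissionConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new RequesterPermissionEvaluator());
        return handler;
    }
}

@Service
class RequesterService {

    // Constructed sample data mirroring the question: 101-103 belong to user1, 104-106 to user2.
    private final Map<Long, RequesterRecord> records = Map.of(
        101L, new RequesterRecord(101L, "user1"),
        102L, new RequesterRecord(102L, "user1"),
        103L, new RequesterRecord(103L, "user1"),
        104L, new RequesterRecord(104L, "user2"),
        105L, new RequesterRecord(105L, "user2"),
        106L, new RequesterRecord(106L, "user2"));

    // user2 requesting id 102 gets an AccessDeniedException instead of user1's record.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    public RequesterRecord findById(long id) {
        return records.get(id);
    }

    // Only the caller's own records survive the filter; an admin sees all six.
    // @PostFilter removes elements in place, so the returned list must be mutable.
    @PostFilter("hasPermission(filterObject, 'read')")
    public List<RequesterRecord> findAll() {
        return new ArrayList<>(records.values());
    }
}
```

Because the evaluator denies a null target, a request for a non-existent id produces the same AccessDeniedException as a request for someone else's record, so the response does not reveal which ids exist. @PostFilter loads every row and then discards most of them, which is fine for a handful of records but costly at scale; for large tables query by owner in the repository and keep @PostAuthorize on the single-record lookup as the safety net.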