Spring Book – Chapter 15 – Web Application Security with Spring

Authorization

Authorization as we explained earlier is the process which makes sure that the authenticated user has the necessary privileges and access rights to access a secured resource.

To do this, Spring Security uses access decision managers. There are three implementations of access decision manager which the Spring Security provides by default as summarized below:

  • Affirmative Based
  • Consensus Based
  • Unanimous Based

Figure 15-10 below shows the various classes linked with the authorization module of the Spring Security.

Figure 15-10. Access decision manager classes in Spring Security

Figure 15-10. Access decision manager classes in Spring Security

Authorization works in Spring Security by invoking Voters and then tallying those votes. In affirmative based access decision manager, if at least one voter votes, grant is accessed to the secured resource. In consensus based access decision manager, if a consensus of voters votes, grant is accessed to the secured resource and in unanimous based access decision manager, if all the configured voters votes, access if granted to the secured resource.

Web URL Authorization

By mere configuration in the Spring configuration file, you can achieve the URL authorization. In the following sections we will see these in more details. Listing 15-5 below shows a sample by which you can achieve the URL authorization by doing appropriate XML configurations in the Spring configuration file.

Listing 15-5. URL authorization using Spring configuration file

In Listing 15-5 shown above all the URL’s having a pattern “/admin*” should have role of “ROLE_ADMIN”. Similarly according to your application you have a provision to add any URL’s and give appropriate roles separated by comma.

Method invocation authorization

Spring Security uses Aspect Oriented Programming (AOP) to secure method invocations from intrusions. Spring allows you to do this by two methods as summarized below:

  • XML Configuration using Spring Security namespace – It uses AOP to have the necessary security put into appropriate method invocations. Listing 15-6 below shows how you can configure authorization checks for method invocation using a pattern of the method signature. In this listing, all the methods in the application ending with “Service” need to have a role namely “ROLE_USER” for accessing.

Listing 15-6. Method invocation authorization using XML configuration – Approach 1

Listing 15-7 below show a different approach of configuring method security in which the required class and its methods can be controlled and assigned appropriate user roles.

Listing 15-7. Method invocation authorization using XML configuration – Approach 2

Listing 15-8 again shows how we can have method security by different way of XML configuration.

Listing 15-8. Method invocation authorization using XML configuration – Approach 3

  • Annotation method invocation – By annotating method invocations with annotations can also make your methods secured. Listing 15-10 below shows a sample listing in which a method is secured using annotations and to be invoked you require either “ROLE_ADMIN” or “ROLE_SUPER_ADMIN” roles. Before using the Security annotations, you will have to enable scanning of these annotations in the XML configuration file as shown in Listing 15-9 below.

Listing 15-9. Enabling scanning of security annotations in Spring XML configuration

Listing 15-10. Annotations used in method invocation to secure the method invocation

Annotations which can be used in the method invocation can be categorized as below:

  • JSR-250 security annotations – Also called as EJB 3 security annotations. In the XML configuration you will have to enable scanning of these annotations as shown in Listing 15-11 and Listing 15-12 below.

Listing 15-11. Configuring scanning of JSR-250 based annotation in method invocation

Listing 15-12. Sample showing usage of JSR-250 based annotation

  • Expression based annotations – annotation based on @Pre and @Post fall into this category of security annotations. In the XML configuration you will have to enable scanning of these annotations as shown in Listing 15-13 and Listing 15-14 below.

Listing 15-13. Configuring scanning of expression based annotation in method invocation

Listing 15-14. Sample showing usage of expression based annotation

  • Voting based annotations – Spring Security annotation @Secured fall into this category, which we have already covered earlier.

Page Visitors: 8751

The following two tabs change content below.
Tomcy John

Tomcy John

Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.
Tomcy John

Latest posts by Tomcy John (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *