Authorization
Authorization as we explained earlier is the process which makes sure that the authenticated user has the necessary privileges and access rights to access a secured resource.
To do this, Spring Security uses access decision managers. There are three implementations of access decision manager which the Spring Security provides by default as summarized below:
- Affirmative Based
- Consensus Based
- Unanimous Based
Figure 15-10 below shows the various classes linked with the authorization module of the Spring Security.
Figure 15-10. Access decision manager classes in Spring Security
Authorization works in Spring Security by invoking Voters and then tallying those votes. In affirmative based access decision manager, if at least one voter votes, grant is accessed to the secured resource. In consensus based access decision manager, if a consensus of voters votes, grant is accessed to the secured resource and in unanimous based access decision manager, if all the configured voters votes, access if granted to the secured resource.
Web URL Authorization
By mere configuration in the Spring configuration file, you can achieve the URL authorization. In the following sections we will see these in more details. Listing 15-5 below shows a sample by which you can achieve the URL authorization by doing appropriate XML configurations in the Spring configuration file.
Listing 15-5. URL authorization using Spring configuration file
1 2 3 4 5 6 7 8 9 10 11 |
<beans:beans xmlns="http://www.springframework.org/schema/security" … > <http auto-config="true"> <intercept-url pattern="/admin*" access="ROLE_ADMIN" /> </http> … </beans:beans> |
In Listing 15-5 shown above all the URL’s having a pattern “/admin*” should have role of “ROLE_ADMIN”. Similarly according to your application you have a provision to add any URL’s and give appropriate roles separated by comma.
Method invocation authorization
Spring Security uses Aspect Oriented Programming (AOP) to secure method invocations from intrusions. Spring allows you to do this by two methods as summarized below:
- XML Configuration using Spring Security namespace – It uses AOP to have the necessary security put into appropriate method invocations. Listing 15-6 below shows how you can configure authorization checks for method invocation using a pattern of the method signature. In this listing, all the methods in the application ending with “Service” need to have a role namely “ROLE_USER” for accessing.
Listing 15-6. Method invocation authorization using XML configuration – Approach 1
1 2 3 4 5 6 7 8 9 10 11 12 13 |
<beans:beans …> … <global-method-security> <protect-pointcut expression="execution(* *Service(..))" access="hasRole('ROLE_USER')"/> </global-method-security> … </beans:beans> |
Listing 15-7 below show a different approach of configuring method security in which the required class and its methods can be controlled and assigned appropriate user roles.
Listing 15-7. Method invocation authorization using XML configuration – Approach 2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
<beans:beans …> … <beans:bean id="methodInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor"> … <beans:property name="securityMetadataSource"> <value> package.SampleService.secureMethod1 ROLE_ADMIN package.SampleService.secureMethod2 ROLE_USER </value> </beans:property> … </beans:bean> … </beans:beans> |
Listing 15-8 again shows how we can have method security by different way of XML configuration.
Listing 15-8. Method invocation authorization using XML configuration – Approach 3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
<beans:beans …> … <beans:bean id="sampleService" class="package.SampleService"> <intercept-methods> <protect access="ROLE_ADMIN" method="secureMethod1"/> <protect access="ROLE_USER" method="secureMethod2"/> </intercept-methods> </beans:bean> … </beans:beans> |
- Annotation method invocation – By annotating method invocations with annotations can also make your methods secured. Listing 15-10 below shows a sample listing in which a method is secured using annotations and to be invoked you require either “ROLE_ADMIN” or “ROLE_SUPER_ADMIN” roles. Before using the Security annotations, you will have to enable scanning of these annotations in the XML configuration file as shown in Listing 15-9 below.
Listing 15-9. Enabling scanning of security annotations in Spring XML configuration
1 2 3 4 5 6 7 8 9 10 11 12 13 |
<beans:beans …> … <global-method-security secured-annotations="enabled"> … </global-method-security> … </beans:beans> |
Listing 15-10. Annotations used in method invocation to secure the method invocation
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
package com.mybook.sample.services; public class ImportantService{ … @Secured("ROLE_ADMIN") @Secured("ROLE_SUPER_ADMIN") public void callThisImportantMethod(Object obj){ … } … } |
Annotations which can be used in the method invocation can be categorized as below:
- JSR-250 security annotations – Also called as EJB 3 security annotations. In the XML configuration you will have to enable scanning of these annotations as shown in Listing 15-11 and Listing 15-12 below.
Listing 15-11. Configuring scanning of JSR-250 based annotation in method invocation
1 2 3 4 5 |
<global-method-security jsr250_annotations="enabled"> … </global-method-security> |
Listing 15-12. Sample showing usage of JSR-250 based annotation
1 2 3 |
@RolesAllowed({"ROLE_USER"}) public void securedMethod(); |
- Expression based annotations – annotation based on @Pre and @Post fall into this category of security annotations. In the XML configuration you will have to enable scanning of these annotations as shown in Listing 15-13 and Listing 15-14 below.
Listing 15-13. Configuring scanning of expression based annotation in method invocation
1 2 3 4 5 |
<global-method-security pre_post_annotations="enabled"> … </global-method-security> |
Listing 15-14. Sample showing usage of expression based annotation
1 2 3 4 5 6 7 8 9 10 11 |
@PreAuthorize("hasRole('ROLE_USER')") public void securedMethod1(); @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") public void securedMethod2(); @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')") public void securedMethod3(); |
- Voting based annotations – Spring Security annotation @Secured fall into this category, which we have already covered earlier.
Page Visitors: 11024
Tomcy John
Latest posts by Tomcy John (see all)
- A Guide to Continuous Improvement for Architects - February 2, 2023
- Cloud-first Architecture Strategy - January 26, 2023
- Architecture Strategy and how to create One - January 24, 2023