I am using role hierarchy in spring security my spring-securityConfig.xml
is
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_WORKFLOW
ROLE_ADMIN > ROLE_ISBN_INSERTION
ROLE_ADMIN > ROLE_PERMISSION_UPDATE
ROLE_ADMIN > ROLE_ASSIGNMENT
ROLE_ADMIN > ROLE_CALIBRATION
</value>
</property>
</bean>
<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="roleHierarchy" ref="roleHierarchy" />
</bean>
<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler">
<ref bean="expressionHandler" />
</property>
</bean>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg>
<ref bean ="roleHierarchy"/>
</constructor-arg>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<ref bean="webExpressionHandler"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm" />
</bean>
<security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="cdlAuthenticationProcessingFilter" />
<security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
abstract="true">
<property name="userDao" ref="userDao"/>
</bean>
<bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean" />
<bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="customLdapBindAuthenticator"/>
<constructor-arg ref="cdlAuthoritiesPopulator"/>
</bean>
<bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="cdlLdapContextSource" />
<property name="userDnPatterns">
<list>
<value>${ldap.userDnPatterns}</value>
</list>
</property>
</bean>
<bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}"/>
</bean>
<bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>
<bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>
<bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
<property name="authenticationManager" ref="authenticationManager" />
<property name="notificationService" ref="notificationService"/>
<property name="userGroupDao" ref="userGroupDao"/>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/cdlAccessDenied.htm" />
</bean>
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>
In a service method i have used @Secured({ "ROLE_PERMISSION_UPDATE"})
if user with role ROLE_ADMIN is logging into application and try to access this secured method then it throws Access denied exception.
I found the solution
<security:global-method-security secured-annotations="enabled"
pre-post-annotations="enabled">
<security:expression-handler ref="defaultMethodSecurityExpressionHandler"/>
</security:global-method-security>
add this in dispatcher-servlet.xml
. There should be different context for spring security
Add
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
WEB-INF/dispatcher-servlet.xml
</param-value>
</context-param>
to your web.xml and import spring-security.xml
in applicationContext.xml
Sole purpose to do this is to have separate context for spring security.
To apply method based security to work with role hierarchy use @PreAuthorize("SpEL")
in place of @Secured({})
You have enable roleHierarchy only for DefaultWebSecurityExpressionHandler, it will work on your http requests but not on @Secured annotations. Add it to DefaultMethodSecurityExpressionHandler as well
<global-method-security ...>
<expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>
<beans:bean id = "methodSecurityExpressionHandler"
class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name = "roleHierarchy" ref="roleHierarchy"/>
</beans:bean>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.