Spring security @secure not working with role hierarchy
Question
I am using role hierarchy in spring security my spring-securityConfig.xml is
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_WORKFLOW
ROLE_ADMIN > ROLE_ISBN_INSERTION
ROLE_ADMIN > ROLE_PERMISSION_UPDATE
ROLE_ADMIN > ROLE_ASSIGNMENT
ROLE_ADMIN > ROLE_CALIBRATION
</value>
</property>
</bean>
<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="roleHierarchy" ref="roleHierarchy" />
</bean>
<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler">
<ref bean="expressionHandler" />
</property>
</bean>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg>
<ref bean ="roleHierarchy"/>
</constructor-arg>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<ref bean="webExpressionHandler"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm" />
</bean>
<security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="cdlAuthenticationProcessingFilter" />
<security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
abstract="true">
<property name="userDao" ref="userDao"/>
</bean>
<bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean" />
<bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="customLdapBindAuthenticator"/>
<constructor-arg ref="cdlAuthoritiesPopulator"/>
</bean>
<bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="cdlLdapContextSource" />
<property name="userDnPatterns">
<list>
<value>${ldap.userDnPatterns}</value>
</list>
</property>
</bean>
<bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}"/>
</bean>
<bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>
<bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>
<bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
<property name="authenticationManager" ref="authenticationManager" />
<property name="notificationService" ref="notificationService"/>
<property name="userGroupDao" ref="userGroupDao"/>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/cdlAccessDenied.htm" />
</bean>
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>
In a service method i have used @Secured({ "ROLE_PERMISSION_UPDATE"}) if user with role ROLE_ADMIN is logging into application and try to access this secured method then it throws Access denied exception.
2 answers
solution1
2 2013-10-23 10:38:31
I found the solution
<security:global-method-security secured-annotations="enabled"
pre-post-annotations="enabled">
<security:expression-handler ref="defaultMethodSecurityExpressionHandler"/>
</security:global-method-security>
add this in dispatcher-servlet.xml . There should be different context for spring security
Add
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
WEB-INF/dispatcher-servlet.xml
</param-value>
</context-param>
to your web.xml and import spring-security.xml in applicationContext.xml Sole purpose to do this is to have separate context for spring security.
To apply method based security to work with role hierarchy use @PreAuthorize("SpEL") in place of @Secured({})
solution2
1 2013-10-23 09:47:49
You have enable roleHierarchy only for DefaultWebSecurityExpressionHandler, it will work on your http requests but not on @Secured annotations. Add it to DefaultMethodSecurityExpressionHandler as well
<global-method-security ...>
<expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>
<beans:bean id = "methodSecurityExpressionHandler"
class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name = "roleHierarchy" ref="roleHierarchy"/>
</beans:bean>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Spring Security Hierarchy Role system
Spring Security Role Hierarchy not working using Java Config
Spring Security Role Hierarchy not working with Thymeleaf sec:authorize
Spring Security role hierarchy @Secured JavaConfig
Spring Security 3.2 - configuring global method security to use role hierarchy
Spring Security hasRole() for Unauthenticated Users, Considering Role Hierarchy
Role hierarchy and OAuth2 Security using Spring Boot
spring security redirect based on role not working
Secure REST with Spring Security
Remove spring security role
Related Tags