Spring security framework with fine grained permissions

How to implement Spring security framework with fine grained permissions?
Working with Eclipse/Tomcat;
Are there any recommended examples around?


Regards

Imre Tokai wrote:How to implement Spring security framework with fine grained permissions?
Working with Eclipse/Tomcat;
Are there any recommended examples around?


Regards

What do you mean by fine grained?

Mark

Here is an example of the idea:
Fine Grained Permissions

How to implement this via Spring security framework? Is there any other idea?

When this module is ready, i want to integrate it to Struts web-application.

This is what i collected so far:
Struts + Spring

Spring Example

Looking forward for your guidelines on this complex issue!


Regards

Ah, you mean role-based permissions.

Yes, Spring Security authorization is completely based on role-based permission. It is built in and you have to have it, so it isn't a complex issue at all.

When you define your UserDetailsService you point to where you get the user ad role data and Spring does the rest.

To secure a URL, you use a spring configuration file and define <url-intercept> tags where youd efine the url and the Role the user must have to access that url.

Check out the Spring Security documentation for more.

Mark

Thank you for you answers, Mark!


Precisely, belove is what i need: check Converting to Permission-Based Security in the pdf, please.
http://greybeardedgeek.net/wordpress/wp-content/uploads/2009/03/spring-security-whitepaper.pdf

There is an example, that i plan to rework, on
http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html?page=1#resources

Haven't used Spring inside of Struts yet, so any guidelines are welcome! I suppose that i can put all together with my Struts app using web.xml


Regards

So far, i have been able to set ROLE based permission;

Application Context:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> <beans> <!-- ======================== FILTER CHAIN ======================= --> <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /j_acegi_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter /**/*=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor </value> </property> </bean> <!-- ======================== AUTHENTICATION ======================= --> <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> </bean> <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> <constructor-arg value="/index.jsp" /> <!-- URL redirected to after logout --> <constructor-arg> <list> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" /> </list> </constructor-arg> </bean> <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="authenticationFailureUrl"> <value>/login.jsp?login_error=1</value> </property> <property name="defaultTargetUrl"> <value>/</value> </property> <property name="filterProcessesUrl"> <value>/j_acegi_security_check</value> </property> </bean> <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" /> <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="key"> <value>foobar</value> </property> <property name="userAttribute"> <value>anonymousUser,ROLE_ANONYMOUS</value> </property> </bean> <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <ref local="authenticationProcessingFilterEntryPoint" /> </property> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/accessDenied.jsp" /> </bean> </property> </bean> <!-- Note the order that entries are placed against the objectDefinitionSource is critical. The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL. Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last --> <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="accessDecisionManager"> <ref local="httpRequestAccessDecisionManager" /> </property> <property name="objectDefinitionSource"> <value> PATTERN_TYPE_APACHE_ANT /index.jsp=ROLE_ADMIN,ROLE_TECHNICIAN /order/createOrder.jsp=ROLE_TECHNICIAN /order/authorizeOrder.jsp=ROLE_ADMIN /login.jsp=ROLE_ANONYMOUS,ROLE_TECHNICIAN,ROLE_ADMIN </value> </property> </bean> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider" /> <ref local="anonymousAuthenticationProvider" /> </list> </property> </bean> <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"> <ref bean="jdbcDaoImpl"/> </property> </bean> <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> <property name="userProperties"> <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean"> <property name="location" value="/WEB-INF/users.properties" /> </bean> </property> </bean> <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <property name="key"> <value>foobar</value> </property> </bean> <!-- Automatically receives AuthenticationEvent messages --> <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener" /> <!-- ===================== HTTP REQUEST SECURITY ==================== --> <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl"> <value>/login.jsp</value> </property> <property name="forceHttps"> <value>false</value> </property> </bean> <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions"> <value>false</value> </property> <property name="decisionVoters"> <list> <ref bean="roleVoter" /> </list> </property> </bean> <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter" /> <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName"> <value>com.mysql.jdbc.Driver</value> </property> <property name="url"> <value>jdbc:mysql://localhost:3306/acegi?autoReconnect=true</value> </property> <property name="username"> <value>root</value> </property> <property name="password"> <value></value> </property> </bean> <!-- specify the JDBC DAO Impl, note the reference to "dataSource" --> <bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> <property name="dataSource"> <ref bean="dataSource"/> </property> <property name="usersByUsernameQuery"> <value>SELECT USER_ID AS USERNAME, PASSWORD, IS_ENABLED AS ENABLED FROM USER WHERE USER_ID = ?</value> </property> <property name="authoritiesByUsernameQuery"> <value>SELECT a.USER_ID AS USERNAME, ROLE_ID AS AUTHORITY FROM USER a, USERROLE b WHERE b.USER_KEY = a.USER_KEY AND USER_ID = ?</value> </property> </bean> </beans>

Database:
/*==============================================================*/ /* DBMS name: MySQL 5.0 */ /* Created on: 3/26/2010 12:04:23 PM */ /*==============================================================*/ drop table if exists USER; drop table if exists USERROLE; /*==============================================================*/ /* Table: USER */ /*==============================================================*/ create table USER ( USER_KEY varchar(32) not null, USER_ID varchar(20) not null, PASSWORD varchar(20) not null, FIRST_NAME varchar(20), LAST_NAME varchar(20), IS_ENABLED varchar(1) not null, primary key (USER_KEY) ); /*==============================================================*/ /* Table: USERROLE */ /*==============================================================*/ create table USERROLE ( USER_KEY varchar(32), ROLE_ID varchar(20) not null ); alter table USERROLE add constraint FK_RELATIONSHIP_1 foreign key (USER_KEY) references USER (USER_KEY) on delete restrict on update restrict;

How to convert attched applicationContext-acegi-security.xml to support fine grained permissions? PERM_?


Regards

First off based on that long xml file, it looks like you aren't using the Spring Security namespace and making it not need all those filter declaration.

If you just add the DelegatingFilterProxy in your web.xml

then you security xml using the security namespace would be something like this

<security:http access-denied-page="/accounts/denied.htm"> <security:form-login login-page="/accounts/login.htm" authentication-failure-url="/accounts/login.htm?login_error=true" /> <security:intercept-url pattern="/accounts/denied.htm" filters="none"/> <security:intercept-url pattern="/accounts/login.htm*" filters="none"/> <security:intercept-url pattern="/accounts/edit*" access="ROLE_ADMIN" /> <security:intercept-url pattern="/accounts/account*" access="ROLE_ADMIN,ROLE_MEMBER" /> <security:intercept-url pattern="/accounts/**" access="IS_AUTHENTICATED_FULLY" /> <security:logout/> </security:http>

Much simpler.

Mark

Thanks for persistent help, Mark!


Can you post a simple working example of applicationContext.xml and web.xml that regards your approach, please?
I've found a lot around on the web, but still struggling to put all together...


Regards