Spring Security with roles and permissions

Question

I m trying to set up role-based Security with permissions  I m trying to do this together with  Spring-Security   I don t want to set up ACL as it seems it s an overkill for my requirements   I just want to have simple permissions and roles as described in this article  Unfortunately the article does not describe how to implement the given solution    Has someone already tried this and can point me in the right direction  Maybe there is another blog entry that describes the implementation    Thank you very much

User · Answer

I m the author of the article in question   No doubt there are multiple ways to do it  but the way I typically do it is to implement a custom UserDetails that knows about roles and permissions  Role and Permission are just custom classes that you write   Nothing fancy--Role has a name and a set of Permission instances  and Permission has a name   Then the getAuthorities   returns GrantedAuthority objects that look like this   PERM CREATE POST  PERM UPDATE POST  PERM READ POST  instead of returning things like  ROLE USER  ROLE MODERATOR  The roles are still available if your UserDetails implementation has a getRoles   method   I recommend having one    Ideally you assign roles to the user and the associated permissions are filled in automatically  This would involve having a custom UserDetailsService that knows how to perform that mapping  and all it has to do is source the mapping from the database   See the article for the schema    Then you can define your authorization rules in terms of permissions instead of roles   Hope that helps

User · Answer

This is the simplest way to do it  Allows for group authorities  as well as user authorities   -- Postgres syntax  create table users     user id serial primary key    enabled boolean not null default true    password text not null    username citext not null unique     create index on users  username    create table groups     group id serial primary key    name citext not null unique     create table authorities     authority id serial primary key    authority citext not null unique     create table user authorities     user id int references users    authority id int references authorities    primary key  user id  authority id      create table group users     group id int references groups    user id int referenecs users    primary key  group id  user id      create table group authorities     group id int references groups    authority id int references authorities    primary key  group id  authority id       Then in META-INF applicationContext-security xml   lt beans bean class  org springframework security crypto bcrypt BCryptPasswordEncoder  id  passwordEncoder    gt    lt authentication-manager gt       lt authentication-provider gt            lt jdbc-user-service                 data-source-ref  dataSource                   users-by-username-query  select username  password  enabled from users where username                     authorities-by-username-query  select users username  authorities authority from users join user authorities using user id  join authorities using authority id  where users username                     group-authorities-by-username-query  select groups id  groups name  authorities authority from users join group users using user id  join groups using group id  join group authorities using group id  join authorities using authority id  where users username                       gt              lt password-encoder ref  passwordEncoder    gt        lt  authentication-provider gt   lt  authentication-manager gt

User · Answer

To implement that  it seems that you have to    Create your model  user  role  permissions  and a way to retrieve permissions for a given user  Define your own  org springframework security authentication ProviderManager and configure it  set its providers  to a custom org springframework security authentication AuthenticationProvider  This last one should return on its authenticate method a Authentication  which should be setted with the org springframework security core GrantedAuthority  in your case  all the permissions for the given user    The trick in that article is to have roles assigned to users  but  to set the permissions for those roles in the Authentication authorities object   For that I advise you to read the API  and see if you can extend some basic ProviderManager and AuthenticationProvider instead of implementing everything  I ve done that with org springframework security ldap authentication LdapAuthenticationProvider setting a custom LdapAuthoritiesPopulator  that would retrieve the correct roles for the user   Hope this time I got what you are looking for  Good luck

User · Answer

ACL was overkill for my requirements also  I ended up creating a library similar to  Alexander s  to inject a GrantedAuthority list for Role- Permissions based on the role membership of a user     For example  using a DB to hold the relationships -     Autowired  RolePermissionsRepository repository   public void setup      String roleName    ROLE ADMIN     List lt String gt  permissions   new ArrayList lt String gt       permissions add  CREATE      permissions add  READ      permissions add  UPDATE      permissions add  DELETE      repository save new RolePermissions roleName  permissions        When an Authentication object is injected in the current security session  it will have the original roles granted authorities     This library provides 2 built-in integration points for Spring Security  When the integration point is reached  the PermissionProvider is called to get the effective permissions for each role the user is a member of  The distinct list of permissions are added as GrantedAuthority items in the Authentication object     You can also implement a custom PermissionProvider to store the relationships in config for example     A more complete explanation here - https   stackoverflow com a 60251931 1308685  And the source code is here -  https   github com savantly-net spring-role-permissions

User · Answer

Just for sake of completeness  maybe someone else won t have to implement it from scratch    We ve implemented our own small library  as everyone else  It s supposed to make things easier  so that our developers don t have to reimplement it each time  It would be great if spring security would provide support of rbac out of the box  as this approach is much better than the default permission based one    Have a look at Github  OSS  MIT license  to see if it suits your needs  It s basically only addressing the role  lt -  privileges mapping  The missing piece  you ll have to provide on your own is basically the user  lt -  roles mapping  e g  by mapping groups  racf ad groups  to roles  1 1  or by implementing an additional mapping  That one s different in each project  so it doesn t make sense to provide some implementation   We ve basically used this internally  so that we can start with rbac from the beginning  We can still replace it with some other implementation later on  if the application is growing  but it s important for us to get the setup right at the beginning   If you don t use rbac  there s a good chance  that the permissions are scattered throughout the codebase and you ll have a hard time to extract group those  into roles  later on  The generated graphs do also help to reason about it restructure it later on

User · Answer

The basic steps are    Use a custom authentication provider   lt bean id  myAuthenticationProvider  class  myProviderImplementation  scope  singleton  gt       lt  bean gt           Make your custom provider return a custom UserDetails implementation  This UserDetailsImpl will have a getAuthorities   like this   public Collection lt GrantedAuthority gt  getAuthorities         List lt GrantedAuthority gt  permissions   new ArrayList lt GrantedAuthority gt         for  GrantedAuthority role  roles            permissions addAll getPermissionsIncludedInRole role              return permissions       Of course from here you could apply a lot of optimizations customizations for your specific requirements

User · Answer

After reading this post  from Baeldung  I found that the solution is pretty simple  What I have done  is to add the role and permissions into the GrantedAuthority  I was able to access both methods hasRole   and hasAuthority

[java] Spring Security with roles and permissions

Examples related to java

Examples related to spring-security