
How to do rule-based authorization with Spring Security in Grails?

Spring Security is great for doing role-based authorization, but it seems to fall short when it comes to rule-based authorization. Sure, there are ways to do it via SpEL, but going that route seems to lock your authorization logic inside the annotations when it would be much better to pull that logic out into a service so that multiple places can use the same logic.

There seem to be some ways to go about adding in your own SpEL expressions, but nothing is particularly clear, and even those that make sense to me seem to fall short. I would think, given how flexible Groovy is, that there must be some way to not have to hard-code the dependencies together, but to have the security rules (or SpEL extensions) picked up at run-time.

While not ideal, even something as seemingly simple as defining all of the desired new rules and injecting them as mixins (i.e. SecurityExpressionRoot.mixin MyRule1) would be a good start, but that doesn't seem to work.

Does anyone know of an example that does this? If not, how might I go about doing this myself?


One (simplified) example: A user can only take a particular action (i.e. execute a service method) with an object if 3 of 4 fields have values over a particular threshold, but only if the object is less than 3 days old:

class MyRule {

    // Rule: at least 3 of the 4 fields must carry a value, and the
    // object must be less than 3 days old.
    boolean canTakeAction(Person person, MyThing myThing) {
        int numFieldsWithValues = 0
        if (myThing.field1 != null) { numFieldsWithValues++ }
        if (myThing.field2 != null) { numFieldsWithValues++ }
        if (myThing.field3 != null) { numFieldsWithValues++ }
        if (myThing.field4 != null) { numFieldsWithValues++ }

        // ">= 3", not "> 3": "3 of 4 fields" means three populated fields suffice
        return (numFieldsWithValues >= 3) && (ageInDays(myThing) < 3)
    }

    // Age of the object in whole days (body omitted in the question)
    int ageInDays(MyThing myThing) {
        ...
    }
}

And that is one of the simpler rules.

cdeszaq asked Dec 18 '12 22:12

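One way to get the rule out of the annotation and into a reusable bean, as an added example that is not part of the question or the answer: the rule is placed in a Grails service and the `@PreAuthorize` expression on a second service delegates to it by bean name. Everything here is assumed rather than taken from the page: that method security with pre/post annotations is enabled in the application (the Spring Security Core plugin alone does not enable `@PreAuthorize` on services), that the Spring Security version in use resolves `@beanName` references in method-security SpEL, that `MyThing` is a Grails domain class with the auto-timestamped `dateCreated` field, and the names `MyRuleService`, `MyThingService` and `takeAction`. The rule takes the `Authentication` directly instead of the question's `Person`, because that is what the expression root exposes.

```groovy
// Added example (hypothetical names), not code from the question or answer.
package example

import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.core.Authentication

// Grails service bean; its bean name is "myRuleService" by convention.
class MyRuleService {

    static transactional = false

    // The question's rule: at least 3 of the 4 fields populated and the
    // object less than 3 days old. Missing input is denied, never allowed.
    boolean canTakeAction(Authentication auth, MyThing myThing) {
        if (auth == null || !auth.authenticated || myThing == null) {
            return false
        }
        int numFieldsWithValues = [myThing.field1, myThing.field2,
                                   myThing.field3, myThing.field4].count { it != null }
        return numFieldsWithValues >= 3 && ageInDays(myThing) < 3
    }

    // Whole days since creation; assumes the Grails "dateCreated" timestamp.
    int ageInDays(MyThing myThing) {
        long millis = System.currentTimeMillis() - myThing.dateCreated.time
        return (int) (millis / (24L * 60 * 60 * 1000))
    }
}

// A service whose method is guarded by the shared rule. "authentication" is
// the current Authentication, "#myThing" the named method argument, and
// "@myRuleService" the bean resolved from the application context.
class MyThingService {

    @PreAuthorize("@myRuleService.canTakeAction(authentication, #myThing)")
    void takeAction(MyThing myThing) {
        // business logic runs only after the rule returned true
    }
}
```

The same `myRuleService.canTakeAction(...)` call can be used from a controller or a GSP to hide a button, so the rule exists once. The `#myThing` binding needs the parameter name to be available at runtime (Groovy compiles with debug information by default); if it is not, Spring Security's `@P("myThing")` parameter annotation names it explicitly.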


1 Answer

Role-based authorization is the easiest but least flexible way. The contrast to this is the Spring Security ACL system. ACLs let you define exactly who is allowed to do what on which object at runtime. On the other hand, this requires a much more complicated setup. There is also a Grails plugin for this.

Using annotations with SpEL expressions is somewhere between these two alternatives. They are more flexible than simple roles and easier than ACLs. If you are looking for an introduction to method security in Grails, maybe this blog post I wrote some time ago can help you.

micha answered Sep 21 '22 15:09
