
Role-based access control with Spring MVC

I would like to know the best practices for role-based access control with Spring.

My requirements are,

I will have a set of roles assigned to users, say,

user1=admin, user2=expert

user1 will have access rights like

/admin/member-management

/admin/project-management

......

for user2....

/myproject1/*

So if user2 tries to access the URL

/admin/member-management

they will be redirected to an authorization failure page.

Kamrul Hassan asked Aug 24 '11 10:08


People also ask

What is hasRole and hasAnyRole?

Description. hasRole([role]) Returns true if the current principal has the specified role. hasAnyRole([role1,role2]) Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings)


2 Answers

The standard framework to use with Spring MVC is Spring Security. While it can be very complex, here's a minimal version of what you need: 4.2.2 A Minimal Configuration

In your case, the config would be something like this:

<http auto-config='true'>
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
</http>
Sean Patrick Floyd answered Nov 03 '22 02:11
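A fuller Spring Security namespace configuration covering everything the question asks for, as an added example that is not part of the answer above: both roles, both path groups, a default rule for every other URL, and an authorization failure page. The role name ROLE_EXPERT, the /access-denied URL and the in-memory users with placeholder passwords are assumptions for illustration; the rules use the expression form (hasRole) of the access attribute shown in the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true" use-expressions="true">
    <!-- Rules are evaluated top to bottom and the first matching pattern
         wins, so specific paths must come before the catch-all. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <!-- "/**" covers nested paths; "/myproject1/*" would match one level only. -->
    <intercept-url pattern="/myproject1/**" access="hasRole('ROLE_EXPERT')" />
    <!-- Default rule: any URL not listed above still requires a login. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- A logged-in user who lacks the required role is forwarded here
         (assumed URL; map it to a controller or a static page). -->
    <access-denied-handler error-page="/access-denied" />
  </http>

  <!-- Constructed in-memory users matching the question (user1=admin,
       user2=expert); replace with the application's real user store. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="user1" password="CHANGE_ME_1" authorities="ROLE_ADMIN" />
        <user name="user2" password="CHANGE_ME_2" authorities="ROLE_EXPERT" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With this in place, user2 requesting /admin/member-management matches the first rule, fails the role check and is sent to /access-denied, while an unauthenticated request to the same URL is sent to the login page instead.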


Spring Security has the concept of roles but out of the box it does not have a concept of permissions. It does have a concept of ACLs but these ACLs are a lot more complicated than permissions, and they are tied to acting on specific objects, versus authorizing actions in general.

Take a look at Apache Shiro. It has roles and permissions that look very similar to what you gave as an example (using wildcards). It is also easy to use with Spring.

sourcedelica answered Nov 03 '22 00:11