I'm going to implement a custom authorization based on a [User<-->Role<-->Right] model, and Rights should be compared to the controller and method name (e.g. "controller|method").
I used a customized UserDetails and AuthenticationProvider to adjust the granted authorities (here), but when I checked the source code and docs about how to customize the comparison of authorities I found there is a filter (SecurityContextHolderAwareRequestWrapper) that implements isGranted and isUserInRole to compare authorities, while the documents say to use AccessDecisionManager voters to customize it (as I understood). Which one should be used? Where do I get the controller and method (action) name to compare the authorities against?
I got a little confused about Spring Security. Is there any resource other than the official docs that illustrates how it works, I mean the sequence of actions and methods and how to customize them?
There are several approaches:
- Role based, where you assign each user a role and check the role before proceeding
- Using Spring security expressions
- There are also the new Spring ACL components, which let you perform ACL control at class level and are stored in a database.
My personal usage so far has been 1 and 2, where you only assign roles to users.
But option 3 allows you to create a finer grained security model, without having to rebuild your webapp when changing the security model.
Role Based
A role based security mechanism can be realised by implementing the UserDetailsService interface and configuring Spring Security to use this class.
To learn how such a project can be realized, take a look at the following tutorials:
- Form based login with in memory user database Link
- Form based login with custom userdetails service Link
In short, Spring Security performs the following behind the scenes:
- Upon authentication (e.g. submitting a login form) an Authentication object is created which holds the login credentials. For example the UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken.
- The authentication object is passed to an AuthenticationManager, which can be thought of as the controller in the authentication process. The default implementation is the ProviderManager.
- The AuthenticationManager performs authentication via an AuthenticationProvider. The default implementation used is the DaoAuthenticationProvider.
- The DaoAuthenticationProvider performs authentication by retrieving the UserDetails from a UserDetailsService. The UserDetails can be thought of as a data object which contains the user credentials, but also the Authorities/Roles of the user! The DaoAuthenticationProvider retrieves the credentials via its loadUserByUsername method and then compares them to the supplied UsernamePasswordAuthenticationToken.
- UserDetailsService collects the user credentials and the authorities and builds a UserDetails object out of them. For example you can retrieve a password hash and authorities from a database. When configuring the website url-patterns you can refer to the authorities in the access attribute. Furthermore, you can retrieve the Authentication object in your controller classes via SecurityContextHolder.getContext().getAuthentication().
Furthermore, to get a better understanding of the inner workings of these classes you can read the javadocs:
- UserDetails - how the user credentials are stored and accessed
- AuthenticationManager.authenticate(..) - contract on how AuthenticationExceptions are handled
- UserDetailsService.loadUserByUsername(..) - contract on how username lookup failures are handled, e.g. user does not exist
SpEL
Instead of checking authorities, SpEL also enables you to check other properties of a user.
You can use these in the URL patterns, but also annotate methods with @PreAuthorize.
This way securing the business layer is less intrusive.
ACL Based
The ACL based model was introduced in Spring Security 3.0, but hasn't been well documented.
Their suggestion is to look at the Contacts XML example, since this one uses their new acl component.
Lastly, this book contains great examples on how to further customize your security wishes.
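Putting the role-based flow described in the answer together with the question's "controller|method" rights, as an added example that is not part of the answer or of Spring Security itself: a UserDetailsService that flattens User -> Role -> Right into one GrantedAuthority per right, and a controller method guarded by @PreAuthorize on that authority. The domain records, AppUserRepository and ContactController are hypothetical names chosen for this example; the Spring Security classes are real.

```java
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical domain types for the User <-> Role <-> Right model (Java 16+ records).
record Right(String controller, String method) {
    // Authority string in the "controller|method" form asked about in the question.
    String authority() { return controller + "|" + method; }
}
record Role(String name, Set<Right> rights) {}
record AppUser(String username, String passwordHash, boolean enabled, Set<Role> roles) {}

// Hypothetical repository; in practice backed by your database.
interface AppUserRepository {
    AppUser findByUsername(String username); // null when no such user exists
}

public class RightBasedUserDetailsService implements UserDetailsService {
    private final AppUserRepository repo;
    public RightBasedUserDetailsService(AppUserRepository repo) { this.repo = repo; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        AppUser u = repo.findByUsername(username);
        if (u == null) {
            // Contract from the javadoc: a missing user is reported with this exception
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // Flatten User -> Role -> Right into one GrantedAuthority per "controller|method"
        Set<GrantedAuthority> authorities = u.roles().stream()
            .flatMap(role -> role.rights().stream())
            .<GrantedAuthority>map(right -> new SimpleGrantedAuthority(right.authority()))
            .collect(Collectors.toSet());
        // The password is the stored hash; DaoAuthenticationProvider compares it to the token
        return new User(u.username(), u.passwordHash(), u.enabled(), true, true, true, authorities);
    }
}

// Method-level check with SpEL; requires pre/post method security to be enabled in the config
class ContactController {
    @PreAuthorize("hasAuthority('ContactController|edit')")
    public String edit(long id) { return "editing contact " + id; }
}
```

The authority string is built from the same controller and method names the controller is guarded with, so adding or revoking a Right in the database changes access without touching the controller.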