Spring Security - how can I invoke access control methods directly?

There's a lot of documentation on how to use JSP tags, AOP, annotations, the application context, and all of these sorts of things... but how do I access the access control methods directly? What class do I need to create, if any? Is there a hidden bean I need to be aware of? It doesn't seem like SecurityContextHolder is the right place to look.

What I'd like to do is something like this:

if(springSecurityObject.isAuthorized("hasAnyRole('DIRECTOR', 'ADMIN')")) {
    // ... do something
}

Or even better:

if(springSecurityObject.hasAnyRole('DIRECTOR', 'ADMIN')) {
    // ... do something
}

Thanks!

EDIT: It seems like the spring security people are using the granted authorities on the user object itself:

https://fisheye.springsource.org/browse/spring-security/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java?r=fc399af136492c6c37cdddca6d44e5fe57f69680

I think it would probably have been helpful if they abstracted out a ton of this code and put it into a nice set of classes instead - something that both the tag libraries and actual users could use. They are private helper methods after all... a common smell that they should probably exist in some classes instead.

Since they are doing the plumbing manually, I guess I have to assume that what I want doesn't exist.

egervari asked Dec 22 '25 14:12



1 Answer

The only thing I can think of is invoking your UserDetailsService manually, calling getAuthorities() on the returned Authentication and then calling contains() or containsAll() on the returned collection.

So you'd have something like:

final UserDetails jimmyDetails = myDetailsService.loadUserByUsername("Jimmy");
final Collection<? extends GrantedAuthority> jimmyAuthorities = jimmyDetails.getAuthorities();

// make it a Collection<String> by iterating and calling .getAuthority()
final Set<String> plainAuthorities = new HashSet<String>();
for (GrantedAuthority authority : jimmyAuthorities) {
    plainAuthorities.add(authority.getAuthority());
}

plainAuthorities.contains("ROLE_YOU_NEED_TO_CHECK_FOR");

Writing your own helper methods that do this would not be too hard, although I agree that having them in the API would be nice.

Simeon answered Dec 24 '25 02:12
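Below is an added worked example of the helper the answer describes, written here for illustration; it is not code from the answer, and `RoleChecker` is not a class Spring Security provides. It differs from the answer's sketch in one security-relevant way: instead of loading a UserDetails by username (which tells you what authorities a name would have, not who is actually logged in), it reads the Authentication that Spring Security placed in the SecurityContextHolder for the current thread, and it denies when no authenticated principal is present. It also adds the "ROLE_" prefix the way the tag library's hasAnyRole('DIRECTOR', 'ADMIN') does, so the call site can use the same short names. The sample principal in main() is constructed for the demo; only the Spring Security core jar is needed on the classpath.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical helper (not part of Spring Security) exposing the role checks
 * the question asks for as plain Java methods. It works on the Authentication
 * Spring Security actually established for the current thread rather than on
 * a UserDetails looked up by name.
 */
public final class RoleChecker {

    private static final String ROLE_PREFIX = "ROLE_";

    private RoleChecker() {
    }

    /** Authority strings of the current principal; empty when nobody is authenticated (fail closed). */
    public static Set<String> currentAuthorities() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Set<String> names = new HashSet<String>();
        if (auth == null || !auth.isAuthenticated()) {
            return names;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            names.add(granted.getAuthority());
        }
        return names;
    }

    /** Equivalent of the tag library's hasAnyRole('DIRECTOR', 'ADMIN'); the ROLE_ prefix is added for you. */
    public static boolean hasAnyRole(String... roles) {
        Set<String> have = currentAuthorities();
        for (String role : roles) {
            if (have.contains(withPrefix(role))) {
                return true;
            }
        }
        return false;
    }

    /** True only when every listed role is held (and at least one role was asked for). */
    public static boolean hasAllRoles(String... roles) {
        Set<String> have = currentAuthorities();
        for (String role : roles) {
            if (!have.contains(withPrefix(role))) {
                return false;
            }
        }
        return roles.length > 0;
    }

    private static String withPrefix(String role) {
        return role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
    }

    /** Stand-alone demonstration with a constructed Authentication; no web container or database needed. */
    public static void main(String[] args) {
        // Constructed sample principal: an authenticated user holding ROLE_DIRECTOR and ROLE_USER.
        Collection<GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList("ROLE_DIRECTOR", "ROLE_USER");
        Authentication jimmy = new UsernamePasswordAuthenticationToken("Jimmy", "n/a", authorities);
        SecurityContextHolder.getContext().setAuthentication(jimmy);

        System.out.println("hasAnyRole(DIRECTOR, ADMIN)  = " + hasAnyRole("DIRECTOR", "ADMIN"));
        System.out.println("hasAllRoles(DIRECTOR, ADMIN) = " + hasAllRoles("DIRECTOR", "ADMIN"));

        // With the context cleared the checks deny rather than throw.
        SecurityContextHolder.clearContext();
        System.out.println("hasAnyRole after clearContext = " + hasAnyRole("DIRECTOR"));
    }
}
```

In the demo the first check passes (the principal holds ROLE_DIRECTOR), the second does not (ROLE_ADMIN is missing), and after clearContext() every check returns false. The three-argument UsernamePasswordAuthenticationToken constructor marks the token as authenticated, which is why the isAuthenticated() guard lets it through; a token built with the two-argument constructor, as a filter would create before the AuthenticationManager has verified it, is rejected by the same guard.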


