Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security Role Hierarchy not working using Java Config

First of all, I am new to Java Spring Framework. So forgive me if I did not provide enough info. I have tried to add RoleHierarchy into my app but it did not work. Below are the codes I have tried.


SecurityConfig.java

// These config is try to set up a user Role Hierarchy
@Bean
public RoleHierarchy roleHierarchy() {
  System.out.println("arrive public RoleHierarchy roleHierarchy()");
  RoleHierarchyImpl r = new RoleHierarchyImpl();
  r.setHierarchy("ROLE_ADMIN > ROLE_STAFF");
  r.setHierarchy("ROLE_STAFF > ROLE_USER");
  r.setHierarchy("ROLE_DEVELOPER > ROLE_USER");
  r.setHierarchy("ROLE_USER > ROLE_GUEST"); 
  return r;
}

@Bean
public AffirmativeBased defaultAccessDecisionManager(RoleHierarchy roleHierarchy){
  System.out.println("arrive public AffirmativeBased defaultAccessDecisionManager()");
  List<AccessDecisionVoter> decisionVoters = new ArrayList<>();

  // webExpressionVoter
  WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
  DefaultWebSecurityExpressionHandler
      expressionHandler = new DefaultWebSecurityExpressionHandler();
  expressionHandler.setRoleHierarchy(roleHierarchy);
  webExpressionVoter.setExpressionHandler(expressionHandler);

  decisionVoters.add(webExpressionVoter);
  decisionVoters.add(roleHierarchyVoter(roleHierarchy));
  // return new AffirmativeBased(Arrays.asList((AccessDecisionVoter) webExpressionVoter));
  return new AffirmativeBased(decisionVoters);
}

@Bean
public RoleHierarchyVoter roleHierarchyVoter(RoleHierarchy roleHierarchy) {
  System.out.println("arrive public RoleHierarchyVoter roleHierarchyVoter");
  return new RoleHierarchyVoter(roleHierarchy);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
  // skipping some codes
  http
    // skipping some codes
    .accessDecisionManager(defaultAccessDecisionManager(roleHierarchy()))
  // skipping some codes
}

MethodSecurityConfig.java

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

  @Inject
  private SecurityConfig securityConfig;

  @Override
  protected AuthenticationManager authenticationManager() throws Exception {
    return securityConfig.authenticationManagerBean();
  }

  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    System.out.println("arrive protected MethodSecurityExpressionHandler createExpressionHandler()");
    DefaultMethodSecurityExpressionHandler d = new DefaultMethodSecurityExpressionHandler();
    d.setRoleHierarchy(securityConfig.roleHierarchy());
    return d;
  }

}

And I have a UserDetailsServiceImpl implements UserDetailsService that provide the principal, Authentication and GrantedAuthority

Finally I have some APIs:

@PreAuthorize("hasRole('ROLE_STAFF')")
@RequestMapping(value = "/api/v1/contactUs", method = RequestMethod.GET)

@PreAuthorize("hasRole('ROLE_DEVELOPER')")
@RequestMapping(value = "/api/v1/system", method = RequestMethod.GET)

The problem is now if I login as ROLE_STAFF, ROLE_DEVELOPER, ROLE_ADMIN, I got the following result.

| API       | ROLE_STAFF | ROLE_DEVELOPER | ROLE_ADMIN |
|-----------|------------|----------------|------------|
| contactUs | 200        | 403            | 403        |
| system    | 403        | 200            | 403        |

As you can see ROLE_STAFF and ROLE_DEVELOPER work just fine. But I want ROLE_ADMIN as a super role of both and it didn't work.

FYI, I am using spring-security 3.2.5.RELEASE

like image 940
mingchuno Avatar asked Apr 27 '15 06:04

mingchuno


People also ask

What are three main entities in user Role and Privilege?

User, Role and PrivilegeThe Role represents the high-level roles of the user in the system. Each role will have a set of low-level privileges. The Privilege represents a low-level, granular privilege/authority in the system.

What is Spring Security HasRole?

HasRole checks the granted authorities for the currently authenticated principal. So really when you see hasRole("blah") really means hasAuthority("blah"). In the case I've seen, you do this with a class that Implements UserDetails which defines a method called getAuthorities.


2 Answers

The issue is in the RoleHierachy, which should be like this:

@Bean
public RoleHierarchy roleHierarchy() {
  RoleHierarchyImpl r = new RoleHierarchyImpl();
  r.setHierarchy("ROLE_ADMIN > ROLE_STAFF and ROLE_ADMIN > ROLE_DEVELOPER and ROLE_STAFF > ROLE_USER and ROLE_DEVELOPER > ROLE_USER");
  return r;
}

keep calling setHierarchy() will override the setting before

like image 93
mingchuno Avatar answered Sep 19 '22 13:09

mingchuno


Everytime I want to implement a hierarchy of roles with Spring Security and Java config, I use the following approach:

  1. We have to add a RoleHierarchyImpl bean into context (You see, that I use multiple roles to build a hierarchy):

    @Bean
    public RoleHierarchyImpl roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_DBA ROLE_DBA > ROLE_USER ");
        return roleHierarchy;
    }
    
  2. Then we need to create web expression handler to pass obtained hierarchy to it:

    private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
        DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
        defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
        return defaultWebSecurityExpressionHandler;
    }
    
  3. The final step is to add expressionHandler into http.authorizeRequests():

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                   .authorizeRequests()
                        .expressionHandler(webExpressionHandler())
                        .antMatchers("/admin/**").access("(hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')) and isFullyAuthenticated()")
                        .antMatchers("/dba").access("hasRole('ROLE_DBA') and isFullyAuthenticated()")
                        .antMatchers("/dba/**").access("hasRole('ROLE_USER')")
                        .and()
                   .requiresChannel()
                        .antMatchers("/security/**").requiresSecure()
                        .anyRequest().requiresInsecure()
                        .and()
                   .formLogin()
                        .loginPage("/login")
                        .failureUrl("/login?auth=fail")
                        .usernameParameter("username")
                        .passwordParameter("password")
                        .defaultSuccessUrl("/admin")
                        .permitAll()
                        .and()
                   .logout()
                            .logoutUrl("/logout")
                            .deleteCookies("remember-me")
                            .invalidateHttpSession(true)
                            .logoutSuccessUrl("/index")
                            .permitAll()
                            .and()
                   .csrf()
                            .and()
                   .rememberMe().tokenValiditySeconds(1209600)
                            .and()
                   .exceptionHandling().accessDeniedPage("/403")
                            .and()
                   .anonymous().disable()
                   .addFilter(switchUserFilter());
            }
    

Result: in this particular example we try to visit /dba section after we have logged in using admin user (ROLE_ADMIN). Before we created a hierarchy, we had an access denied result, but now we can visit this section without any problems.

like image 30
Lord Nighton Avatar answered Sep 18 '22 13:09

Lord Nighton