Spring Security 'Roles' and 'Privileges' and Thymeleaf 'hasRole' and 'hasAuthority'

Using this approach, I had some troubles with the Front-End (Thymeleaf). An example:

  • A user has role admin (the role is assigned with two privileges read and write)
  • A user has role user (the role is assigned with only the read privilege)

In the Front-End I will secure different divs. If I login with an admin:

<li sec:authorize="hasRole('admin')">Entry 1</li>
<li sec:authorize="hasAnyRole('admin', 'user')">Entry 2</li>

shows nothing, while

<li sec:authorize="hasAuthority('read')">Entry 3</li>
<li sec:authorize="hasAnyAuthority('read', 'write')">Entry 4</li>

works perfectly.

Now as I am using the role as container for my privileges, is there no way to allow access to a div for a "whole" role? Do I really have to list all privileges? Or am I mixing something up here? Thanks.

The main idea is:

  • user1
      with Role 'admin'
          with Privilege 'read' / 'write'
  • user2
      with Role 'user'
          with Privilege 'read'

And in Thymeleaf:

Showing a div for all users with role admin with

<li sec:authorize="hasRole('ROLE_ADMIN')">Entry 1</li>

and showing a div for all users with privilege write with

<li sec:authorize="hasAuthority('READ_PRIVILEGE')">Entry 1</li>

Is this even possible / 'the way to go?' I mean what is the sense of grouping privileges to a group (role) if I cannot give access to a page for the whole group?

manu asked May 08 '18 12:05


1 Answer

Normally, you don't need to include the ROLE_ prefix.

However, when it comes to Thymeleaf, not only do you have to include it, it is also case-sensitive:

<li sec:authorize="hasRole('ROLE_ADMIN')">Admin</li>
<li sec:authorize="hasRole('ROLE_USER')">User</li>

Also, an alternative to ROLE_USER (granted all authenticated users are given that role by default) would be to use isAuthenticated() instead, like so:

<li sec:authorize="isAuthenticated()">Authenticated users can see this</li>

If you'd like to see what kind of roles are attributed to the current user, you can add the following to your page:

<span sec:authentication="principal.authorities"></span>

It should render an array of roles upon loading the page, e.g. [ROLE_USER, ROLE_ADMIN]


TwiN answered Sep 30 '22 09:09
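As an added example, not code from the question or the answer, this shows how a custom UserDetailsService could map the role/privilege model from the question onto Spring Security authorities so that both the prefixed, case-sensitive hasRole() check and the exact-string hasAuthority() check succeed. The Privilege and Role records and the RoleAuthorityMapper class are hypothetical names; SimpleGrantedAuthority and User are Spring Security's own classes.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical domain model (assumption): a role is a named container of privileges.
record Privilege(String name) {}
record Role(String name, Set<Privilege> privileges) {}

public final class RoleAuthorityMapper {
    // Builds the authority list a custom UserDetailsService hands to Spring Security.
    // Each role contributes a "ROLE_<NAME>" authority so that hasRole('ADMIN') matches,
    // and each privilege contributes a plain authority so that hasAuthority('WRITE_PRIVILEGE')
    // matches too; hasRole() only prepends "ROLE_" when the prefix is missing, and the
    // comparison is case-sensitive, so store the role name upper-cased with the prefix.
    public static List<GrantedAuthority> toAuthorities(Collection<Role> roles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles) {
            String name = role.name().toUpperCase();
            String prefixed = name.startsWith("ROLE_") ? name : "ROLE_" + name;
            authorities.add(new SimpleGrantedAuthority(prefixed));
            for (Privilege privilege : role.privileges()) {
                authorities.add(new SimpleGrantedAuthority(privilege.name()));
            }
        }
        return authorities;
    }

    // What loadUserByUsername() would return once the user's roles are loaded;
    // the password is expected to be already encoded.
    public static UserDetails toUserDetails(String username, String encodedPassword,
                                            Collection<Role> roles) {
        return new User(username, encodedPassword, toAuthorities(roles));
    }

    // The two users from the question (constructed sample data).
    public static void main(String[] args) {
        Privilege read = new Privilege("READ_PRIVILEGE");
        Privilege write = new Privilege("WRITE_PRIVILEGE");
        Role admin = new Role("ADMIN", Set.of(read, write));
        Role user = new Role("USER", Set.of(read));
        System.out.println("user1: " + toAuthorities(List.of(admin)));
        System.out.println("user2: " + toAuthorities(List.of(user)));
    }
}
```

With these authorities in place, sec:authorize="hasRole('ADMIN')" and sec:authorize="hasAuthority('READ_PRIVILEGE')" both evaluate to true for user1, while hasRole('admin') still fails because the stored authority is ROLE_ADMIN.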