I have a role convention mechanism in my application for which each role follows a syntax:
APP_DEPARTMENT1_USER
APP_DEPARTMENT1_AUDITOR
APP_DEPARTMENT1_WHATEVER
APP_DEPARTMENT2_...
I want to configure Spring security in order to allow all roles that match a given suffix to be granted access to a section of my web application. I blindly tried <intercept-url pattern="/secure/audit/**" access="APP_*_AUDITOR,APP_ADMINISTRATOR" /> (where APP_ADMINISTRATOR is my default administrator role) but it didn't work. When I log in as administrator I can access the page, but when I try to log in with a profile with the APP_DEPARTMENT1_AUDITOR role I can't obtain access to the page.
I think wildcard expressions are not supported, and I don't believe Spring EL expressions could be of help (or I just don't master them enough).
Is there any way I can configure a role pattern for Spring Security within the <intercept-url> tag?
One solution could be to use Spring Security's built-in support for role hierarchies, and specify a generic APP_AUDITOR role that "includes" auditor roles of the individual departments.
An alternative would be to create your own improved role voter that can work with patterns, because the existing implementation only performs a simple equality test. Based on this existing class, it should be easy to do some pattern matching instead. Once you have that in place, you can wire up the custom voter with the security infrastructure this way:
<http access-decision-manager-ref="myAccessDecisionManager">
    ...
</http>

<bean id="myAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg name="decisionVoters">
        <list>
            <bean id="patternBasedRoleVoter"
                  class="com.example.PatternBasedRoleVoter"/>
            <bean id="authenticatedVoter"
                  class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </constructor-arg>
</bean>
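As an added example (not code from the original answer or from Spring Security itself), here is one way to write the pattern-aware voter the answer refers to, modelled on the stock RoleVoter, plus a small main method that exercises both options from the answer against constructed sample authentications. Assumptions: the class name com.example.PatternBasedRoleVoter is the one the XML above references; the APP_ prefix is taken from the question; treating * as exactly one underscore-delimited segment and quoting every other character are my design choices, made so that a wildcard cannot be widened by regex metacharacters in a role name; the role-hierarchy rule text (department auditor roles implying APP_AUDITOR) is illustrative; and the AffirmativeBased constructor used requires Spring Security 3.1 or later, which the constructor-arg in the XML already implies.

```java
package com.example;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Voter that understands one wildcard segment in a role attribute, e.g. "APP_*_AUDITOR".
 * Modelled on Spring Security's RoleVoter: attributes that do not start with the
 * configured prefix are left to the other voters (ACCESS_ABSTAIN).
 */
public class PatternBasedRoleVoter implements AccessDecisionVoter<Object> {

    // Assumption: every role in this application starts with APP_ (see the question).
    private String rolePrefix = "APP_";

    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(rolePrefix);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            return ACCESS_DENIED;
        }
        int result = ACCESS_ABSTAIN;
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) {
                continue;
            }
            // A role attribute is present, so this voter must decide: deny unless a granted role matches.
            result = ACCESS_DENIED;
            Pattern pattern = toPattern(attribute.getAttribute());
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                String granted = authority.getAuthority();
                if (granted != null && pattern.matcher(granted).matches()) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return result;
    }

    /**
     * Turns "APP_*_AUDITOR" into ^\QAPP_\E[^_]+\Q_AUDITOR\E$. Each '*' stands for exactly one
     * underscore-delimited segment, so APP_DEPARTMENT1_AUDITOR matches while
     * APP_DEPARTMENT1_USER_AUDITOR does not; the literal parts are quoted so that regex
     * metacharacters in a role name cannot widen the match.
     */
    static Pattern toPattern(String roleExpression) {
        String[] literals = roleExpression.split("\\*", -1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append("[^_]+");
            }
            if (!literals[i].isEmpty()) {
                regex.append(Pattern.quote(literals[i]));
            }
        }
        return Pattern.compile(regex.append('$').toString());
    }

    /** Constructed sample data exercising both options from the answer; not part of the original post. */
    public static void main(String[] args) {
        List<ConfigAttribute> auditPage = SecurityConfig.createList("APP_*_AUDITOR", "APP_ADMINISTRATOR");
        Authentication deptAuditor = new TestingAuthenticationToken("alice", "n/a", "APP_DEPARTMENT1_AUDITOR");
        Authentication deptUser = new TestingAuthenticationToken("bob", "n/a", "APP_DEPARTMENT1_USER");
        Authentication admin = new TestingAuthenticationToken("root", "n/a", "APP_ADMINISTRATOR");

        // Option 2: the pattern voter, wired the same way as the XML decision manager.
        PatternBasedRoleVoter voter = new PatternBasedRoleVoter();
        AffirmativeBased manager = new AffirmativeBased(
                Arrays.<AccessDecisionVoter<?>>asList(voter, new AuthenticatedVoter()));
        System.out.println("department auditor granted: " + (voter.vote(deptAuditor, null, auditPage) == ACCESS_GRANTED));
        System.out.println("department user denied:     " + (voter.vote(deptUser, null, auditPage) == ACCESS_DENIED));
        manager.decide(admin, null, auditPage); // throws AccessDeniedException if the administrator were refused

        // Option 1: a role hierarchy in which each department auditor role implies the generic APP_AUDITOR,
        // combined with the stock RoleHierarchyVoter and access="APP_AUDITOR" on the intercept-url.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("APP_DEPARTMENT1_AUDITOR > APP_AUDITOR\nAPP_DEPARTMENT2_AUDITOR > APP_AUDITOR");
        RoleHierarchyVoter hierarchyVoter = new RoleHierarchyVoter(hierarchy);
        hierarchyVoter.setRolePrefix("APP_");
        List<ConfigAttribute> viaHierarchy = SecurityConfig.createList("APP_AUDITOR");
        System.out.println("auditor via hierarchy:      " + (hierarchyVoter.vote(deptAuditor, null, viaHierarchy) == ACCESS_GRANTED));
    }
}
```

Whichever option you pick, keep the default RoleVoter out of the AffirmativeBased list if it would see the same attributes: with AffirmativeBased a single ACCESS_GRANTED wins, so an extra voter that matches too broadly silently widens access. The hierarchy approach needs no custom code but means every new department role has to be added to the hierarchy string; the pattern voter needs none of that, at the cost of a class you now own and must keep reviewing.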