How can i map an access path in Spring Security for a single .html page inside a folder

 
Jhon Parker
Ranch Hand
Posts: 47
I'm working on a web application using Spring MVC 4 (version: 4.0.9.RELEASE) and Spring Security 3 (version: 3.2.5.RELEASE). My problem is that I can't restrict access to a specific view (.html page) inside a folder.

I have three (3) modules in my web application: Roles, Permissions, Users. Each module has CRUD operations (insert, create, read, delete). I have created twelve (12) permissions in the form of roles in my Spring Security configuration; each permission is in charge of one CRUD operation. I would have a permission to create users, another one to delete roles, and so on until I have 12 permissions.

I said that I created those permissions as roles because in my web application I have a create-role requirement, and in this requirement I can create a new role, and this new role can have permissions mixed from different modules. I mean I can create a role that has a create-user permission and also a delete-role permission.

Because of this I can't hardcode access to the modules using roles in my Spring Security configuration, but since creating new permissions is not a requirement, I hardcoded the permissions instead of the roles in my Spring Security configuration.

Even if I use the Spring EL expression "hasRole", in my business logic the string I pass to that expression is the name of a permission that I have stored in my database.

I have 3 folders: Roles, Permissions, Users; and each folder contains a page for each CRUD operation, like this:



My problem is that I want to create my Spring Security configuration to restrict access per page and not per folder. I would like to require a specific permission to access a page, like this:



But when I do this, if I log in with a user that has PERM_ADD_ROLE, this user has access to all the Role pages (deleteRole, readRole and insertRole) and this shouldn't happen. The user should only have access to the addRole page since his permission is "PERM_ADD_ROLE", but since the other pages I mentioned are in the same Roles folder, I believe that's why he can access them, and this shouldn't happen.

My project in Spring MVC is configured using Java config and no XML; I have my application configured with classes and not XML.

Here is my Spring Security configuration class.


And here is my AuthenticationProvider class.


And here are some of my controllers, as an example the Role controller.


In summary: if I give a specific permission to a user, like PERM_ADD_ROLE, with this permission the user has access to all the pages in the Roles folder, and this shouldn't happen.
 
Arun Kumarr
Ranch Hand
Posts: 662
I'm just copy-pasting from one of my documents. I used Spring Security extensively for a web application built on the same ground (Spring MVC, Spring Security).

Add the tag:
Add this line to the JSP page.
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

Show/hide contents in JSP:
<security:authorize access="hasRole('ROLE_ADMIN')">
<!-- Add the HTML/JSP contents you want to show in the page -->
</security:authorize>

If the user is directly accessing the page via the URL, then you can have generic content which says that you are not permitted to view this page.
Also, are you not using @Secured annotations in your Spring code?
 
Jhon Parker
Ranch Hand
Posts: 47

Arun Kumarr wrote:I'm just copy-pasting from one of my documents. I used Spring Security extensively for a web application built on the same ground (Spring MVC, Spring Security).

Add the tag:
Add this line to the JSP page.
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

Show/hide contents in JSP:
<security:authorize access="hasRole('ROLE_ADMIN')">
<!-- Add the HTML/JSP contents you want to show in the page -->
</security:authorize>

If the user is directly accessing the page via the URL, then you can have generic content which says that you are not permitted to view this page.
Also, are you not using @Secured annotations in your Spring code?



Thanks for the info, but the problem is this; I will give you an example:

I give a user the permission to create a role, but this does not mean that this user has permission to access the pages that delete, read or insert a role. But since those pages are in the same folder as create role, the user can access those pages, when the idea is that he shouldn't be able to access them.

I can use the show-and-hide content in the part of the HTML where I have the menu, but I want to add that extra layer of security. I want to have those URLs mapped in my Spring Security configuration class, but I don't know how to map them; I'm very bad with path directions, hehe.
 
Arun Kumarr
Ranch Hand
Posts: 662
Did you take a look at "hasPermission(...)" in Spring Security?
 
Jhon Parker
Ranch Hand
Posts: 47

Arun Kumarr wrote:Did you take a look at "hasPermission(...)" in Spring Security?



I haven't tried that, but I think it would be the same. Where I'm having trouble is with the path mapping; I think I need to remove some "*" from my path, or a "/", but I'm not too sure since I'm not too good at mapping paths. Can you check the "paths" that I put in my Spring Security configuration class? Maybe I'm missing something. I think the problem could be solved if I created a folder for every single page in the application, but that doesn't seem to be good practice; I should be able to have a group of similar pages in one folder.
 
Arun Kumarr
Ranch Hand
Posts: 662
What's the difference between insert and add?
The issue is that if you use ** it simply means all files under "/foldername/" can be accessed by the given role.

That said, if you want to control access to individual files by varying roles:
1. You can try using hasRoles(...) instead of hasRole(...).
2. Explicitly do a mapping for all pages and permissions, like /foldername/addRole.html instead of /foldername/**. This is bad design; you can't have NxR lines added to your security configuration (N - number of users, R - number of roles).
There are also other annotations like @PreAuthorize, which I'd prefer you try first.
Another question: if a user is accessing a wrong page, what do you want to do? Do you want to take him to a different page or simply send an HTTP 403 message?

I can write something and give you the direct answer, but I'd rather let you think and make the changes. We can guide you, of course, along the way.

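The folder-wide versus per-page distinction above, as an added example written for this thread (it is not the original poster's configuration, which did not survive on the page). It assumes Spring Security 3.2 Java config, a folder /roles/ holding addRole.html, readRole.html, deleteRole.html and insertRole.html, and granted authorities named PERM_ADD_ROLE, PERM_READ_ROLE, PERM_DELETE_ROLE and PERM_INSERT_ROLE, following the thread's naming.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not the thread's own code. Folder, page and authority
// names (/roles/addRole.html, PERM_ADD_ROLE, ...) are assumed.
@Configuration
@EnableWebSecurity
public class PerPageSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Too coarse: a single authority unlocks every page in the folder,
            // which is exactly the behaviour described in the thread.
            // .antMatchers("/roles/**").hasAuthority("PERM_ADD_ROLE")

            // Per-page rules. Matchers are evaluated in order and the first
            // match wins, so the specific patterns must come before any
            // folder-wide fallback. hasAuthority() compares the granted
            // authority string as-is; in the Java config hasRole("X") is
            // rewritten to ROLE_X, which would not match these names.
            .antMatchers("/roles/addRole.html").hasAuthority("PERM_ADD_ROLE")
            .antMatchers("/roles/readRole.html").hasAuthority("PERM_READ_ROLE")
            .antMatchers("/roles/deleteRole.html").hasAuthority("PERM_DELETE_ROLE")
            .antMatchers("/roles/insertRole.html").hasAuthority("PERM_INSERT_ROLE")
            // Deny-by-default fallback for the rest of the folder, so a new
            // page is never exposed just because it was dropped there.
            .antMatchers("/roles/**").denyAll()
            // Everything else still requires a login.
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

A request to an unmatched path under /roles/ is rejected rather than silently allowed, which is the safer failure mode when pages are added later.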
 
Jhon Parker
Ranch Hand
Posts: 47

Arun Kumarr wrote:What's the difference between insert and add?
The issue is that if you use ** it simply means all files under "/foldername/" can be accessed by the given role.

That said, if you want to control access to individual files by varying roles:
1. You can try using hasRoles(...) instead of hasRole(...).
2. Explicitly do a mapping for all pages and permissions, like /foldername/addRole.html instead of /foldername/**. This is bad design; you can't have NxR lines added to your security configuration (N - number of users, R - number of roles).
There are also other annotations like @PreAuthorize, which I'd prefer you try first.
Another question: if a user is accessing a wrong page, what do you want to do? Do you want to take him to a different page or simply send an HTTP 403 message?

I can write something and give you the direct answer, but I'd rather let you think and make the changes. We can guide you, of course, along the way.



Thanks for the answer, I appreciate it. I changed the path like you said

/foldername/addRole.html

, but why did you say this is bad design? Doing this I can add permissions to a Role without having to give it all the permissions over a module; I can create a role XYZ and give this role only one CRUD operation over a module, without having to give it all the control over that module.

But I wanted to learn the annotation to use it in my controllers, and I'm getting a null pointer exception when I deploy my application, because I read that if you want to use the tag you need to add this other tag to your app configuration class


This is my app configuration class, since I'm not using XML




But when I add that tag I get a NullPointerException when I deploy my app.

I'm trying to use the PreAuthorize tag like this at the top of my controllers:


This is the actual exception



 
Arun Kumarr
Ranch Hand
Posts: 662

This is bad design; you can't have NxR lines added to your security configuration (N - number of users, R - number of roles).


- What was I thinking!! I meant N - number of pages and R - number of roles/permissions. Not users. I stand corrected.
Having each page mapped to each permission is a bad design. That's what I wanted to convey.
 
Arun Kumarr
Ranch Hand
Posts: 662

Caused by: java.lang.IllegalArgumentException: An AuthenticationManager is required
at org.springframework.util.Assert.notNull(Assert.java:112)



- You have not configured your authentication manager in your code.
You need to define an authentication manager in your code. The Authentication Manager is linked to a (Pre) Authentication Provider in Spring, in which you can customize the way your user details are loaded via a service.
The reason I suggested that first is that you need to clean up the way you are creating the users and granting permissions. It's hardcoded now and not in a way where you can plug in Spring components.

Another, simpler way is that in your @PreAuthorize you can call a custom service using Spring EL.
Here is a link from Spring which can help you understand how to call a custom service.

e.g.,
 
Jhon Parker
Ranch Hand
Posts: 47

Arun Kumarr wrote:

Caused by: java.lang.IllegalArgumentException: An AuthenticationManager is required
at org.springframework.util.Assert.notNull(Assert.java:112)



- You have not configured your authentication manager in your code.
You need to define an authentication manager in your code. The Authentication Manager is linked to a (Pre) Authentication Provider in Spring, in which you can customize the way your user details are loaded via a service.
The reason I suggested that first is that you need to clean up the way you are creating the users and granting permissions. It's hardcoded now and not in a way where you can plug in Spring components.

Another, simpler way is that in your @PreAuthorize you can call a custom service using Spring EL.
Here is a link from Spring which can help you understand how to call a custom service.

e.g.,



I know it's hardcoded, but I need to create new roles with mixed-up permissions and this is the only way I think I can do this. I'm going to do it using the 3 ways for better security: using this access path restriction, using the hide-and-show function, and, as I said, I wanted to use the annotation technique, but I'm having problems configuring an AuthenticationManager. In what class should I put that new method, or do I need to create a new class to use the AuthenticationManager?
 
Arun Kumarr
Ranch Hand
Posts: 662
If you are calling a custom service (it could be any service which is configured via Spring), you can directly use that.
If you are not using it, then Spring searches for a default authentication manager, and so you need to add an authentication manager to your Spring configuration.

1. Add inside your Spring Security configuration file.
2. Add inside any of your Spring classes and you should be able to access the authentication manager from your code.
 