Spring security @secure not working with role hierarchy

2
votes

I am using role hierarchy in spring security my spring-securityConfig.xml is 

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security 
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">

     <bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            <value>
                ROLE_ADMIN > ROLE_WORKFLOW
                ROLE_ADMIN > ROLE_ISBN_INSERTION
                ROLE_ADMIN > ROLE_PERMISSION_UPDATE
                ROLE_ADMIN > ROLE_ASSIGNMENT
                ROLE_ADMIN > ROLE_CALIBRATION
            </value>
        </property>
    </bean>

    <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <property name="roleHierarchy" ref="roleHierarchy" />
    </bean>

    <bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler">
            <ref bean="expressionHandler" />
        </property>
    </bean>

    <bean id="roleVoter"
          class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <constructor-arg>
            <ref bean ="roleHierarchy"/>
        </constructor-arg>
    </bean> 

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <ref bean="roleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <ref bean="webExpressionHandler"/>  
            </list>
        </constructor-arg>
    </bean>

     <bean id="authenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/login.htm" />
    </bean>





    <security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">

        <security:session-management>
            <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
        </security:session-management>

        <security:custom-filter position="FORM_LOGIN_FILTER"
                                ref="cdlAuthenticationProcessingFilter" />


        <security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />

        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <security:access-denied-handler ref="accessDeniedHandler" />

    </security:http>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="cdlLdapAuthenticationProvider"/> 
        <security:authentication-provider user-service-ref="cdlUserDetailService"/>
    </security:authentication-manager>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="cdlLdapAuthenticationProvider"/> 
        <security:authentication-provider user-service-ref="cdlUserDetailService"/>
    </security:authentication-manager>

    <bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
          abstract="true">
        <property name="userDao" ref="userDao"/>
    </bean> 

    <bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean"  />

    <bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg ref="customLdapBindAuthenticator"/>
        <constructor-arg ref="cdlAuthoritiesPopulator"/>
    </bean>

    <bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="cdlLdapContextSource" />
        <property name="userDnPatterns">
            <list>
                <value>${ldap.userDnPatterns}</value>
            </list>
        </property>
    </bean>

    <bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="${ldap.url}"/>
    </bean>

    <bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>

    <bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>

    <bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="notificationService" ref="notificationService"/>
        <property name="userGroupDao" ref="userGroupDao"/>
    </bean>

    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
       <property name="errorPage" value="/cdlAccessDenied.htm" />
    </bean>

    <security:global-method-security secured-annotations="enabled"  pre-post-annotations="enabled" />
   <bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>

In a service method i have used @Secured({ "ROLE_PERMISSION_UPDATE"}) if user with role ROLE_ADMIN is logging into application and try to access this secured method then it throws Access denied exception.

2
javaspringsecurityspring-mvcspring-security

2 Answers

2
votes

I found the solution 

<security:global-method-security secured-annotations="enabled"  
                                             pre-post-annotations="enabled">
          <security:expression-handler ref="defaultMethodSecurityExpressionHandler"/>
</security:global-method-security>

add this in dispatcher-servlet.xml. There should be different context for spring security

Add 

<context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
         WEB-INF/applicationContext.xml
         WEB-INF/dispatcher-servlet.xml
     </param-value>
</context-param>

to your web.xml and import spring-security.xml in applicationContext.xml Sole purpose to do this is to have separate context for spring security.

To apply method based security to work with role hierarchy use @PreAuthorize("SpEL") in place of @Secured({})

1
votes

You have enable roleHierarchy only for DefaultWebSecurityExpressionHandler, it will work on your http requests but not on @Secured annotations. Add it to DefaultMethodSecurityExpressionHandler as well

<global-method-security ...>
    <expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>

<beans:bean id = "methodSecurityExpressionHandler" 
    class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name = "roleHierarchy" ref="roleHierarchy"/>
</beans:bean>