I would like to know, how can I modify the hasIpAddress method in the Spring Security, so that it verify the X-Forwarded-For header in the request, instead of remote ip address?
You can choose to create a custom class with the logic that you want. Then, maybe extend DefaultWebSecurityExpressionHandler and override createEvaluationContextInternal where you can instantiate your custom class and set it as a variable in the StandardEvaluationContext. See OAuth2WebSecurityExpressionHandler to see how spring-security-oauth2 extended DefaultWebSecurityExpressionHandler to add oauth2-specific validation logic for example. Then in your http security rule, set the expression handler to use your custom expression handler. In xml, this would look something like:
<security:http>
<security:expression-handler ref="yourCustomExpressionHandler"/>
</security:http>
Related
Spring Security provides some convinent method-control annotations:
#PreAuthorize("hasRole('ADMIN')")
#PreAuthorize("hasAuthority('ROLE_ADMIN')")
#PreAuthorize("hasPermission('ADD')")
I want to extend it with some custom method like
#PreAuthorize("hasCompany('XX')")
and its validation data should come from a JWT token.
Can anyone help?
There are a few ways to do it, but what #Andrew mentioned would be easier. Just pointing out that you said you want to check if your JWT token has specific company "XX", then it will be
#PreAuthorize("#yourBeanName.customMethod(authentication)")
and inside of yourBeanName instance, you need to implement a method to extract company information from it and compare those two,
Or, probably you can do something like
#PreAuthorize("#oauth2.hasCompany('XX')")
same as what normal SpringEL can do with oauth2 access token.
To do that,
you need to implement your own DefaultMethodSecurityExpressionHandler ( check OAuth2MethodSecurityExpressionHandler for comparison )
and when you implement createEvaluationContextInternal() method, you need new OAuth2 expression handler, not OAuth2SecurityExpressionMethods since it doesn't have "hasCompany()" custom method. Just create a new class that extends OAuth2SecurityExpressionMethods and add hasCompany() method, and plug it in your new DefaultMethodSecurityExpressionHandler.
You may create a method in custom bean implementation #PreAuthorize("#yourBeanName.customMethod(authentication.principal.username)")
I am using Spring security rest plugin to authenticate the user. In this, there is a class named RestAuthenticationFilter. Now I want to call the methods of some custom class say CustomRestAuthenticationFilter (which extends RestAuthenticationFilter) instead of RestAuthenticationFilter. How to do this?
Is there any way that we define in resources.groovy or somewhere else that to use CustomRestAuthenticationFilter instead of RestAuthenticationFilter ?
I believe the filtering is nicely described ... in the documentation!
https://grails-plugins.github.io/grails-spring-security-core/guide/filters.html
Just amend the grails.plugin.springsecurity.filterChain.filterNamesvalue in the Config.groovy file so it contains your RestAuthenticationFilter instead of RestAuthenticationFilter and you should be good to go.
I am using Grails 2.3.3 and spring-security-core:2.0-RC4 plugin.
I am trying to protect a controller action by securing it depending on the result of a method call from a service that takes a parameter. This parameter should be something inside the request parameters.
I'd like to be able to do the following:
#Secured("#mySecurityService.myCustomCheck(params.id)")
def myAction(){
//do some things
}
I managed to be able to do the following:
#Secured("#mySecurityService.myCustomCheck()")
but now I have no idea how to access the request parameters that are sent to the controller.
Is it even architecturally possible to reference params variables inside the #Secured notation?
PS: I know you'll ask me to use spring-security-acl plugin. My problem is that it also adds a bunch of other things that I don't think I require.
In 2.0 you can use a closure as the annotation's check; there's a brief writeup and example in the docs: https://grails-plugins.github.io/grails-spring-security-core/v2/guide/newInV2.html
You'd express your example as this:
#Secured(closure={
ctx.mySecurityService.myCustomCheck(
request.getParameter('id'))
})
Return true to allow access.
Note that the ApplicationContext is available as the ctx variable, and the request as request; this is in addition to the other variables and methods that are available when using SpEL (see the Spring Security docs for details). params isn't available, but you can access values using request.getParameter
I'm using Grails 2.1.5 and the Spring Security Core plugin.
I've overridden the WebSecurityExpressionRoot to add 2 signatures of a hasPermission method to the web expression paradigm.
This method delegates to classes by name in the applicationContext calling them with the request as an argument and an arbitrary string to provide further details if any are ever required.
In my delegate class I need to be able to access the parameters to assess whether or not the user may access the requested resource and this is fine but the request does not yet contain the variables defined from the UrlMappings.
I have tried acquiring the grailsUrlMappingsHolder from the applicationContext but when I call it's match method with a valid uri I get nothing.
I'm running out of time and may have to parse the request.getRequestURI() myself to try to infer the id if no request parameters are valid but this will not get urls mapped where the id is not last.
I really hate to re-invent the wheel here and I hate to miss out on using the UrlMappings to their fullest potential but the variables they define (in my circumstance) aren't available until I'm in the controller.
Take a look at what I do in AnnotationFilterInvocationDefinition - there's a bit of setup that you need to do: https://github.com/grails-plugins/grails-spring-security-core/blob/master/src/java/grails/plugin/springsecurity/web/access/intercept/AnnotationFilterInvocationDefinition.java
Is it possible to assign the value to the bean property by implementing ModelDriven interface but having different name in request and bean
for eg Ajax request
DemoStruts.Action?param_a=649
the value of param_a parameter must set to the property paramAR in the bean. For doing this is there any xml configuration or annotation to specify this mapping
The normal mechanism is the alias interceptor, although I haven't used it for deep aliasing.
There are some pretty hideous games you can play with this technique. I've never been entirely sure if it's a good idea or not, though; another option is to just map parameters manually in the action itself. This is often easier to understand.