I'm working on an app that has to do object level security checks, and the checks will be made by a service because it will need to make REST calls to a separate application. Because of this I'm not able to use Spring Security roles or ACLs because none of this information will be stored locally in the app. I'm trying to find an elegant way to handle this, and here are two options I can think of:
1) Create a custom annotation that will check permissions
2) Extend a Spring security annotation permission check (possibly with Permission Evaluator?) that lets me write the logic for checking access
For #1 I've created a custom annotation and am using filters to read the annotation and check access, although this seems to be more brittle and will only give me protection for controller actions, and it would be nice to also secure other services as well.
I've found bits an pieces of this information, but nothing complete.
THIS talks about customizing ACL but only for a new permission, not controlling the logic
THIS talks about using SpEL, but I'd like to have checks before a method runs, to make sure that no effect takes place that would be unauthorized.
THIS appears to be the closest to what I want to do, but is specific to Spring Security and not Grails - my biggest challenge is converting the information in applicationContext.xml into resources.groovy
Thanks in advance for any suggestions or advice you may have!
You should be able to do this with spring security and grails without much trouble.
I used the following 2 ways in the past for similar tasks. Both require the spring security ACL plugin which provides the #PreAuthorize and #PostAuthorize annotations.
Custom PermissionEvaluator
You can use the hasPermission() methods within security annotations and create a custom PermissionEvaluator. Within code this looks like this:
#PreAuthorize("hasPermission(#myObject, 'update')")
public void updateSomething(myObject) {
..
}
The hasPermission() calls are routed to a PermissionEvaluator by spring security. To write your own implementation you have to implement the PermissionEvaluator interface:
class MyPermissionEvaluator implements PermissionEvaluator {
#Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
// your custom logic..
}
#Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// your custom logic
}
}
To register your PermissionEvaluator you have to override the bean named expressionHandler. You do this by adding the following lines in conf/spring/resources.groovy:
beans = {
expressionHandler(MyExpressionHandler) {
parameterNameDiscoverer = ref('parameterNameDiscoverer')
permissionEvaluator = ref('myPermissionEvaluator') // your PermissionEvaluator
roleHierarchy = ref('roleHierarchy')
trustResolver = ref('authenticationTrustResolver')
}
myPermissionEvaluator(MyPermissionEvaluator)
}
Within resources.groovy you can define beans like you would do in applicationContext.xml when using spring. The above lines create a bean of type MyPermissionEvaluator with the bean name myPermissionEvaluator. Spring securities expressionHandler bean is overridden with a bean of type MyExpressionHandler. The other dependencies are copied from the configuration file of the spring security ACL plugin.
Service calls in security annotations
If the design of the hasPermission() methods does not achive all you requirements you can use simple service calls instead. The #PostAuthorize and #PreAuthorize annotations use SPEL to evaluate the expression. Within SPEL you can use the # symbol to access beans. For example:
#PreAuthorize("#securityService.canAccess(#myObject)")
public void doSomething(myObject) {
..
}
This calls the canAccess method of the bean named securityService and passes the method argument to it.
To use this approach you have to register a BeanResolver on the EvaluationContext. To do this you have to override the DefaultMethodSecurityExpressionHandler which is configured by the spring security ACL plugin.
This can look like the following:
class MyExpressionHandler extends DefaultMethodSecurityExpressionHandler {
BeanResolver beanResolver
#Override
public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
StandardEvaluationContext ctx = (StandardEvaluationContext) super.createEvaluationContext(auth, mi)
ctx.setBeanResolver(beanResolver) // set BeanResolver here
return ctx;
}
}
BeanResolver is a simple interface that resolves a bean name to a bean instance:
class GrailsBeanResolver implements BeanResolver {
GrailsApplication grailsApplication
#Override
public Object resolve(EvaluationContext evaluationContext, String beanName) throws AccessException {
return grailsApplication.mainContext.getBean(beanName)
}
}
And finally add the beans to resources.groovy:
expressionHandler(MyExpressionHandler) {
parameterNameDiscoverer = ref('parameterNameDiscoverer')
permissionEvaluator = ref('permissionEvaluator')
roleHierarchy = ref('roleHierarchy')
trustResolver = ref('authenticationTrustResolver')
beanResolver = ref('beanResolver') // this is your BeanResolver
}
// This is the service called within security expressions
// If you place your service in the grails service folder you can skip this line
securityService(MySecurityService)
// this is your BeanResolver
beanResolver(GrailsBeanResolver) {
grailsApplication = ref('grailsApplication')
}
Update (2013-10-22): Recently I wrote a blog post about exactly this which provides some additional information.
Related
Assuming we got an annotated rest controller method with:
#PreAuthorize("hasPermission(#username, 'USER_PROFILE', 'WRITE')")
In Spring MVC we would implement a PermissionEvaluator to implement the authorization hidden behind the following method signature
boolean hasPermission(
Authentication authentication,
Serializable targetId,
String targetType,
Object permission
)
This still seems to work when using Spring WebFlux as long as you do not need to call a reactive service/method inside of the hasPermission method, which I guess is rarely the case since you would typically like to use the reactive interface for your database layer as well. If you would call a reactive service inside this method anyway you would need to call block() on some Mono at some time and thereby run into trouble since you are called from within a reactive pipeline.
In the tutorial from Josh Long about Security with Spring WebFlux he explains how to implement authorization directly on the SecurityWebFilterchain using path matchers by providing custom ReactiveAuthorizationManagers. But there is no explanation of how to use the PreAuthorize annotation in Spring WebFlux.
I was expecting to implement some ReactivePermissionEvaluator
Mono<Boolean> hasPermission(
Authentication authentication,
Serializable targetId,
String targetType,
Object permission
)
that would allow using reactive services in the implementation as well but I wasn't able to find any implementation of the ReactiveAuthorizationManager that would scan for the PreAuthorize annotation and dispatch the evalutation to a reactive PermissionEvaluator nor does the ReactivePermissionEvaluator interface exist.
So finally the question is, how to implement a reactive PermissionEvaluator that allows calling a reactive service, e.g. to query the database for the autorization information without blocking?
Sadly... this is not yet supported by Spring Security in https://github.com/spring-projects/spring-security/issues/5046
Here is how you should do it. Just get DefaultMethodSecurityExpressionHandler bean from applicationContext and explicitly replace permissionsEvaluator.
#Configuration
#EnableWebFluxSecurity
#EnableReactiveMethodSecurity
public class SecurityConfiguration {
#Autowire
private ApplicationContext applicationContext;
#Bean
#DependsOn({"methodSecurityExpressionHandler"})
public SecurityWebFilterChain springSecurityFilterChain(
ServerHttpSecurity http) {
DefaultMethodSecurityExpressionHandler defaultWebSecurityExpressionHandler = this.applicationContext.getBean(DefaultMethodSecurityExpressionHandler.class);
defaultWebSecurityExpressionHandler.setPermissionEvaluator(permissionEvaluator());
return http.csrf().disable()
.httpBasic().disable()
.formLogin().disable()
.logout().disable()
.securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
.addFilterAt(tokenAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.authorizeExchange()
.anyExchange().authenticated()
.and().build();
}
PermissionEvaluator permissionEvaluator() {
return new PermissionEvaluator() {
#Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
//Custom logic to evaluate #PreAuthorize("hasPermission('123', '123')")
return false;
}
#Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
//Custom logic to evaluate #PreAuthorize("hasPermission('123', '123','123')")
return false;
}
};
}
I want to write some kind of unit test which depends on Spring Security.
For example, I have some service method which uses some repository and marked with #PreAuthorize annotation. Repository I can mock with Mockito, there is no problem. Also I can mock Security Context by #WithSecurityContext annotation. But when I run test, the #PreAuthorize annotation is just ignored. Of course I can run that test with #SpringBootTest annotation as an integration test and in this case the Security Context is up but this way is heavy and slow.
Is there a way to run unit test with only Spring Security Context raised?
UPDATE
Made an example of such kind of test. Thanks to #Sam Brannen for giving right direction.
#ActiveProfiles("method-security-test")
#RunWith(SpringRunner.class)
#SpringBootTest(classes = {ExampleService.class, ExampleServiceTest.MethodSecurityConfiguration.class})
public class ExampleServiceTest {
private ExampleService service;
#Autowired
public void setService(ExampleService service) {
this.service = service;
}
#Test
#WithMockUser(username = "john_doe")
public void testAuthenticated() {
String actualMessage = service.example();
Assert.assertEquals("Message of john_doe", actualMessage);
}
#Test(expected = AuthenticationException.class)
public void testNotAuthenticated() {
service.example();
Assert.fail();
}
#TestConfiguration
#EnableGlobalMethodSecurity(prePostEnabled = true)
static class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {
}
}
#Service
class ExampleService {
#PreAuthorize("isAuthenticated()")
String example() {
Principal principal = SecurityContextHolder.getContext().getAuthentication();
return "Message of " + principal.getName();
}
The #PreAuthorize annotation from Spring Security will only be honored if Spring Security proxies your component (e.g., service bean).
The simplest way to make that happen is by annotating an #Configuration class with #EnableGlobalMethodSecurity(prePostEnabled = true), having your component registered as a bean (e.g., via component scanning or an #Bean method), and including your AuthenticationManager setup.
You can then create a focused integration test using #ContextConfiguration (without Spring Boot testing support) to load an ApplicationContext from your #Configuration class. And you can use #Autowired to get access to your proxied component which will be advised with the #PreAuthorize security check support.
You might find this old blog post useful as well for background information: https://spring.io/blog/2013/07/04/spring-security-java-config-preview-method-security/
I want to using #PreAuthorize with SpEL within Spring Security like the example at http://forum.spring.io/forum/spring-projects/security/100708-spel-and-spring-security-3-accessing-bean-reference-in-preauthorize
but this is not work for me while using it in Spring Security 4.1.4. Below is my sample code:
A bean class:
package com.service.spel;
import org.springframework.stereotype.Component;
#Component(value="accessBean")
public class AccessCheckBean {
public String getPermision(){
/**
* return the api permision
*/
String scope = "#oauth2.hasScope('resource.Update')";
return scope;
}
}
In controller:
#PreAuthorize("accessBean.getPermision()")
#GetMapping("/perm")
public #ResponseBody String getPerm(){
return "Perm";
}
Error message:
Failed to evaluate expression 'accessBean.getPermision()'
seems I can't use SpEL like above, then if I am using this version of Spring Security, how can I proceed?
You have to use #, see Spring Security Reference:
Referring to Beans in Web Security Expressions
If you wish to extend the expressions that are available, you can easily refer to any Spring Bean you expose. For example, assuming you have a Bean with the name of webSecurity that contains the following method signature:
public class WebSecurity {
public boolean check(Authentication authentication, HttpServletRequest request) {
...
}
}
You could refer to the method using:
<http>
<intercept-url pattern="/user/**"
access="#webSecurity.check(authentication,request)"/>
...
</http>
or in Java configuration
http
.authorizeRequests()
.antMatchers("/user/**").access("#webSecurity.check(authentication,request)")
...
I'm trying to return some User data after a successful login in a Spring Boot application.
To do so, I need to serialize my Principal with the Jackson mapper that is already set-up at bootstrap via a factory.
Is there a way to inject it into the authentication handler?
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_OK);
UserDetails me = (UserDetails) authentication.getPrincipal();
PrintWriter writer = response.getWriter();
/*mapper.writeValue(writer, user); <- how to get the mapper?
writer.flush();*/
}
tl;dr;
Instead of using a Factory, make the ObjectMapper a Spring bean. That way it can be injected into both Spring and Jersey components.
#Bean
public ObjectMapper mapper() {
ObjectMapper mapper = new ObjectMapper();
return mapper;
}
When you use an HK2 (Jersey's DI framework) Factory to create the ObjectMapper, the injection is only available to components that are retrieved through the HK2 ServiceLocator, which is the HK2 analogue of the Spring ApplicationContext.
When you use Spring-Boot with Jersey, how the two interact under the hood, is through the HK2 spring-bridge. So for example, say the AuthenticationSuccessHandler is registered in the ApplicationContext. With the spring-bridge configured, we can also get the AuthenticationSuccessHandler through the ServiceLocator
ServiceLocator l = ...
AuthenticationSuccessHandler handler = l.getService(AuthenticationSuccessHandler.class);
That should work. If you have the ObjectMapper binded through an HK2 Factory, and you were to #Inject the mapper into the AuthenticationSuccessHandler, it would be injected, when retrieved through the ServiceLocator.
That being said, Spring Security doesn't go through HK2, so it never has a chance to get the ObjectMapper through HK2. But if you register the mapper as a Spring bean, then Spring can inject it into the AuthenticationSuccessHandler. And the mapper is still available through HK2 ServiceLocator (because of the spring-bridge), so you can still use it with Jersey, same way as if it were binded with a Factory.
I'm using the spring security (core 2.0-SNAPSHOT and ldap 2.0-RC2) plugins in my Grails 2.4.RC1 project. I'd like to be able to reuse the LdapTemplate that has been configured for use in spring security but I'm not sure how to inject the LdapTemplate into my service class.
Here's my simple service:
#Transactional
class EmployeeSynchronizationService implements EmployeeSynchronizer {
LdapTemplate ldapTemplate
void syncEmployees() {
// do work with ldapTemplate... but ldapTemplate is null
println ldapTemplate
sync(getUsernameToEmployeeMap(), getEmployeeLdapInfo())
}
...
And based on this stackoverflow post, my resources.groovy file looks like this:
beans = {
employeeSynchronizer(employee.EmployeeSynchronizationService) {
ldapTemplate=ref(ldapTemplate)
}
}
However, when I inject the EmployeeSynchronizer into a controller and invoke its syncEmployees method I see that the LdapTemplate is null.
Note: this same question was asked (but not answered) here.