Is my approach of giving access to users correct? - spring-security

I am applying Spring Security on my JSP page. I need to show different parts of the page to users with different roles. All the roles are as follows:
All authenticated users >> Edit and Add New
Admin > Delete and Edit and Add New
Anonymous > Add New
<sec:authorize access="isAuthenticated()">
    Code of add new and edit buttons
</sec:authorize>
<sec:authorize access="hasAnyRole('ADMIN')">
    Code to add new, edit and delete buttons
</sec:authorize>
<sec:authorize access="isAnonymous()">
    Code to add new
</sec:authorize>
I am wondering if there is any easier method. In this case, if I want to modify the access of a specific role, I have to change its access rules in the security.xml file and in every page where I have set the role access.
For example, let's say I want to disable the Admin role's access to the delete button; then I have to change the code of security.xml and all the JSP pages where the Admin role was authenticated to view the delete button.
Is there any easier method to do it?

One solution is to use a set of rights that is contained in the role object as a collection.
After this implementation you can check the right permission for showing buttons, and if you want to change anything in your security architecture, you can easily manage this by granting or revoking the rights from the related role.
An example of this can be seen in the link below.
http://en.tekstenuitleg.net/blog/spring-security-with-roles-and-rights

I don't think there is a built-in solution for this. You could set up a fine-grained role system, assigning, for example, an edit role, a delete role and so on. Then you can assign these roles more freely.
If you want to keep it easy for the user (like still only showing admin and user roles) you might have to mask the actual roles behind a mapping between the roles and the titles shown to users.
Another approach would be to set up global parameters for each action (edit, delete, etc.) in which you specify the roles that shall be allowed for the action. This way you wouldn't hardcode the roles into your application but map them through the global parameters.
Looking forward to seeing if someone else comes up with a better idea.
Edit, to specify the approach of mapping by global parameters (refined, the mapping would be stored in a DB, but that is getting from an ad hoc solution to implementing an ACL):
With global parameters I just meant something like a rightsMapping.properties. In this file you would map something like this:
right.edit=ROLE_USER, ROLE_ADMIN
right.delete=ROLE_ADMIN
etc...
After that you can just insert the rights into the JSF pages using something like this:
<f:loadBundle basename="rightsMapping" var="rights"/>
....
<h:commandButton id="edit" .... rendered="#{hasRole(rights.edit)}"/>
This is a pretty easy, hands-on solution which can be refined by using, for example, a mappings table in the DB, a bean evaluating access rights, etc. But the basic idea of mapping the fine-grained rights to the roles stays the same.
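As an added example (not code from any of the answers above), here is how the rightsMapping.properties idea can be plugged into Spring Security itself, so that pages check a right rather than a role: a PermissionEvaluator that reads `right.<name>=ROLE_A, ROLE_B` entries and denies anything not mapped. The class and method names (RightsMappingPermissionEvaluator, isAllowed) are my own; it assumes Spring Security 3.x or later on the classpath and that the bean is registered via `DefaultWebSecurityExpressionHandler.setPermissionEvaluator`, after which a JSP can write `<sec:authorize access="hasPermission(null, 'delete')">` and a rule change touches only the properties file. ROLE_ANONYMOUS is Spring Security's default authority for unauthenticated users.

```java
import java.io.Serializable;
import java.io.StringReader;
import java.util.*;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Maps fine-grained rights (add, edit, delete, ...) to the roles allowed to use them. */
public class RightsMappingPermissionEvaluator implements PermissionEvaluator {
    private final Map<String, Set<String>> rolesByRight = new HashMap<>();

    /** Parses entries of the form right.<name>=ROLE_A, ROLE_B; other keys are ignored. */
    public RightsMappingPermissionEvaluator(Properties props) {
        for (String key : props.stringPropertyNames()) {
            if (!key.startsWith("right.")) continue;
            Set<String> roles = new HashSet<>();
            for (String role : props.getProperty(key).split(",")) {
                if (!role.trim().isEmpty()) roles.add(role.trim());
            }
            rolesByRight.put(key.substring("right.".length()), roles);
        }
    }

    /** Allowed only if a granted role is mapped to the right; unknown rights are denied (fail closed). */
    public boolean isAllowed(String right, Collection<String> grantedRoles) {
        Set<String> allowed = rolesByRight.getOrDefault(right, Collections.<String>emptySet());
        for (String role : grantedRoles) if (allowed.contains(role)) return true;
        return false;
    }

    /** Backs hasPermission(target, 'edit') in security expressions; the target is not used here. */
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || permission == null) return false;
        List<String> roles = new ArrayList<>();
        for (GrantedAuthority ga : auth.getAuthorities()) roles.add(ga.getAuthority());
        return isAllowed(permission.toString(), roles);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return hasPermission(auth, null, permission);
    }

    /** Stand-alone check against a constructed rightsMapping.properties mirroring the question's rules. */
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader("right.add=ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN\nright.edit=ROLE_USER, ROLE_ADMIN\nright.delete=ROLE_ADMIN\n"));
        RightsMappingPermissionEvaluator ev = new RightsMappingPermissionEvaluator(p);
        System.out.println("ROLE_USER may delete: " + ev.isAllowed("delete", Arrays.asList("ROLE_USER")));
        System.out.println("ROLE_ADMIN may delete: " + ev.isAllowed("delete", Arrays.asList("ROLE_ADMIN")));
    }
}
```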

I suppose that you have the same rights for Edit buttons everywhere in your app. In this case you can extract the authorization code into a custom tag (I recommend JSP tag files). For each edit button you will use your custom tag:
<customtags:hasEditPermission>
    Edit button code goes here
</customtags:hasEditPermission>
All permissions will be declared once in your hasEditPermission.tag:
<%@ tag description="Edit permission tag" pageEncoding="UTF-8" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasAnyRole('ADMIN')">
    <jsp:doBody/>
</sec:authorize>
So in the case of a new POWER_USER role you need to modify just one file:
<%@ tag description="Edit permission tag" pageEncoding="UTF-8" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasAnyRole('ADMIN', 'POWER_USER')">
    <jsp:doBody/>
</sec:authorize>
You can prepare and use tags for "Add new" and "Delete" buttons too. Hope this helps.

This is probably what you are looking for, with sample code
In your case, you would have BF_ADD_XXX, BF_EDIT_XXX and BF_DELETE_XXX etc.
This allows you to grant/revoke particular permissions (or BFs or business functions or whatever you want to call them) to/from particular roles.

Related

Grails Prevent HTML modifications

I'm looking for a way to prevent HTML form user modifications, based on this example:
The "User" entity has an enum Role (User, Administrator etc.) and there's a UserController that displays a g:form for first, last and email. The controller's action does user.properties = params.
Now, a user can modify the HTML form with Firebug or Chrome Web Developer, rename the text field firstname to role, enter "Administrator" and will be granted Administrator rights.
There's useToken="true" and the withForm closure, but this just seems to prevent the user from double-submitting the same form. Besides, this works with sessions and is therefore not really scalable over multiple servers.
I'm using Grails 2.3.6. Is there a way to prevent such things except not using xxx.properties = params?
You can give a list of allowed properties. For your example:
user.properties['first', 'last', 'email'] = params
You should always give the list for security. Search in the Grails documentation for 'Data Binding and Security Concerns'.

ASP.NET MVC 5 Customise Bootstrap navbar based on User Role

I'm using the ASP.NET MVC 5 built in authentication methods. I would like to show and hide links (in the menu navbar) based on the role the user is in.
Has anyone achieved this?
Where would be a starting point?
Just wrap your links in:
@if (User.IsInRole("SomeRole"))
{
    ...
}
You can use MvcSiteMap for this. It has a feature called SecurityTrimming which uses the [Authorize] attribute on your action methods to decide whether or not to display the menu item.
I know it's frowned upon to post links in answers, but I found this blog post very useful.
In addition to the role-based menu visibility, I added custom attributes to the MvcSiteMapNodes to determine the visibility of links that were accessible to users but that I didn't want shown in the menu (e.g. Edit pages), and I also added icon attributes which allowed me to use the Bootstrap menu icons, e.g.:
<mvcSiteMapNode title="Till" controller="Home" action="Index" area="Till" iconClass="icon-home" visibility="true" />
I went a bit off-topic there, but I just wanted to highlight how flexible MvcSiteMap is.
Two things I do. Either
@if (User.IsInRole("admin"))
{
    {link somewhere}
}
Or, what I personally do, because I use areas, is have a _ViewStart in the admin area which links to the admin shared viewmodel; then the admin shared view links to the public view.
In the admin shared view I set up a section. Inside this section I define the extra nav details that the specific role will see and add them in a list tag.
Then inside the public shared view I use (on phone, can't remember the exact name, something like)
Html.IsSectionDefined
I personally like the second method using areas and sections. Both would work fine, but with the second I find it much cleaner, and you can be so much more specific and much simpler.

Role Management in N2

N2 CMS has the following roles by default: Everyone, Members, Writers, Editors and Administrators. It allows you to assign users to these roles and offers role assignments for each editable page.
Is there a way to easily create additional roles for specifying which groups of users can edit certain pages? Maybe a configuration option in the n2 section of the web.config?
Click on Settings and check "show non pages in navigation". Open the Users node for editing. You will see one role per line. Add your role on a new line.
Next, change web.config to add your new role as editors:
<editors dynamic="true" roles="Editors,NewRole" />

ASP.NET, MVC, C# website pass a value though out the application

This is a bit of a puzzle for me.
I need to capture the URI query string passed to the Home page.
As a user travels to different pages on the web site, I have a partial view that needs that URI query string.
I need a dynamically created link in the partial view that equals the original call to the home page.
Example:
If the user goes to http://www.mysite.com?mode=Joe, I need the dynamically created link to equal http://www.mysite.com?mode=Joe
If the user goes to http://www.mysite.com?mode=Tommy, I need the dynamically created link to equal http://www.mysite.com?mode=Tommy
FYI, the partial view is used in the _Layout.cshtml file. The call inside _Layout.cshtml looks like this:
@Html.Partial("MyPartial")
Thanks!
There are a number of ways to do this, but probably the simplest would be to save it to the session on your home page, and then access that session variable from your partial.
You will need to decide what to do if the session expires.
Another possible way would be to write it to a cookie on the home page request and then access the request cookie in your partial. Again, you'd need to decide on an approach for cookies disabled, or wiped out during browsing.
Alternatively, you could look at something like the approach being used in the link below to set a language across the site. Exact implementation would differ, but concept is the same:
Howto automatically add a specific value from current route to all generated links?

User redirecting in struts2 with data not working

I am new to Struts2. I am working on a Struts2 with Spring application.
I developed user registration functionality. This registration process has 3 steps (3 forms). The first page is step1 and contains some fields, the second page is step2 and contains some other fields, and step3 contains some other fields. I used a session map in the action class to put all the field values of all forms. After the form submission in step3 it calls a REST service and gives the response. If the response is OK then I am redirecting to the success page step4. In some cases, if the user already exists, it gives the response "existed user" and then I am redirecting to the step5 page. In this page I used one message "Sorry, the user already exists" and one link "Home Page".
I used this link <s:a id="next" href="/sample/register/user.action"> Homepage </s:a> in the step5 page. After clicking on this link it goes to the homepage (meaning the step1 page) fine, but it doesn't contain the user-entered values. I have to maintain all field values in the step1, step2, step3 process. How can I achieve this?
Can anyone please give a suggestion?
If you are using a session map to persist values being entered by the user, I believe they should be available in the session until you remove them from the session or the session expires. Moreover, when you do a redirect, a new request-response cycle is started by the framework and a new value stack will be created, which means all old values will be lost.
From your description I believe you are creating wizard-like functionality, and if this is the case I believe Struts2 provides a more elegant and flexible solution:
ScopeInterceptor
This is designed to solve a few simple issues related to wizard-like functionality in Struts
Still, you need to show how you are trying to show the values in the form being filled by the user if something fails or when the user already exists in the system, as described in your case. In this case you need to fetch the object/data from the session.
