Spring Security Role Hierarchy issues

Submitted by 自古美人都是妖i on 2019-12-01 01:02:48

Managed to fix my issues which was down to an omission in my http namespace configuration which I found from hours of debugging the spring security source.

The issue was how the DefaultWebSecurityExpressionHandler was created. In the snippet above it was created as an inner bean inside the bean definition of the accessDecisionManager:

<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
    <property name="expressionHandler">
        <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
            <property name="roleHierarchy" ref="roleHierarchy"/>
        </bean>
    </property> 
</bean>

With this, the role hierarchies are used to determine whether access should be granted when processing rules defined as intercept URLs such as:

<sec:intercept-url pattern="/**" access="isAuthenticated()" requires-channel="any"/>

But if you want to check authorisation using the JSP Authorize taglib as below (this is in FreeMarker), it will not work, as the role hierarchies do not get taken into account:

<@security.authorize access="hasRole('ROLE_TEST_1')">
    <p>You have role 1</p>
</@security.authorize>

<@security.authorize access="hasRole('ROLE_TEST_4')">
    <p>You have role 4</p>
</@security.authorize>

This is because the DefaultWebSecurityExpressionHandler created as an inner bean is only used within the access decision manager, but for taglib expressions a NEW default bean will be created (which doesn't use the RoleHierarchy) unless a security http namespace expression-handler is defined.

So, to resolve my issues I created the bean DefaultWebSecurityExpressionHandler and referenced it within my WebExpressionVoter bean definition and also used it as the expression handler as follows:

<sec:http ... >

    .
    . access denied handlers, concurrency control, port mappings etc
    .

    <sec:expression-handler ref="defaultWebSecurityExpressionHandler" />

</sec:http>

<bean id="defaultWebSecurityExpressionHandler"
      class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
      <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <ref bean="roleHierarchyVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="defaultWebSecurityExpressionHandler"/>
            </bean>
        </list>
    </property>
</bean>

Making these changes ensures the role hierarchies are taken into account both for Web Security Expressions defined as intercept URLs via the http namespace and for expressions using the JSP Authorize taglib.
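The answer's configuration refers to `roleHierarchy` and `roleHierarchyVoter` beans by name but does not show them. The following is an added example, not code from the original answer, wiring those two beans together with the shared expression handler so that every place that evaluates `hasRole()` sees the same hierarchy. The hierarchy string and the `/admin/**` pattern are constructed for illustration; the bean ids match the refs used in the answer, and `RoleHierarchyImpl` and `RoleHierarchyVoter` are the standard Spring Security classes for this purpose.

```xml
<!-- Added example: the beans the answer references but does not define.
     The hierarchy below is constructed for illustration only. -->
<bean id="roleHierarchy"
      class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <!-- A principal holding ROLE_TEST_1 is also treated as holding 2, 3 and 4 -->
    <property name="hierarchy">
        <value>
            ROLE_TEST_1 > ROLE_TEST_2
            ROLE_TEST_2 > ROLE_TEST_3
            ROLE_TEST_3 > ROLE_TEST_4
        </value>
    </property>
</bean>

<!-- Voter that expands a principal's roles through the hierarchy for
     plain ROLE_* config attributes -->
<bean id="roleHierarchyVoter"
      class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy"/>
</bean>

<!-- One handler instance, shared by the WebExpressionVoter below and by the
     http namespace (and therefore by the authorize taglib) -->
<bean id="defaultWebSecurityExpressionHandler"
      class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

<bean id="accessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <ref bean="roleHierarchyVoter"/>
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="defaultWebSecurityExpressionHandler"/>
            </bean>
        </list>
    </property>
</bean>

<sec:http use-expressions="true"
          access-decision-manager-ref="accessDecisionManager">
    <!-- /admin/** is the constructed example pattern; ROLE_TEST_1 reaches it
         directly, and with the hierarchy above so does nothing lower -->
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_TEST_1')"/>
    <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- Without this element the taglib gets its own handler with no hierarchy -->
    <sec:expression-handler ref="defaultWebSecurityExpressionHandler"/>
    <sec:form-login/>
    <sec:logout/>
</sec:http>
```

With this wiring, a user granted only `ROLE_TEST_1` passes both `<@security.authorize access="hasRole('ROLE_TEST_4')">` in the view and an intercept-url rule requiring `ROLE_TEST_4`, because both paths go through the same `RoleHierarchy`. The intercept-url rules remain the enforcement point; the taglib only decides what is rendered, so keeping the two on one handler avoids the view and the filter chain reaching different answers for the same principal.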
