Recently I came across the problem of integrating spring-security into a project that already handled authentication in a very application-specific way, and whose authorization rules were unique to the organization's needs. Most of the authorization work was done in the presentation layer, so that according to certain rules links, buttons and forms were shown or hidden. Of course hiding a link is not access control: the underlying request is still served to anyone who types the URL, so this approach is not safe enough.
The task was to integrate spring-security in order to secure DAO methods using the method-level authorization mechanism that spring-security provides. As you probably know, spring-security uses the concept of "roles": each user is assigned one or more roles, and each protected resource carries information about which roles may access it. This can be configured in XML or directly in code using the @Secured annotation. But what about cases where the application requires different authorization logic? What if the organization has a hierarchical structure of roles? And what if we need to provide user-specific authorization rules?
Although this scenario is not very common, in certain situations it is desirable. In such situations I recommend not using spring-security, even if people have the feeling that it solves their problems just by including the jars and providing a few configuration options. In many cases this is true, but in some cases having to customize and bend spring-security to specific needs is just overhead. Another example is App Engine. I've also seen instructions for how to use spring-security in Google App Engine. As shown there it's possible, but so far I have been able to implement the authorization mechanism in a simpler way. Google App Engine distinguishes authenticated from unauthenticated users, and for authenticated users there are two roles: "admin" and "user".
Let's take an application that uses spring-mvc with @Controller and @RequestMapping annotations. What we want to achieve is that the method showAllUsers(...) is protected and available to administrator users only. This is what the code would look like:
This looks pretty simple; let's have a look at the @Secured annotation (note: this is an application-specific annotation and has nothing to do with the annotation present in spring-security):
Also quite straightforward, nothing extraordinary here. Spring itself uses proxies intensively: for example, if you use transactions in your spring application, a proxy is created that wraps your code and handles transaction management for you. We'll use the same mechanism for authorization. What we need is a proxy created for each controller that has @Secured-annotated methods, so that we can allow or deny the method invocation according to the authorization policy. The easiest way to do this? @AspectJ. Let's see the code of such an aspect:
Now we need to add our new aspect to the spring context using XML configuration:
This is enough to secure method invocations: users need to be authenticated before invoking any method annotated with @Secured and, where required, must also be among the administrators. One caveat that follows from the proxy approach: only calls that enter the controller through the proxy are intercepted, so a direct call from one method of the controller to another @Secured method of the same class bypasses the check, and the annotation must be placed on public methods of beans managed by the spring context.
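As an added example (not the post's own code, and unrelated to the spring-security API), here is what the arrangement described above can look like in one compilable Java file: the application-specific @Secured annotation, the @AspectJ aspect that enforces it against Google App Engine's UserService (the "admin" versus plain authenticated "user" distinction mentioned earlier), and a controller with the admin-only showAllUsers method. The package name, the AccessDeniedException type, the request paths and the view names are assumptions made for illustration.

```java
package sk.example.security; // assumed package name

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

/**
 * Added example, not the original post's code. Everything is kept in one
 * file for readability; in a project each nested type would be its own file.
 */
public final class SecuredExample {

    /** Application-specific annotation; nothing to do with spring-security's @Secured. */
    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Secured {
        /** When true, the caller must also be a Google App Engine administrator. */
        boolean admin() default false;
    }

    /** Assumed exception type; map it to 401/403 in a HandlerExceptionResolver. */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String message) {
            super(message);
        }
    }

    /** Aspect wrapping every @Secured method of a spring bean and enforcing the policy. */
    @Aspect
    public static class SecuredAspect {

        // "@annotation(secured)" both selects annotated methods and binds the
        // annotation instance to the "secured" parameter, so no reflection is needed.
        @Around(value = "@annotation(secured)", argNames = "secured")
        public Object enforce(ProceedingJoinPoint pjp, Secured secured) throws Throwable {
            UserService users = UserServiceFactory.getUserService();

            // Authentication first: isUserAdmin() throws IllegalStateException
            // when nobody is logged in, so it must never run before this check.
            if (!users.isUserLoggedIn()) {
                throw new AccessDeniedException(
                        "authentication required for " + pjp.getSignature().toShortString());
            }
            // Authorization: the admin flag on the annotation maps to GAE's admin role.
            if (secured.admin() && !users.isUserAdmin()) {
                throw new AccessDeniedException(
                        "administrator required for " + pjp.getSignature().toShortString());
            }
            // Default deny above, explicit allow here: only now does the real method run.
            return pjp.proceed();
        }
    }

    /** Controller whose admin-only method is the one the post protects. */
    @Controller
    public static class UserController {

        @Secured(admin = true)
        @RequestMapping("/admin/users") // assumed path
        public String showAllUsers() {
            return "users"; // assumed view name; data access would go here
        }

        @Secured
        @RequestMapping("/protected") // assumed path
        public String showProtectedPage() {
            return "protected"; // assumed view name
        }
    }
}
```

To activate it, the XML context needs `<aop:aspectj-autoproxy proxy-target-class="true"/>` (controllers rarely implement an interface, so class-based CGLIB proxies are required, which in turn means the controller must be non-final and have a no-argument constructor), a bean for the aspect such as `<bean class="sk.example.security.SecuredExample$SecuredAspect"/>`, and the controller picked up by component scanning. Because the aspect throws rather than silently returning a view, a failed check cannot accidentally fall through to the protected page; an exception resolver should turn AccessDeniedException into a 401 or 403 response instead of a generic 500.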
The entire demo application is deployed on GAE and publicly accessible. You'll have to log in to be able to access the "protected" page; unfortunately you won't be able to access the "admin protected" page at all (let me know if you do). All the source code, with build and run instructions, is also available on GitHub.
This post is also published on GTUG.sk