
I am trying to understand some Spring Security code. I am new to Spring Security as well, and I guess I am missing something basic here.

I have that annotation on one of the classes:

    @Controller
    @RequestMapping("/download-resource")
    @PreAuthorize(value="hasRole('LINKS_ADMIN')")
    public class DownloadResourcesController extends BaseHtmlController {..}

I read about `@PreAuthorize` and its logic. I still couldn't understand where Spring Security retrieves that defined role string 'LINKS_ADMIN' from. Where is it defined?

thanks, ray.

rayman
  • It can be whatever you want... Those are the roles that are used within your application and can be chosen by you. In general they are assigned to a user. – M. Deinum Sep 30 '13 at 12:02
  • But I looked in the whole project for this term, 'LINKS_ADMIN'. Couldn't find any declaration of it. – rayman Sep 30 '13 at 12:50
  • A user has roles, Spring Security checks these roles. The content inside the `@PreAuthorize` tag is the metadata to check against the current user. If the user doesn't have that role it denies the access. There is no compile-time checking, only runtime: if you don't have that role in your system it compiles and deploys fine, however no one would have access. – M. Deinum Sep 30 '13 at 12:59
  • I guess I miss something basic here. How could the user have this role in the system? Where does the user define it? – rayman Sep 30 '13 at 13:02
  • Depends on your system. In general I would say the database. But it could be files, LDAP, XML, some custom mechanism. – M. Deinum Sep 30 '13 at 13:19
  • I am asking where the user holds that role name (in our case, LINKS_ADMIN). In its session? How is it being retrieved under the hood from there? – rayman Sep 30 '13 at 16:52
  • @rayman updated my answer now, think I answered how it is retrieved under the hood. – Matsemann Oct 11 '13 at 08:31

1 Answer

Those roles are the roles (authorities) you assign to the UserDetails when a user logs in. These will be returned by an Authentication implementation.

They are of the form `Collection<? extends GrantedAuthority>`; normally `SimpleGrantedAuthority` is used.

For instance, in my application everyone is assigned to groups. So when a user logs in, I check all groups that user is a member of and add those to his user details.

    // one authority per group; the "ROLE_" prefix is the convention hasRole() expects
    List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
    for (Group group : groups) {
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase()));
    }

So if I have groups named "Admin", "User" and "Reporter" I can now check for has_role('ROLE_ADMIN'), has_role('ROLE_USER') and has_role('ROLE_REPORTER')


Under the hood it is retrieved from

    SecurityContextHolder.getContext().getAuthentication().getAuthorities();

where `getAuthentication()` returns an instance of the `Authentication` I linked to above, and you grab the authorities from that object.

Matsemann
  • As a note, these role names are ideally defined in compile-time constants, such as `public static final String`s on subclasses of different `Role` classes, or as `enum` values. This prevents lots of headaches from string typos. – chrylis -cautiouslyoptimistic- Sep 30 '13 at 12:22
  • @chrylis yes, having a `stringly typed` application can lead to some bugs. Ideally authorities will also not be based directly on group names, since they change and it's hard to extend access later. It's often better to have `privileges` that can be granted to groups, and have them as constants in the code. – Matsemann Sep 30 '13 at 12:28
  • I have a class with enums which contains the LINKS_ADMIN role. But how does Spring Security do the link? Where is it defined? I have edited my question. – rayman Sep 30 '13 at 12:43
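Putting the answer and the comments together as an added example (not the answer's own code): a `UserDetailsService` that derives authorities from stored group memberships, with the role name kept as a constant as chrylis suggested, and the lookup that `hasRole()` performs at request time written out against the `SecurityContext`. One caveat worth knowing: `hasRole('LINKS_ADMIN')` prepends `ROLE_` automatically only from Spring Security 4.0 onward; the 3.x versions current when this question was asked compare the literal string, so the granted authority must match the expression exactly for the version you run. `GroupRepository` and `AccountRecord` are assumed stand-ins for your own persistence layer, not Spring API.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Assumed persistence types standing in for your own user/group storage (not Spring API).
interface AccountRecord { String getUsername(); String getPasswordHash(); List<String> getGroupNames(); }
interface GroupRepository { AccountRecord findAccount(String username); }

/** Role names as constants: a typo here fails to compile instead of silently denying everyone. */
final class Roles {
    static final String PREFIX = "ROLE_";
    static final String LINKS_ADMIN = "LINKS_ADMIN";
    private Roles() {}
}

/** Hypothetical UserDetailsService that turns group membership into GrantedAuthority values. */
public class GroupBackedUserDetailsService implements UserDetailsService {
    private final GroupRepository repo;

    public GroupBackedUserDetailsService(GroupRepository repo) { this.repo = repo; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        AccountRecord account = repo.findAccount(username);
        if (account == null) {
            throw new UsernameNotFoundException("User not found"); // generic message, no enumeration hint
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String group : account.getGroupNames()) {
            // Group "links_admin" becomes authority "ROLE_LINKS_ADMIN". In Spring Security 4+ hasRole('LINKS_ADMIN')
            // prepends ROLE_ itself; in 3.x it compares the literal string, so keep both in step for your version.
            authorities.add(new SimpleGrantedAuthority(Roles.PREFIX + group.toUpperCase()));
        }
        return new User(account.getUsername(), account.getPasswordHash(), authorities);
    }

    /** The check hasRole() performs at request time, written out against the SecurityContext. */
    public static boolean currentUserHasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) return false;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) return true;
        }
        return false;
    }
}
```

Wire the service into your `AuthenticationManager` (for example via `auth.userDetailsService(...)` in a Java config) and `@PreAuthorize("hasRole('LINKS_ADMIN')")` on the controller will be evaluated against exactly the authorities built here.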