9

I am working on a Spring web application that uses:

  • Spring MVC
  • Spring Core
  • Spring Roo
  • Spring Security
  • Spring Data JPA
  • Mysql

The issue I have is as follows: for each access from the web layer to the application's entities/objects I want to be able to check whether or not they do indeed belong to the current user.

Let me illustrate: users of the application have advertisements, curriculums (referred to as entities/objects). I frequently perform GETs or POSTs on those objects/entities using the PK/ID in order to retrieve, update or delete those objects. As of now, I have not found a clean and flexible way to prevent a user from retrieving, updating or deleting someone else's objects.

I use Spring Security and I know at any time who is the current user (currently logged-in user/principal) but I am not sure where (which layer) and how to perform the check.

I have tried advising the service and controller methods with AspectJ but the way I implemented it is far from ideal as a mere change in the method signature causes the advice not to be applied.

I could use ACLs with Spring Security but it adds an unnecessary layer of complexity: I just need to grant or reject access to the entities given on whether or not they belong to an account/user.

Can anyone who has already met this issue please provide a clean, flexible and DRY solution?

balteo
  • 23,602
  • 63
  • 219
  • 412

1 Answers1

9

In my mind this is an authorisation problem. Essentially you want to confirm that the current user has the correct permissions to perform actions on the entities/objects. Therefore I would suggest that your solution is applied at the service layer (mid-tier).

A big part of the Spring Security architecture is dealing with authorisation decisions. It is worth taking your time to read that section of the documentation to ensure you understand the general architecture.

Broadly, Spring Security delegates pre-invocation access decisions to a AccessDecisionManager. The AccessDecisionManager typically consults a list of registered AccessionDecisionVoters who, as the name would suggest, "vote" on whether to allow the invocation to proceed based upon the current state of execution e.g. who is logged in, what data is the user requesting.

How a AccessDecisionVoter decides whether or not to give access is completely up to the implementation. So in theory you can do just about anything to decide whether or not to authorise a specific request.

Thankfully (and as you would expect) Spring provides some fairly sensible default implementations that let you achieve a lot of what you want out of the box. In particular I believe Method Security Expressions should let you achieve what you want (it will depend a little on how your services are implemented).

As per the documentation you can use Spring Security's @PreAuthorise annotation in combination with some expressions that look at the parameters of current method call or execution context. For example:

@PreAuthorise("#u == principal.id")
public List<Foo> loadFoos(@P("u")String userId);

In this example, the method invocation will only be allowed to proceed if the value of the userId parameter matches exactly the id of the currently authenticated user.

Your exact approach/expressions will depend on how your services are implemented, but hopefully this gives you a good starting point.

Rob Lockwood-Blake
  • 4,688
  • 24
  • 22
  • 1
    Hi Rob! Your reply is very useful an interesting indeed!! Let me please check some aspects of my code and I'll come back to you with additional comments... – balteo Mar 17 '14 at 13:28
  • One first point that comes to mind: the official documentation seems to suggest that one can also place the `@PreAuthorize` annotations on repository methods (as opposed to service methods) and I use spring data together with spring roo. Repository methods are autogenerated by roo and the default finder methods are not "visible". How can I then place my `@PreAuthorize` methods on those methods? – balteo Mar 17 '14 at 13:37
  • I don't know the answer to that unfortunately. I have never used Spring Roo before, so I don't know where to start in terms of customising the behaviour for auto-generated implementations. – Rob Lockwood-Blake Mar 17 '14 at 14:30
  • No worries. I have added another question [here](http://stackoverflow.com/questions/22456280/applying-postfilter-annotation-to-a-generic-spring-data-jpa-repository-method) that is more relevant to my comment above. Marking this one as accepted. – balteo Mar 17 '14 at 14:34
  • 1
    Hi Rob, Very useful information. @balteo , As you added that, PreAuthorize annotations on repository methods (as opposed to service methods) , This can limit the access to resources accessed by resources only, it will be more flexible if authorization is performed at service layer, regard less from where data is accessed. As, in some scenarios services may interact with solr and other data storage. – Nitul Nov 09 '18 at 17:37
  • Very nice ! - especially for readers from search engines as a first hit ;-) Great ! – inrandomwetrust Jan 13 '22 at 19:43