0

I am looking for a solution where I could use spring boot security to manage user access with specifics from below:

  1. Every user is tied to a list of groups. Groups are dynamic, meaning that a new group can be assigned/removed to/from the user at any point.

  2. There are dynamically created entities. For example let's think of them as "articles" on some blog website :) Similarly like users, those "articles" are tired to a list of groups that can access it.

In summary: a system where groups and access list are known at runtime.

I do not know much about spring security, so I was looking for some answers on the web, but couldn't find anything. All snippets are based on static antMatchers and roles, like this:

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/something_else_instead_of_this").hasRole("ROLE_and_instead_of_this_static_role");
    }

    (...)

}

Is there any way of creating your own custom Authenticator or something like that, which based on (1) URL would find the "article", therefore the groups allowed to access, and (2) the user logged, therefore the assigned groups => would determine if I can proceed with processing the request or return 401 immediately ;)

Thanks in advance for your help!

localhost
  • 93
  • 8
  • did you get the answer of your problem, I am facing the same problem, if you found any solution then please tell me that how I can resolve it – Naveen kumawat Jan 06 '22 at 19:06

1 Answers1

0

I don't think you can do this solely in the WebSecurityConfigurerAdapter but here is a similar set-up that takes advantage of Spring Security and demonstrates how to add the access checks to controller methods.

Additional pom.xml dependencies:

    ...
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    ...
    <dependency>
      <groupId>org.thymeleaf.extras</groupId>
      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>
    ...

(The latter only if you're using Thymeleaf.)

The WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@NoArgsConstructor @Log4j2
public class WebSecurityConfigurerImpl extends WebSecurityConfigurerAdapter {
    @Autowired private UserDetailsService userDetailsService;
    @Autowired private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers("/css/**", "/js/**", "/images/**",
                         "/webjars/**", "/webjarsjs");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().permitAll()
            .and().formLogin().loginPage("/login").permitAll()
            .and().logout().permitAll();
    }
}

In the web MVC @Controller, anyone can read an article (whether logged-in or not):

    @RequestMapping(method = { GET }, value = { "/article/{slug}/" })
    @PreAuthorize("permitAll()")
    public String article(Model model, @PathVariable String slug) {
        ...
    }

But only AUTHORs may use the preview feature:

    @RequestMapping(method = { GET }, value = { "/preview/" })
    @PreAuthorize("hasAuthority('AUTHOR')")
    public String preview(Model model) {
        ...
    }

    @RequestMapping(method = { POST }, value = { "/preview/" })
    @PreAuthorize("hasAuthority('AUTHOR')")
    public String previewPOST(Model model,
                              Principal principal, HttpSession session,
                              HttpServletRequest request,
                              @Valid PreviewForm form, BindingResult result) {
        ...
    }

This is also supported in the Thymeleaf template where the menu is conditionally displayed if the user is an AUTHOR.

              <li th:ref="navbar-item" sec:authorize="hasAuthority('AUTHOR')">
                <button th:text="'Author'"/>
                <ul th:ref="navbar-dropdown">
                  <li><a th:text="'Preview'" th:href="@{/preview/}"/></li>
                </ul>
              </li>

And handling Login/Logout menus to demonstrate other available security predicates:

              <li th:ref="navbar-item" sec:authorize="!isAuthenticated()">      
                <a th:text="'Login'" th:href="@{/login}"/>                      
              </li>                                                             
              <li th:ref="navbar-item" sec:authorize="isAuthenticated()">       
                <button sec:authentication="name"/>                             
                <ul th:ref="navbar-dropdown">                                   
                  <li><a th:text="'Change Password'" th:href="@{/password}"/></\
li>                                                                             
                  <li><a th:text="'Logout'" th:href="@{/logout}"/></li>         
                </ul>                                                           
              </li>

(The rest are implementation details that may be helpful for illustration but not necessarily specific to your question. Specifically, I suggest this is where your logic would be for "dynamic' groups.)

The UserDetailsService implementation relies on JpaRepository implementations and sets the user's grants:

@Service
@NoArgsConstructor @ToString @Log4j2
public class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired private CredentialRepository credentialRepository;
    @Autowired private AuthorRepository authorRepository;
    @Autowired private SubscriberRepository subscriberRepository;

    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = null;
        Optional<Credential> credential =
            credentialRepository.findById(username);

        if (credential.isPresent()) {
            HashSet<GrantedAuthority> set = new HashSet<>();

            subscriberRepository.findById(username)
                .ifPresent(t -> set.add(new SimpleGrantedAuthority("SUBSCRIBER")));

            authorRepository.findById(username)
                .ifPresent(t -> set.add(new SimpleGrantedAuthority("AUTHOR")));

            user = new User(username, credential.get().getPassword(), set);
        } else {
            throw new UsernameNotFoundException(username);
        }

        return user;
    }
}

And an example of one of JpaRepository:

@Repository
@Transactional(readOnly = true)
public interface AuthorRepository extends JpaRepository<Author,String> {
    public Optional<Author> findBySlug(String slug);
}
Allen D. Ball
  • 1,916
  • 1
  • 9
  • 16
  • Thanks for the answer, it cleared some thinks for me. Unfortunately, I this is not the answer I am looking for. The `@PreAuthorize("hasAuthority('AUTHOR')")` need to be hardcoded and I want to check if article access group matches to user groups dynamically. Because as I mentioned it all can change at any moment. I guess spring boot security is not the way to go with it :) Probably I will need to intercept the request and write some generic method for that. – localhost Aug 16 '20 at 11:44