Grails + spring-security-core: How to assign a role after user has logged in?

Question

I have a grails application that uses spring-security-core and spring-security-ldap, with authentication against Active Directory. I have a custom UserDetails and UserDetailsContextMapper.

I have a use case where a user can temporarily take on additional responsibilities for a single session. I would like to be able to assign a role to the user after they have already logged in (i.e. mid-session), and then remove that role when the session expires.

I have a user_role database table that stores relationships between users and roles. In this case, it does not matter whether the relationship is added to the database and then removed when the session expires, or simply exists in memory only. Either way, I am looking for a way to assign the role (and have it immediately apply) at a point after the user has logged in. Is this possible?

Roadrunner · Accepted Answer · 2011-09-30T21:03:38.390

The UserDetails.getAuthorities() holds all roles of currently logged in user. As You already have a custom UserDetails ~~You only need to add the additional role to the values returned by getAuthorities() on the mid-session start, and then remove it on the mid-session end.~~ (see edit below)

ie:

public class MyUserDetails implements UserDetails {
    // holds the authorities granted to the user in DB
    private List<GrantedAuthority> authorities;
    // holds the temporarily added authorities for the mid-session
    private List<GrantedAuthority> extraAuthorities;

   public GrantedAuthority[] getAuthorities() {
       List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
       auths.addAll(this.authorities);
       auths.addAll(this.extraAuthorities);
       return auths;
   }

   public void addExtraAuthorities(GrantedAuthority...auths) {
       for (GrantedAuthority a : auths) {
           this.extraAuthorities.add(a);
       }
   }

   public void clearExtraAuthorities() {
       this.extraAuthorities.clear();
   }
}

Or You could create a wrapper around the original UserDetails that will hold the extra authorities and wrap it and set to the current Authentication object on the mid-session start and unwrap on the mid-session end.

Edit:

As Ben pointed out in the comment the UserDetails.getAuthorities() does get called only once, at the login, when the Authentication object is created - I forgot about that. But that brings us to the right answer, and this time I'm sure it's gonna work, cause I did it myself this way. The Authentication.getAuthorities() is the method to attend to, not the UserDetails.getAuthorities(). And I really recommend a wrapper for that, not the custom implementaion of Authentication interace, as it'll be more flexible and allow to transparentlysupport diffrent authentication mechanisms underneath.

ie:

public class MidSessionAuthenticationWrapper implements Authentication {

    private Authentication wrapped;
    private List<GrantedAuthority> authorities;

    public MidSessionAuthenticationWrapper(
            Authentication wrapped, Collection<GrantedAuthority> extraAuths) {
        this.wrapped = wrapped;
        this.authorities = new ArrayList<GrantedAuthority>(wrapped.getAuthorities());
        this.authorities.addAll(extraAuths);
    }

    public Authentication getWrapped() {
        return this.wrapped;
    }

    @Override
    public Collection<GrantedAuthority> getAuthorities() {
        return this.authorities;
    }

    // delegate all the other methods of Authentication interace to this.wrapped
}

Then all You need to do is on the mid-session start:

Authentication authentication = 
    SecurityContextHolder.getContext().getAuthentication();
Collection<GrantedAuthority> extraAuths = 
    null; // calculate the extra authorities
MidSessionAuthenticationWrapper midSessionAuthentication =
    new MidSessionAuthenticationWrapper(authentication, extraAuths);
SecurityContextHolder.getContext().setAuthentication(midSessionAuthentication);

And on the mid-session end:

MidSessionAuthenticationWrapper midSessionAuthentication =
    (MidSessionAuthenticationWrapper) SecurityContextHolder.getContext().getAuthentication();
Authentication authentication = midSessionAuthentication.getWrapped();
SecurityContextHolder.getContext().setAuthentication(authentication);

Thanks Roadrunner. I have tried your approach, however it appears that getAuthorities() is not being called when a security check occurs, either using or a controller annotation. As far as I can tell, that method only gets called when a user first logs in. Is that different from your experience? — Ben, Sep 29 '11 at 17:34
@Ben You're right. I corrected my answer to reflect that. Now I remember why I changed the `Authentication` and not the `UserDetails` last time myself :). Sorry for misleading You at first. — Roadrunner, Sep 30 '11 at 21:11
That works perfectly, thank you! (Sorry for the delayed response, I was sidetracked for a while). — Ben, Oct 05 '11 at 23:54

score 3 · Answer 2 · answered Sep 11 '13 at 15:18

3

I just had the same problem and found a shorter solution. I use a "before"-Filter to check if the LDAP user has a local (db) user, findOrCreate it if necessary, add roles to the user and then reauthenticate the user via:

springSecurityService.reauthenticate(user.username)

The user will then have a current list of authorities.

answered Sep 11 '13 at 15:18

Jörg Rech

1,339
2
13
25

This worked great for me. Assign a new role to the user, reauthenticate and done! – Sergio del Amo Oct 18 '14 at 10:02
1

Can you add a link to a tutorial or documentation how to exactly do this? E.g. with the Grails 3.x Interceptors. Thanks – Mexx Apr 04 '16 at 07:04

Grails + spring-security-core: How to assign a role after user has logged in?

2 Answers2