In our project we're mixing XML and annotation-based Spring MVC security configuration. We've got quite a lot of roles, a lot of controllers and frequently changing requirements about who should be able to do what. I thought it would be nice to have a util class which will generate a permission matrix like this.

What I've done so far is write a simple classpath scanner which looks for all classes marked with @Controller and extracts the values of @PreAuthorize. The naming convention for controllers is straightforward: {Action}{Type}Controller (e.g. NewOrderController), so it's easy to generate a human-readable (and by human I mean non-programmer) CSV file.

The problem is that classpath scanning for annotations doesn't cover what we've got in the XML config.

I was wondering if there is any other way to query metadata used for access resolution by spring mvc itself.

EDIT:

Example xml configuration (largely simplified):

<security:http pattern="/static/**" security="none" />

<security:http auto-config="false"
               use-expressions="true"
               entry-point-ref="entryPoint"
               security-context-repository-ref="securityContextRepository">
    <security:intercept-url pattern="/product/**" access="hasAnyRole('PRODUCT_USER')" />
    <security:intercept-url pattern="/admin/**" access="hasAnyRole('ADMIN_USER')" />
    <!-- No security configuration for /order/** -->
</security:http>

Example of annotation driven configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

@Controller
@RequestMapping("/order/new/{id}")
public class NewOrderController {

    @Autowired
    public NewOrderController() {
    }

    // Both handlers are guarded only by the method-level annotation;
    // no <intercept-url> covers /order/** in the XML above.
    @RequestMapping(method = RequestMethod.GET)
    @PreAuthorize("hasRole('ORDER_USER')")
    public ModelAndView display() {
        return new ModelAndView(/*...*/);
    }

    @RequestMapping(method = RequestMethod.POST)
    @PreAuthorize("hasRole('ORDER_USER')")
    public RedirectView process() {
        return new RedirectView(/*...*/);
    }

}
Petro Semeniuk

1 Answer

I suppose this answer will help you construct the solution to parse and load the metadata on URL interceptors in order to gather the configured roles.

nobeh
  • Thanks Nobeh, I'll take a look on the weekend if I can craft something based on security metadata. – Petro Semeniuk Jun 07 '12 at 10:53
  • I tried to prototype this solution but it seems to be a bit more complex than so I decided to go with class scanning. Thanks for the answer anyway. I'd use FilterInvocationSecurityMetadataSourceParser, but for different purpose. – Petro Semeniuk Jul 03 '12 at 07:07
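An added example (not code from the question or the answer) of the approach the answer points at: instead of re-parsing the XML, it takes the FilterInvocationSecurityMetadataSource from the FilterSecurityInterceptor bean that the security namespace registers, probes it with each controller's URL the way the filter does for a real request, and pairs the result with the method's @PreAuthorize, so gaps such as /order/** having no URL rule show up in the same matrix. It assumes Spring Security 3.1 APIs, a fully initialised ApplicationContext, class-based (CGLIB) proxies for the controllers, and a single filter chain carrying intercept-url rules; the "1" substituted for path variables is a constructed sample value.

```java
import java.lang.reflect.Method;
import java.util.*;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

/** Builds CSV rows: URL;HTTP method;XML intercept-url rule;@PreAuthorize rule. */
public class PermissionMatrix {

    public static List<String> build(ApplicationContext ctx) {
        List<String> rows = new ArrayList<String>();
        // <security:http> registers a FilterSecurityInterceptor bean; its metadata
        // source is what actually decides URL access at runtime. Assumes one chain
        // carries the rules (the security="none" chain has no filters at all).
        FilterInvocationSecurityMetadataSource urlRules =
            ctx.getBeansOfType(FilterSecurityInterceptor.class).values().iterator().next()
               .getSecurityMetadataSource();
        for (Object bean : ctx.getBeansWithAnnotation(Controller.class).values()) {
            // @PreAuthorize wraps the controller in a proxy; read annotations from the target
            Class<?> type = AopUtils.getTargetClass(bean);
            RequestMapping onType = AnnotationUtils.findAnnotation(type, RequestMapping.class);
            String base = (onType != null && onType.value().length > 0) ? onType.value()[0] : "";
            for (Method m : type.getDeclaredMethods()) {
                RequestMapping onMethod = AnnotationUtils.findAnnotation(m, RequestMapping.class);
                if (onMethod == null) continue;
                String url = base + (onMethod.value().length > 0 ? onMethod.value()[0] : "");
                String http = onMethod.method().length > 0 ? onMethod.method()[0].name() : "GET";
                PreAuthorize pre = AnnotationUtils.findAnnotation(m, PreAuthorize.class);
                // Probe the URL rules exactly as the filter would for a real request;
                // {id}-style path variables get a constructed sample value ("1") so the
                // ant pattern can match. getAttributes() returns null when no rule matches.
                String probe = url.replaceAll("\\{[^/]+\\}", "1");
                Collection<ConfigAttribute> attrs = urlRules.getAttributes(new FilterInvocation(probe, http));
                rows.add(url + ";" + http + ";"
                        + (attrs == null ? "(no intercept-url rule)" : attrs.toString()) + ";"
                        + (pre == null ? "(no @PreAuthorize)" : pre.value()));
            }
        }
        return rows;
    }
}
```

A row reading "(no intercept-url rule)" next to "(no @PreAuthorize)" is the case worth reviewing first, since nothing in either layer restricts that handler.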