5

I am applying Spring Security on my JSP page. I need to show different parts of the page to users with different roles; all the roles are as follows.

All authenticated users >> Edit and Add New

Admin > Delete and Edit and Add New

Anonymous > Add New

<sec:authorize access="isAuthenticated()">
    Code of add new and edit buttons
</sec:authorize>

<sec:authorize access="hasAnyRole('ADMIN')">
    Code to add new, edit and delete buttons
</sec:authorize>

<sec:authorize access="isAnonymous()">
    Code to add new
</sec:authorize>

I am wondering if there is an easier method. In this case, if I want to modify the access of a specific role, I have to change its access rules in the security.xml file and every page where I have set the role access.

For example, let's say I want to disable the Admin role from accessing the delete button; then I have to change the code of security.xml and all the JSP pages where the Admin role was authenticated to view the delete button.

Is there an easier method to do it?

J888
  • In a component-based framework you could divide the page into multiple components and define the access for each of them in the Java code part, for example JSF, Tapestry. – jmj Jun 04 '13 at 00:17

4 Answers

2

I don't think there is a built-in solution for this. You could set up a fine-grained role system, assigning, say, an edit role, a delete role and so on. Then you can assign these roles more freely. If you want to keep it easy for the user (like still only showing admin and user roles) you might have to mask the actual roles behind a mapping between the roles and the titles shown to users.

Another approach would be to set up global parameters for each action (edit, delete, etc.) in which you specify the roles that shall be allowed for the action. This way you wouldn't hardcode the roles into your application but map them through the global parameters.

Looking forward to seeing if someone else comes up with a better idea.

Edit to specify the approach of mapping by global parameters (refined, the mapping would be stored in a DB, but that is moving from an ad hoc solution to implementing an ACL):

With global parameters I just meant something like a rightsMapping.properties. In this file you would map something like this:

# one key per action, listing the roles allowed to perform it
right.edit=ROLE_USER, ROLE_ADMIN
right.delete=ROLE_ADMIN
etc...

After that you can just insert the rights into the JSF pages using something like this:

<f:loadBundle basename="rightsMapping" var="rights"/>
....
<!-- hasRole() stands for a bean method that checks the current user's authorities -->
<h:commandButton value="Edit" .... rendered="#{hasRole(rights['right.edit'])}"/>

This is a pretty easy hands-on solution which can be refined by using, for example, a mappings table in the DB, a bean evaluating access rights, etc. But the basic idea of mapping the fine-grained rights to the roles stays the same.

Carsten
2

There can be a solution using a set of rights, which can be contained in the role object as a collection.

After this implementation you can check the right permission for showing buttons, and if you want to change anything in your security architecture, you can easily manage this by granting or revoking rights from the related role.

An example of this can be seen in the link below.

http://en.tekstenuitleg.net/blog/spring-security-with-roles-and-rights

talipkorkmaz
  • It seems I should have different JSP files for each role, then find out their role in the back-end and display the JSP page that is associated with that role. Am I correct? – J888 May 26 '13 at 23:38
  • No, not like that. You should define your roles as rights, and your user domain class should contain a collection of rights. If you specify your roles' definitions as rights, you can just check in the JSPs the related options with – talipkorkmaz May 27 '13 at 07:18
  • This is method security, but I need to know how not to show a button on a JSP page if the user is not authorized. – J888 May 28 '13 at 01:16
  • I do something similar to this. What Spring calls a role is actually a right in your db. So in your case, you would use `hasAnyRole(["new","edit","delete"])` in your tag. Roles would group these rights within your app. An admin user (assigned the admin role) might have all 3 of these rights, but an editor user (assigned the editor role) might have only the edit right. Spring would know nothing about your roles, only the rights for that user, which Spring refers to as roles. It all comes down to the fact that Spring does not support hierarchical permissions management (and probably shouldn't). – Luke Jun 03 '13 at 17:23
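Combining Carsten's properties-file mapping with Luke's point that Spring only ever sees "rights": an added example (not code from the question or any answer) that expands a user's roles into fine-grained rights once, at login, so pages ask for a right and never for a role. It assumes Spring Security 3.2 or later (for GrantedAuthoritiesMapper and hasAuthority()), Java 8, and a rightsMapping.properties on the classpath; the class name and the RIGHT_ prefix are my own choices.

```java
// Added example (not code from any answer on this page): a GrantedAuthoritiesMapper
// that expands coarse roles into fine-grained rights at login, read from a
// rightsMapping.properties in Carsten's format, e.g.
//   right.edit=ROLE_USER, ROLE_ADMIN
//   right.delete=ROLE_ADMIN
// Assumes Spring Security 3.2+ (GrantedAuthoritiesMapper, hasAuthority()) and Java 8.
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

public class RightsMappingAuthoritiesMapper implements GrantedAuthoritiesMapper {
    // role -> rights granted to it, e.g. ROLE_ADMIN -> {RIGHT_EDIT, RIGHT_DELETE}
    private final Map<String, Set<String>> rightsByRole = new HashMap<>();

    public RightsMappingAuthoritiesMapper(String resourceName) throws IOException {
        Properties props = new Properties();
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(resourceName)) {
            if (in == null) throw new IOException("missing classpath resource " + resourceName);
            props.load(in);
        }
        for (String key : props.stringPropertyNames()) {
            if (!key.startsWith("right.")) continue;           // ignore unrelated keys
            String right = "RIGHT_" + key.substring(6).toUpperCase(Locale.ROOT);
            for (String role : props.getProperty(key).split(",")) {
                rightsByRole.computeIfAbsent(role.trim(), r -> new HashSet<>()).add(right);
            }
        }
    }

    // Invoked by the authentication provider after the user's roles are loaded: the
    // original roles are kept and every right mapped to any of them is added.
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new LinkedHashSet<>(authorities);
        for (GrantedAuthority granted : authorities) {
            Set<String> rights = rightsByRole.getOrDefault(granted.getAuthority(), Collections.emptySet());
            for (String right : rights) {
                mapped.add(new SimpleGrantedAuthority(right));
            }
        }
        return mapped;
    }
}
```

Set it as the authoritiesMapper property of your DaoAuthenticationProvider bean; the JSP pages then use <sec:authorize access="hasAuthority('RIGHT_DELETE')"> and a role's rights change in the one properties file without touching any page.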
1

I suppose that you have the same rights for Edit buttons everywhere in your app. In this case you can extract the authorization code into a custom tag (I recommend JSP tag files). For each edit button you will use your custom tag:

<customtags:hasEditPermission>
    Edit button code goes here
</customtags:hasEditPermission>

All permissions will be declared once in your hasEditPermission.tag:

<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<%@taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<sec:authorize access="hasAnyRole('ADMIN')">
    <jsp:doBody/>
</sec:authorize>

So in the case of a new POWER_USER role you need to modify just one file:

<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<%@taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<sec:authorize access="hasAnyRole('ADMIN', 'POWER_USER')">
    <jsp:doBody/>
</sec:authorize>

You can prepare and use tags for "Add new" and "Delete" buttons too. Hope this helps.

Maksym Demidas
0

This is probably what you are looking for, with sample code.

In your case, you would have BF_ADD_XXX, BF_EDIT_XXX and BF_DELETE_XXX etc.

This allows you to grant/revoke particular permissions (or BFs or business functions or whatever you want to call them) to/from particular roles.

Jukka