9

I have a role convention mechanism in my application for which each role follows a syntax:

APP_DEPARTMENT1_USER
APP_DEPARTMENT1_AUDITOR
APP_DEPARTMENT1_WHATEVER
APP_DEPARTMENT2_...

I want to configure Spring security in order to allow all roles that match a given suffix to be granted access to a section of my web application. I blindly tried <intercept-url pattern="/secure/audit/**" access="APP_*_AUDITOR,APP_ADMINISTRATOR" /> (where APP_ADMINISTRATOR is my default administrator role) but it didn't work. When I log in as administrator I can access the page, but when I try to log in with a profile with the APP_DEPARTMENT1_AUDITOR I can't obtain access to the page.

I think wildcard expressions are not supported, and I don't believe Spring EL expressions could be of help (or I just don't master them enough).

Is there any way I can configure a role pattern for Spring Security within <intercept-url> tag?

usr-local-ΕΨΗΕΛΩΝ
  • 26,101
  • 30
  • 154
  • 305

2 Answers2

6

One solution could be to use Spring Security's built-in support for role hierarchies, and specify a generic APP_AUDITOR role that "includes" auditor roles of the individual departments.

An alternative would be to create your own improved role voter that can work with patterns, because the existing implementation only performs a simple equality test. Based on this existing class, it should be easy to do some pattern matching instead. Once you have that in place, you can wire up the custom voter with the security infrastructure this way:

<http access-decision-manager-ref="myAccessDecisionManager">
  ...
</http>

<bean id="myAccessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
  <constructor-arg name="decisionVoters">
      <list>
        <bean id="patternBasedRoleVoter" 
            class="com.example.PatternBasedRoleVoter"/>
        <bean id="authenticatedVoter"
            class="org.springframework.security.access.vote.AuthenticatedVoter"/>            
      </list>
  </constructor-arg>
</bean>
zagyi
  • 17,223
  • 4
  • 51
  • 48
4

As an option you can switch your conf to use web security expressions and then introduce your custom web security expression that will be able to handle regex input. Switching to security expressions:

<http use-expressions="true">
    <intercept-url pattern="/secure/audit/**" access="
        hasRole('APP_DEPARTMENT1_AUDITOR') 
        and hasRole('APP_DEPARTMENT2_AUDITOR') 
        or hasRole('APP_ADMINISTRATOR')" />

Introducing your custom hasRegexRole('regex_input') web security expression as described here:

<http use-expressions="true">
    <intercept-url pattern="/secure/audit/**" access="
        hasRegexRole('APP_*_AUDITOR') 
        or hasRole('APP_ADMINISTRATOR')" />

You can use the source code of org.springframework.security.access.expression.SecurityExpressionRoot.hasRole(String role) method to see how you can get authorities. Then you need apply regex pattern matching and that's all. Hope this helps.

Community
  • 1
  • 1
Maksym Demidas
  • 7,707
  • 1
  • 29
  • 36