2

Greetings all, I am using Spring Security 3.0.2 and I want, after login, to get the user's authorities and add another role to him so he can access some page that requires the new role. How do I do so?

Mahmoud Saleh

4 Answers

2

I played around with the method in here:

User Granted Authorities are always : ROLE_ANONYMOUS?

and it did the trick.

Community
Mahmoud Saleh
0

You have to create your authentication provider loading the authorities data from a database. In this Stack Overflow question you can see the way to do it. Whenever you need to change the user authorities you'll only have to change the data in the database.

Community
Javi
0

@Javi: I didn't know how to comment on your answer, so I had to create a new one.

The problem with your solution would be that the user has to log out and re-login to get the new role. I think what sword101 is trying to accomplish is to dynamically add a new role to a user without needing to re-login.

This is however an issue I'm looking into as well and didn't find a suitable solution so far.

I tried to implement it with a flag within my (custom) UserDetails object. This flag is read by the voter and voted accordingly. But this didn't really work out as intended. But I may look into that again to see what went wrong.

Robert M.
0

Just stumbled upon this and will answer it, even though it's a bit old.

A clean way to do this would be to retrieve the user's Authentication object (along with its authorities) and construct a new Authentication object. This can then be set back into the context like so:

```java
// Current authentication of the user making this request
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

// Copy the existing authorities and append the new role
List<GrantedAuthority> combinedAuthorities = new ArrayList<>();
combinedAuthorities.addAll(authentication.getAuthorities());
combinedAuthorities.add(new SimpleGrantedAuthority("BRAND_NEW_ROLE"));

// Build a replacement token with the combined authorities and put it back into the context
UsernamePasswordAuthenticationToken newAuthenticationWithAddedRole = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), combinedAuthorities);
SecurityContextHolder.getContext().setAuthentication(newAuthenticationWithAddedRole);
```

(written like this for clarity, could be shortened).

Now obviously this only works within the context of a request made by the user (otherwise SecurityContextHolder.getContext() won't get the right Authentication), but I am assuming this is no problem, since this is done as part of the login triggered by the user.

I used the simple UsernamePasswordAuthenticationToken in this example, but there are other default implementations from Spring of course. You should probably use the same implementation your code is already using at the moment. But in my experience you usually end up writing your own Implementation for the "Authentication" interface anyway, so hopefully it's not a problem.

Mario B
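A fuller version of the approach in the last answer, as an added example that is not part of the original answers or of Spring's own code: it refuses to elevate a missing, unauthenticated or anonymous context, only grants roles from an allowlist, and carries over the request details that the new token would otherwise lose. `SessionRoleGranter`, `grant` and the allowlist contents are hypothetical names, and the code assumes Spring Security 3.1 or later, where `SimpleGrantedAuthority` exists.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper for illustration; not part of Spring Security.
public final class SessionRoleGranter {
    // Constructed allowlist: only these roles may ever be added at runtime.
    private static final Set<String> GRANTABLE =
            new HashSet<String>(Arrays.asList("BRAND_NEW_ROLE"));

    public static Authentication grant(String role) {
        if (!GRANTABLE.contains(role)) {
            throw new IllegalArgumentException("Role is not grantable at runtime: " + role);
        }
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Never elevate a missing, unauthenticated or anonymous principal.
        if (current == null || !current.isAuthenticated()
                || current instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("No authenticated user to grant " + role + " to");
        }
        List<GrantedAuthority> combined =
                new ArrayList<GrantedAuthority>(current.getAuthorities());
        for (GrantedAuthority held : combined) {
            if (role.equals(held.getAuthority())) {
                return current; // already held, leave the context untouched
            }
        }
        combined.add(new SimpleGrantedAuthority(role));

        UsernamePasswordAuthenticationToken elevated = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), combined);
        // The three-argument constructor does not copy details (e.g. remote address).
        elevated.setDetails(current.getDetails());
        SecurityContextHolder.getContext().setAuthentication(elevated);
        return elevated;
    }
}
```

The role is added only to the in-memory Authentication; the user store is unchanged, so a fresh login yields the original authorities.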