4

Spring Security ACL plugin for grails by default uses the BasePermission class with 4 basic permissions. And uses DefaultFactory to assign this permissions. And AclPermissionEvaluator where this DefaultFactory is assigned.

When use this approach all is fine. I can use

    @PreAuthorize("hasPermission(#report, read)")

Here I provided one of the basic permissions called READ which is defined in BasePermission class.

What I need is my own custom permissions. I've done:

     public class MyPermission extends AbstractPermission{

        public static final Permission APPROVE= new MyPermission(1 << 0, 'a');

        //constructors here..  
     }

1) How correctly assign my custom permission to use it like I used permissions from BasePermission? 2)Should I define my CustomFactory or its possible to use DefaultFactory? 3)If yes, how to set it to existing permission evaluator?

Also another open question. I've played around with subclass of BasePermission, but in that case I should use

    @PreAuthorize("hasPermission(#report, 'approve')")

instead of just

    @PreAuthorize("hasPermission(#report, approve)")

4)Why in case of no single quotes I got the error?

     Class:org.springframework.expression.spel.SpelEvaluationException
     Message:EL1008E:(pos 28): Field or property 'approve' cannot be found on object of type 'org.springframework.security.access.expression.method.MethodSecurityExpressionRoot'

Thanks in advance!

muffin
  • 45
  • 5

1 Answers1

3

You're better off extending org.springframework.security.acls.domain.BasePermission since that way you have all the standard permissions plus yours:

package com.mycompany.myapp.MyPermission;

public class MyPermission extends BasePermission {

   public static final Permission APPROVE = new MyPermission(1 << 5, 'V'); // 32

   protected MyPermission(int mask) {
      super(mask);
   }

   protected MyPermission(int mask, char code) {
      super(mask, code);
   }
}

You need to register it with the permission factory to make it available in expressions; override the aclPermissionFactory bean in grails-app/conf/spring/resources.groovy, passing your class as the constructor argument:

import org.springframework.security.acls.domain.DefaultPermissionFactory
import com.mycompany.myapp.MyPermission

beans = {
   aclPermissionFactory(DefaultPermissionFactory, MyPermission)
}

The reason it works unquoted with standard permissions is that MethodSecurityExpressionRoot has constants for the standard permissions:

public final String read = "read";
public final String write = "write";
public final String create = "create";
public final String delete = "delete";
public final String admin = "administration";

but there isn't one for yours, so you need to quote it to force a lookup in your permission class.

Burt Beckwith
  • 75,342
  • 5
  • 143
  • 156
  • Thanks for you answer! It helpful. But may clarify, where is correct to override the `aclPermissionFactory` bean? Directly in plugin in `SpringSecurityAclGrailsPlugin.groovy`? Because, by default all plugins stored in `%USER_HOME%/...` and that means if somebody else checkout this project he will get default configuration. – muffin Feb 15 '12 at 18:08
  • No - avoid editing plugin code. Do this in grails-app/conf/spring/resources.groovy - I edited the answer to clarify this. – Burt Beckwith Feb 15 '12 at 18:25
  • Is there a way to extend MethodSecurityExpressionRoot so I don't have to use the quotes? I do not like that it is not consistent and you have to know that some permissions need quotes and some don't – Matt N Nov 29 '12 at 21:19