Login/Register
How to create custom methods for use in spring security expression language annotations
Asked Answered
Solved javaspringspring-security
C

3

99

I would like to create a class that adds custom methods for use in spring security expression language for method-based authorization via annotations.

For example, I would like to create a custom method like 'customMethodReturningBoolean' to be used somehow like this:

  @PreAuthorize("customMethodReturningBoolean()")
  public void myMethodToSecure() { 
    // whatever
  }

My question is this. If it is possible, what class should I subclass to create my custom methods, how would I go about configuring it in the spring xml configuration files and come someone give me an example of a custom method used in this way?

Convene answered 9/7, 2011 at 5:33 Comment(1)
I don't have time to type an answer right now but I followed this guide and it worked brilliantly: baeldung.com/… I'm using Spring Security 5.1.1.Sen
C
36

You'll need to subclass two classes.

First, set a new method expression handler

<global-method-security>
  <expression-handler ref="myMethodSecurityExpressionHandler"/>
</global-method-security>

myMethodSecurityExpressionHandler will be a subclass of DefaultMethodSecurityExpressionHandler which overrides createEvaluationContext(), setting a subclass of MethodSecurityExpressionRoot on the MethodSecurityEvaluationContext.

For example:

@Override
public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
    MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(auth, mi, parameterNameDiscoverer);
    MethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(auth);
    root.setTrustResolver(trustResolver);
    root.setPermissionEvaluator(permissionEvaluator);
    root.setRoleHierarchy(roleHierarchy);
    ctx.setRootObject(root);

    return ctx;
}
Caprifoliaceous answered 9/7, 2011 at 11:24 Comment(3)
Hmm, sounds like a good idea, but all of the properties of DefaultMethodSecurityExpressionHandler are private without accessors, so I was curious how you extended the class without any ugly reflection. Thanks.Merca
You mean trustResolver, etc? Those all have setters in DefaultMethodSecurityExpressionHandler (at least in Spring Security 3.0) See: static.springsource.org/spring-security/site/apidocs/org/…Caprifoliaceous
@ericacm How do you get around MethodSecurityExpressionRoot being package-private?Jook
A
186

None of the mentioned techniques will work anymore. It seems as though Spring has gone through great lengths to prevent users from overriding the SecurityExpressionRoot.

EDIT 11/19/14 Setup Spring to use security annotations:

<beans ... xmlns:sec="http://www.springframework.org/schema/security" ... >
...
<sec:global-method-security pre-post-annotations="enabled" />

Create a bean like this:

@Component("mySecurityService")
public class MySecurityService {
    public boolean hasPermission(String key) {
        return true;
    }
}

Then do something like this in your jsp:

<sec:authorize access="@mySecurityService.hasPermission('special')">
    <input type="button" value="Special Button" />
</sec:authorize>

Or annotate a method:

@PreAuthorize("@mySecurityService.hasPermission('special')")
public void doSpecialStuff() { ... }

Additionally, you may use Spring Expression Language in your @PreAuthorize annotations to access the current authentication as well as method arguments.

For example:

@Component("mySecurityService")
public class MySecurityService {
    public boolean hasPermission(Authentication authentication, String foo) { ... }
}

Then update your @PreAuthorize to match the new method signature:

@PreAuthorize("@mySecurityService.hasPermission(authentication, #foo)")
public void doSpecialStuff(String foo) { ... }
Abuttal answered 15/2, 2013 at 22:5 Comment(18)
Any way to give MySecurityService a handle on an existing Authentication object?Nnw
@Nnw in your hasPermission method, you can use Authentication auth = SecurityContextHolder.getContext().getAuthentication(); to get the current authentication token.Abuttal
Thanks James for your answer. Do I have to define mySecurityService in spring config file?Forelady
And is @PreAuthorize a custom annotation?Forelady
You don't need to define mySecurityService in any XML file if you have a component-scan setup for the package that the service is in. If you don't have a matching component-scan, then you must use an xml bean definition. @PreAuthorize comes from org.springframework.securityAbuttal
James, simply great bro !! But id doesn't worked for me. I created a bean as component and trying to use in PreAuthorize via my component class.Ipomoea
You may need to specify the name of the bean to the annotation like this: @Component("mySecurityService") or use the @Named annotation.Abuttal
@James Watkins : I have used @PreAuthorize example shown above but hasPermission method of MySecurityService is not getting called. In xml I have defined global security pre-post annotation enabled as well. Code is something like : @RequestMapping...then @PreAuthorize...then method. Method is working fine but @PreAuthorize is having no impact.Topology
@Topology Please see the edit I made. You will need to configure spring to use these annotations. I'm surprised nobody else complained about this important missing detail :)Abuttal
@James Watkins : Yes, I googled it and found solution. But thanks for your effort. This solution is very clean and easy to understand. It saved my lot of time.Topology
@James Watkins : I am getting : org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'mySecurityService' is definedKate
Incredibly simple and straightforward solution! You saved me a lot of time and for that I thank you!Nowise
Spent a while trying to get the custom expression root gunk to work. Your solution is far simpler to get to work thanks.Angelinaangeline
Is there any way I can make 'authentication' argument implicit?Sunbeam
@DhananjayK You may remove the argument and fetch the Authentication object statically. Caution: I'm not sure how this works if you are forking threads: Authentication auth = SecurityContextHolder.getContext().getAuthentication();Abuttal
@James Watkins Can I use mySecurityService on JSPs to hide or show links?Compressor
@Compressor Yes, using the spring security taglib docs.spring.io/spring-security/site/docs/3.1.x/reference/…Abuttal
@James Watkins I wrote a component as you suggested and calling it from JSP like this <sec:authorize access="@permisssionEvaluator.hasPermiss‌​ion('testPermi', ${session})">. But it is not worming any more. The only difference is my hasPermission accept one more object which is session.Compressor
C
36

You'll need to subclass two classes.

First, set a new method expression handler

<global-method-security>
  <expression-handler ref="myMethodSecurityExpressionHandler"/>
</global-method-security>

myMethodSecurityExpressionHandler will be a subclass of DefaultMethodSecurityExpressionHandler which overrides createEvaluationContext(), setting a subclass of MethodSecurityExpressionRoot on the MethodSecurityEvaluationContext.

For example:

@Override
public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
    MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(auth, mi, parameterNameDiscoverer);
    MethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(auth);
    root.setTrustResolver(trustResolver);
    root.setPermissionEvaluator(permissionEvaluator);
    root.setRoleHierarchy(roleHierarchy);
    ctx.setRootObject(root);

    return ctx;
}
Caprifoliaceous answered 9/7, 2011 at 11:24 Comment(3)
Hmm, sounds like a good idea, but all of the properties of DefaultMethodSecurityExpressionHandler are private without accessors, so I was curious how you extended the class without any ugly reflection. Thanks.Merca
You mean trustResolver, etc? Those all have setters in DefaultMethodSecurityExpressionHandler (at least in Spring Security 3.0) See: static.springsource.org/spring-security/site/apidocs/org/…Caprifoliaceous
@ericacm How do you get around MethodSecurityExpressionRoot being package-private?Jook
M
15

Thanks ericacm, but it does not work for a few reasons:

  • The properties of DefaultMethodSecurityExpressionHandler are private (reflection visibility kludges undesirable)
  • At least in my Eclipse, I can't resolve a MethodSecurityEvaluationContext object

The differences are that we call the existing createEvaluationContext method and then add our custom root object. Finally I just returned an StandardEvaluationContext object type since MethodSecurityEvaluationContext would not resolve in the compiler (they are both from the same interface). This is the code that I now have in production.

Make MethodSecurityExpressionHandler use our custom root:

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler  {

    // parent constructor
    public CustomMethodSecurityExpressionHandler() {
        super();
    }

    /**
     * Custom override to use {@link CustomSecurityExpressionRoot}
     * 
     * Uses a {@link MethodSecurityEvaluationContext} as the <tt>EvaluationContext</tt> implementation and
     * configures it with a {@link MethodSecurityExpressionRoot} instance as the expression root object.
     */
    @Override
    public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
        // due to private methods, call original method, then override it's root with ours
        StandardEvaluationContext ctx = (StandardEvaluationContext) super.createEvaluationContext(auth, mi);
        ctx.setRootObject( new CustomSecurityExpressionRoot(auth) );
        return ctx;
    }
}

This replaces the default root by extending SecurityExpressionRoot. Here I've renamed hasRole to hasEntitlement:

public class CustomSecurityExpressionRoot extends SecurityExpressionRoot  {

    // parent constructor
    public CustomSecurityExpressionRoot(Authentication a) {
        super(a);
    }

    /**
     * Pass through to hasRole preserving Entitlement method naming convention
     * @param expression
     * @return boolean
     */
    public boolean hasEntitlement(String expression) {
        return hasRole(expression);
    }

}

Finally update securityContext.xml (and make sure it's referenced from your applcationContext.xml):

<!-- setup method level security using annotations -->
<security:global-method-security
        jsr250-annotations="disabled"
        secured-annotations="disabled"
        pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

<!--<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">-->
<bean id="expressionHandler" class="com.yourSite.security.CustomMethodSecurityExpressionHandler" />

Note: the @Secured annotation will not accept this override as it runs through a different validation handler. So, in the above xml I disabled them to prevent later confusion.

Merca answered 23/8, 2011 at 19:59 Comment(1)
thanks. great help for me but by the new changes in spring security, you can not override createEvaluationContext but you have to override createEvaluationContextInternal and also createSecurityExpressionRoot.Tamishatamma

© 2022 - 2024 — McMap. All rights reserved.