I have configured ACL in my Spring Boot application. The ACL configuration is as follows:

@Configuration
@ComponentScan(basePackages = "com.company")
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ACLConfigration extends GlobalMethodSecurityConfiguration {

    @Autowired
    DataSource dataSource;

    @Bean
    public EhCacheBasedAclCache aclCache() {
        return new EhCacheBasedAclCache(aclEhCacheFactoryBean().getObject(), permissionGrantingStrategy(), aclAuthorizationStrategy());
    }

    @Bean
    public EhCacheFactoryBean aclEhCacheFactoryBean() {
        EhCacheFactoryBean ehCacheFactoryBean = new EhCacheFactoryBean();
        ehCacheFactoryBean.setCacheManager(aclCacheManager().getObject());
        ehCacheFactoryBean.setCacheName("aclCache");
        return ehCacheFactoryBean;
    }

    @Bean
    public EhCacheManagerFactoryBean aclCacheManager() {
        return new EhCacheManagerFactoryBean();
    }

    @Bean
    public DefaultPermissionGrantingStrategy permissionGrantingStrategy() {
        ConsoleAuditLogger consoleAuditLogger = new ConsoleAuditLogger();
        return new DefaultPermissionGrantingStrategy(consoleAuditLogger);
    }

    @Bean
    public AclAuthorizationStrategy aclAuthorizationStrategy() {
        return new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));
    }

    @Bean
    public LookupStrategy lookupStrategy() {
        return new BasicLookupStrategy(dataSource, aclCache(), aclAuthorizationStrategy(), new ConsoleAuditLogger());
    }

    @Bean
    public JdbcMutableAclService aclService() {
        return new JdbcMutableAclService(dataSource, lookupStrategy(), aclCache());
    }

    @Bean
    public DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() {
        return new DefaultMethodSecurityExpressionHandler();
    }

    @Override
    public MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = defaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
        expressionHandler.setPermissionCacheOptimizer(new AclPermissionCacheOptimizer(aclService()));
        return expressionHandler;
    }
}

References:

• SO Q1
• SO Q2

and the security configuration is as follows:

@Configuration
@EnableWebSecurity
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public AuthenticationEntryPoint entryPoint() {
        return new LoginUrlAuthenticationEntryPoint("/authenticate");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf()
                .disable()
                .authorizeRequests()
                .antMatchers("/authenticate/**").permitAll()
                .anyRequest().fullyAuthenticated()
                .and().requestCache().requestCache(new NullRequestCache())
                .and().addFilterBefore(authenticationFilter(), CustomUsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
    }

    @Bean
    public CustomUsernamePasswordAuthenticationFilter authenticationFilter()
            throws Exception {
        CustomUsernamePasswordAuthenticationFilter authenticationFilter = new CustomUsernamePasswordAuthenticationFilter();
        authenticationFilter.setUsernameParameter("username");
        authenticationFilter.setPasswordParameter("password");
        authenticationFilter.setFilterProcessesUrl("/authenticate");
        authenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
        authenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
        authenticationFilter.setAuthenticationManager(authenticationManagerBean());
        return authenticationFilter;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

My CustomAuthenticationProvider class:

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private UsersService usersService;

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {

        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        User user = usersService.findOne(username);

        if(user != null && usersService.comparePassword(user, password)){

            return new UsernamePasswordAuthenticationToken(
                    user.getUsername(),
                    user.getPassword(),
                    AuthorityUtils.commaSeparatedStringToAuthorityList(
                            user.getUserRoles().stream().collect(Collectors.joining(","))));
        } else {
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

Here's my CustomUsernamePasswordAuthenticationToken:

public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {

        if(!request.getMethod().equals("POST"))
            throw new AuthenticationServiceException(String.format("Authentication method not supported: %s", request.getMethod()));

        try {

            CustomUsernamePasswordAuthenticationForm form = new ObjectMapper().readValue(request.getReader(), CustomUsernamePasswordAuthenticationForm.class);

            String username = form.getUsername();
            String password = form.getPassword();

            if(username == null)
                username = "";

            if(password == null)
                password = "";

            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);

            setDetails(request, token);

            return getAuthenticationManager().authenticate(token);

        } catch (IOException exception) {
            throw new CustomAuthenticationException(exception);
        }
    }

    private class CustomAuthenticationException extends RuntimeException {
        private CustomAuthenticationException(Throwable throwable) {
            super(throwable);
        }
    }
}

Apart from the above, I have CustomAuthenticationFailureHandler, CustomAuthenticationSuccessHandler, CustomNoRedirectStrategy and CustomUsernamePasswordAuthenticationForm which I skipped for the sake of this question's length.

And I am using MySQL schema that can be found here.

I am adding entries to my acl related tables as follows:

INSERT INTO acl_class VALUES (1, com.company.project.domain.users.User)
INSERT INTO acl_sid VALUES (1, 1, "demo")

(I have a user with username demo)

INSERT INTO acl_object_identity VALUES (1, 1, 1, NULL, 1, 0)
INSERT INTO acl_entry VALUES (1, 1, 1, 1, 1, 1, 1, 1)

But all I am getting is:

Denying user demo permission 'READ' on object com.company.project.domain.users.User@4a49e9b4

in my

@PostFilter("hasPermission(filterObject, 'READ')")

I am suspecting of several issues here:

1. The hasPermission expression: I have substituted it with 'READ' and '1', but to no extent.
2. My database entries are not right
3. I am not implementing a custom permission evaluator. Is this required, or is expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService())); enough?

Update

Sample method where @PostFilter is used:

@RequestMapping(method = RequestMethod.GET)
    @PostFilter("hasPermission(filterObject, 'READ')")
    List<User> find(@Min(0) @RequestParam(value = "limit", required = false, defaultValue = "10") Integer limit,
                    @Min(0) @RequestParam(value = "page", required = false, defaultValue = "0") Integer page,
                    @RequestParam(value = "email", required = false) String email,
                    @RequestParam(value = "firstName", required = false) String firstName,
                    @RequestParam(value = "lastName", required = false) String lastName,
                    @RequestParam(value = "userRole", required = false) String userRole) {

        return usersService.find(
                limit,
                page,
                email,
                firstName,
                lastName,
                userRole);
    }

Update #2:

The question now reflects everything set up in regards to authentication/authorization/ACL.

Update #3:

I am now very close to resolve the issue, the only thing left is to resolve this:

https://stackoverflow.com/questions/42996579/custom-permissionevaluator-not-called-although-set-as-permissionevaluator-deny

If anyone could help me with that question, I can finally have a write up of what I have went through to resolve this.

Here's the long waited answer:

The documentation clearly describes:

To use hasPermission() expressions, you have to explicitly configure a PermissionEvaluator in your application context. This would look something like this:

so basically I was doing in my AclConfiguration which extends GlobalMethodSecurityConfiguration:

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
        expressionHandler.setPermissionCacheOptimizer(new AclPermissionCacheOptimizer(aclService()));
        return expressionHandler;
    }

Which was not getting processed by Spring!

I had to separate AclConfig and GlobalMethodSecurityConfiguration. When there are @Beans defined in the latter, the above method is not getting processed, which might be a bug (if not, any clarification on subject is welcome).

I upgraded my application to use Spring Security 4.2.1.RELEASE then afterwards I started to experience an unexpected access denied in all @PreAuthorize annotated methods, which was working just fine before the upgrade. I debugged the spring security code and I realized that the problem was that all roles to be checked were being prefixed with a default string "ROLE_" regardless of the fact that I had set my default prefix to empty, as shown in the code below.

auth.ldapAuthentication()
        .groupSearchBase(ldapProperties.getProperty("groupSearchBase"))
        .groupRoleAttribute(ldapProperties.getProperty("groupRoleAttribute"))
        .groupSearchFilter(ldapProperties.getProperty("groupSearchFilter"))

        //this call used to be plenty to override the default prefix
        .rolePrefix("")

        .userSearchBase(ldapProperties.getProperty("userSearchBase"))
        .userSearchFilter(ldapProperties.getProperty("userSearchFilter"))
        .contextSource(this.ldapContextSource);

All my controller methods were annotated with @PreAuthorize("hasRole('my_ldap_group_name')"), however, the framework was not taking my empty role prefix setting into account and thus it was using ROLE_my_ldap_group_name to check the actual role instead.

After I dug deep into the framework's code, I realized that the class org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler still had the default role prefix set to "ROLE_". I followed up the source of its value and I found out that it was first checking for a declared bean of the class org.springframework.security.config.core.GrantedAuthorityDefaults to look for a default prefix during first initialization of the bean org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer, however, as this initializer bean could not find it declared, it ended up using the aforementioned default prefix.

I believe this is not an expected behavior: Spring Security should have considered the same rolePrefix from ldapAuthentication, however, to solve this issue, it was necessary to add the bean org.springframework.security.config.core.GrantedAuthorityDefaults to my application context (I'm using annotation based configuration), as following:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class CesSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String ROLE_PREFIX = "";
    //... ommited code ...
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(ROLE_PREFIX);
    }

}

Maybe you're getting the same problem - I could see that you're using DefaultMethodSecurityExpressionHandler and it also uses the bean GrantedAuthorityDefaults, so if you're using the same Spring Security version as me - 4.2.1.RELEASE you are probably running into the same issue.

Here's the long waited answer:

The documentation clearly describes:

To use hasPermission() expressions, you have to explicitly configure a PermissionEvaluator in your application context. This would look something like this:

so basically I was doing in my AclConfiguration which extends GlobalMethodSecurityConfiguration:

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
        expressionHandler.setPermissionCacheOptimizer(new AclPermissionCacheOptimizer(aclService()));
        return expressionHandler;
    }

Which was not getting processed by Spring!

I had to separate AclConfig and GlobalMethodSecurityConfiguration. When there are @Beans defined in the latter, the above method is not getting processed, which might be a bug (if not, any clarification on subject is welcome).

Your data in the DB and your config looks good. I use @PostFilter("hasPermission(filterObject, 'READ')") all the time.

I'd check to make sure your user class that extends UserDetails is returning the same username via getUsername() you have in the db. Along with checking to make sure you security and app are in the same context.

the hasPermission method take an Authentication object as it's 1st param.

boolean hasPermission(Authentication authentication,
                      Object targetDomainObject,
                      Object permission)

The Authentication object is an implementing class, usually of UsernamePasswordAuthenticationToken. So the getPrincipal() method needs to return an object that has a getUserName() method that returns the same thing you have in your DB.

Take a look at PrincipalSid

public PrincipalSid(Authentication authentication) {
    Assert.notNull(authentication, "Authentication required");
    Assert.notNull(authentication.getPrincipal(), "Principal required");

    if (authentication.getPrincipal() instanceof UserDetails) {
        this.principal = ((UserDetails) authentication.getPrincipal()).getUsername();
    }
    else {
        this.principal = authentication.getPrincipal().toString();
    }
}

Obviously, AclPermissionEvaluator is not respected. The same issue occurred on my way, solved by 2 steps:

1. Created expression handler inside overridden method instead of injecting
2. WebSecurityConfig was created in the same class as GlobalMethodSecurityConfiguration, otherwise, GlobalMethodSecurityConfiguration will not work and will not override the handler.