How to configure Spring ACL without XML file

2

8

I am trying to add ACL capabilities to my server. I have configured spring security using java file and would like to add ACL in the same manner. How should I do it? All the tutorials I found used XML file.

SecurityInit:

@Order(1)
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}

SecurityConfig

@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Component
@ComponentScan(basePackages = {"test.package"})
public class SecurityConfig extends WebSecurityConfigurerAdapter {

...
    @Autowired
    protected void registerAuthentication(UserDetailsService userDetailsService, AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

//  https://mcmap.net/q/541308/-moving-spring-security-to-java-config-where-does-authentication-success-handler-ref-go
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .headers().disable()
                .addFilterBefore(...)
                .addFilterBefore(...)

//                TODO: create a better way to differentiate login to signup
                .exceptionHandling()
                    .authenticationEntryPoint(noRedirectForAnonymous)
                    .and()

                .formLogin()
                    .successHandler(restAuthenticationSuccessHandler)
                    .failureHandler(restAuthenticationFailureHandler)
                    .and()

                .logout()
                    .logoutSuccessHandler(noRedirectLogoutSuccessHandler)
                    .and()

                .authorizeRequests()
                    .antMatchers("/api/keywords/**").permitAll()
                    .antMatchers("/api/**").authenticated();
    }
}
Spelunker answered 10/10, 2014 at 5:20 Comment(0)
-6

There is no way to configure Spring ACL without an XML file. This is mentioned in the Spring docs themselves. Refer to the Spring documentation.

Educate answered 11/10, 2014 at 7:49 Comment(1)
This answer should be updated, because the answer from @Fiore proves this is not true anymore. His code also proves it. - Sunsunbaked
14

You can configure Spring ACL with a Java configuration class as follows:

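import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cache.ehcache.EhCacheFactoryBean;
import org.springframework.cache.ehcache.EhCacheManagerFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.EhCacheBasedAclCache;
import org.springframework.security.acls.jdbc.BasicLookupStrategy;
import org.springframework.security.acls.jdbc.JdbcMutableAclService;
import org.springframework.security.acls.jdbc.LookupStrategy;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
// AclMasterService is not a Spring Security class; import it from your own code base.

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ACLConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    DataSource dataSource;

    // The Ehcache factory beans are declared as @Bean methods so that the container
    // initializes them: getObject() on a factory bean that was created with "new" and
    // never initialized returns null, and EhCacheBasedAclCache rejects a null cache.
    @Bean
    EhCacheManagerFactoryBean aclCacheManager() {
        return new EhCacheManagerFactoryBean();
    }

    @Bean
    EhCacheFactoryBean aclEhCacheFactoryBean() {
        EhCacheFactoryBean factoryBean = new EhCacheFactoryBean();
        factoryBean.setName("aclCache");
        factoryBean.setCacheManager(aclCacheManager().getObject());
        return factoryBean;
    }

    // A single shared cache instance, used by both the lookup strategy and the ACL service.
    @Bean
    EhCacheBasedAclCache aclCache() {
        return new EhCacheBasedAclCache(aclEhCacheFactoryBean().getObject());
    }

    LookupStrategy lookupStrategy() {
        return new BasicLookupStrategy(dataSource, aclCache(), aclAuthorizationStrategy(), new ConsoleAuditLogger());
    }

    // Only ROLE_ACL_ADMIN may change ownership, auditing or other details of an ACL it does not own.
    AclAuthorizationStrategy aclAuthorizationStrategy() {
        return new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ACL_ADMIN"),
            new SimpleGrantedAuthority("ROLE_ACL_ADMIN"),
            new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));
    }

    @Bean
    JdbcMutableAclService aclService() {
        JdbcMutableAclService service = new JdbcMutableAclService(dataSource, lookupStrategy(), aclCache());
        // PostgreSQL-specific identity queries
        service.setClassIdentityQuery("select currval(pg_get_serial_sequence('acl_class', 'id'))");
        service.setSidIdentityQuery("select currval(pg_get_serial_sequence('acl_sid', 'id'))");
        return service;
    }

    @Bean
    AclMasterService masterService() {
        return new AclMasterService();
    }

    // Plugs the ACL permission evaluator into hasPermission(...) expressions.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
        return expressionHandler;
    }
}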

The important aspects of the configuration are to extend

GlobalMethodSecurityConfiguration

override the method

createExpressionHandler

and enable the Pre and Post annotations with the following annotation at the beginning of the class

@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)

Now you can use annotations like

@PreAuthorize("hasPermission(#object, 'read')")

See the Contact sample of Spring Security or the Spring Security reference guide for more uses of the @Pre and @Post annotations. This configuration class was tested on Spring 4, Spring Security 4.0.1 and Spring Security ACL 3.1.2. If you want to configure the authentication, you can use a different Java class or override the configure method from this one. If you already have a configured ehcache, this configuration might not work correctly, because ehcache is a singleton class and this configuration tries to create a new one.

Placement answered 31/8, 2015 at 12:34 Comment(2)
You don't have to extend the GlobalMethodSecurityConfiguration configuration. You just have to expose a @Bean of type DefaultMethodSecurityExpressionHandler and @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true). - Parapet
What version of EHCache do you use? This example does not compile for 2.10.4, 2.10.3, 2.10.2, didn't check others. - Insight
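
How the ACL service bean from the answer above is typically used, as an added example that is not part of the original answer or of Spring Security's samples: it grants READ on a single object and then protects a method with hasPermission. The names DocumentService, Document, grantRead and open are hypothetical.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class DocumentService { // hypothetical service, not from the answer

    // Hypothetical domain class; ACL lookups identify it by class name + getId().
    public static class Document {
        private final Long id;
        public Document(Long id) { this.id = id; }
        public Long getId() { return id; }
    }

    @Autowired
    private MutableAclService aclService; // the JdbcMutableAclService bean

    // JdbcMutableAclService needs an active transaction. The caller must be
    // authenticated: createAcl() records the current principal as owner, and
    // changing an existing ACL is limited to its owner, holders of an
    // ADMINISTRATION grant on it, or ROLE_ACL_ADMIN as configured above.
    @Transactional
    public void grantRead(Document doc, String username) {
        ObjectIdentity oid = new ObjectIdentityImpl(Document.class, doc.getId());
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid); // first grant for this object
        }
        // Append a granting ACE: username may READ this one document.
        acl.insertAce(acl.getEntries().size(), BasePermission.READ,
                new PrincipalSid(username), true);
        aclService.updateAcl(acl);
    }

    // Rejected with AccessDeniedException unless the caller's ACL grants READ on doc.
    @PreAuthorize("hasPermission(#doc, 'READ')")
    public Long open(Document doc) {
        return doc.getId();
    }
}
```

The #doc reference relies on parameter names being available at runtime, so compile with debug information or -parameters.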