How to dynamically decide access attribute value in Spring Security?

by

The FilterInvocationSecurityMetadataSourceParser class in Spring-security (try Ctrl/Cmd+Shift+T in STS with the source code) parses the intercept-url tags and creates instances of ExpressionBasedFilterInvocationSecurityMetadataSource, that extends DefaultFilterInvocationSecurityMetadataSource that implements FilterInvocationSecurityMetadataSource that extends SecurityMetadataSource.

What I did is to create a custom class that implements FilterInvocationSecurityMetadataSource, OptionsFromDataBaseFilterInvocationSecurityMetadataSource. I used DefaultFilterInvocationSecurityMetadataSource as base to use urlMatcher, to implement the support() method and something like that.

Then you must to implement these methods:

  • Collection getAttributes(Object object), where you can access to database, searching for the ‘object’ being secured (normally the URL to access) to obtain the allowed ConfigAttribute’s (normally the ROLE’s)

  • boolean supports(Class clazz)

  • Collection getAllConfigAttributes()

Be careful with the later, because it’s called at startup and maybe is not well configured at this time (I mean, with the datasources or persistence context autowired, depending on what are you using). The solution in a web environment is to configure the contextConfigLocation in the web.xml to load the applicationContext.xml before the applicationContext-security.xml

The final step is to customize the applicationContext-security.xml to load this bean.

For doing that, I used regular beans in this file instead of the security namespace:

    <beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/images/*" filters="none" />
        <filter-chain pattern="/resources/**" filters="none" />
        <filter-chain pattern="/**" filters="
        securityContextPersistenceFilter,
        logoutFilter,
        basicAuthenticationFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" 
    />
    </filter-chain-map>
</beans:bean>

You have to define all the related beans. For instance:

    <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
    <beans:property name="accessDecisionManager" ref="affirmativeBased"></beans:property>
    <beans:property name="securityMetadataSource" ref="optionsFromDataBaseFilterInvocationSecurityMetadataSource"></beans:property>
    <beans:property name="validateConfigAttributes" value="true"/></beans:bean>

I know that is not a well explained answer, but it’s not as difficult as it seems.

Just use the spring source as base and you will obtain what you want.

Debugging with the data in your database, will help you a lot.

More Related Contents:

  1. Spring boot Security Disable security
  2. What’s the difference between @Secured and @PreAuthorize in spring security 3?
  3. Java Spring Security config – multiple authentication providers
  4. Standalone Spring OAuth2 JWT Authorization Server + CORS
  5. Spring Security: how to exclude certain resources?
  6. Feign and Spring Security 5 – Client Credentials
  7. Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
  8. Multiple roles using @PreAuthorize
  9. Spring security 3.1.4 and ShaPasswordEncoder deprecation
  10. Multiple Authentication Providers in Spring Security
  11. CORS issue – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  12. How to manage exceptions thrown in filters in Spring?
  13. Spring Security 3 database authentication with Hibernate
  14. Restrict access to a specific controller by IP address in ASP.NET MVC Beta
  15. Disable Spring Security for OPTIONS Http Method
  16. Logging user activity in web app
  17. Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
  18. JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
  19. ASP.NET MVC – How to show unauthorized error on login page?
  20. Multiple WebSecurityConfigurerAdapters: JWT authentication and form login in spring security
  21. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  22. How to check “hasRole” in Java Code with Spring Security?
  23. How to set up Spring Security SecurityContextHolder strategy?
  24. How do I remove the ROLE_ prefix from Spring Security with JavaConfig?
  25. How to get custom user info from OAuth2 authorization server /user endpoint
  26. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  27. Should I explicitly send the Refresh Token to get a new Access Token – JWT
  28. Spring Security multiple url ruleset not working together
  29. What is the appropriate way to manage API secrets within a Google Apps script?
  30. Simple token based authentication/authorization in asp.net core for Mongodb datastore

Leave a Comment