Spring security group based authorization [closed]
Closed 4 years ago.
I intend to make a group-based permission scheme but I am confused about the following.
I have some questions:
- What is the best approach:
User > Group > Roles > Permissions
or User > Roles > Permissions?
- How to implement the security (login/remember me) in this case (I need a link to a good tutorial).
- The method-level security will use the annotation
@PreAuthorize hasPermission(#, '')
or hasRole or what?
- How will I hide components (administration for non-admins) in the UI depending on the permissions (UI is JSF)?
- If I hid components in the view, what would be the importance of method-level security then?
Designing a security model is not a simple task in itself, and without detailed knowledge of the domain you're trying to secure it's close to impossible. Having said that, any advice you can get here will be as general as your question is.
1) In most applications User -> Roles
is enough. In more complex ones User -> Roles -> Permissions
could be used, but it all depends on how you define the scope of each. Often fine-grained roles, with a couple of them assigned to the user, is just what you need. I'd say adding another level by putting Groups
in the middle is a bit too much. Imagine it as a file system: flat file systems exist and are far less complicated than it may seem. Take your time while deciding this, as it is one of the most important decisions and will have many implications that are not always easy to predict.
2) The authentication and remember-me mechanisms are already implemented in Spring Security; all you need to do is choose the implementation that best suits you and configure it using the security namespace support. Do take a look at the Petclinic example app, if you haven't already.
3) If you decide on using permissions, you should always check for permissions. Keep the grain level you chose. Be consistent. Always.
4) Depending on the view technology you use, the JSP taglib may come in handy (as mentioned by Ralph). There is no such thing for JSF, but it's relatively simple to write something similar.
5) As Ralph said, if you hide something it doesn't mean it doesn't exist any more; it can still be called by an unprivileged user.
Spring Security 4-SNAPSHOT
Authority Groups
http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#authority-groups
An alternative approach is to partition the authorities into groups and assign groups to the user.
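The "authority groups" the linked section describes are implemented by the JdbcDaoImpl user service that ships with Spring Security: with enableGroups set, a user's authorities are resolved through group membership instead of (or in addition to) per-user authority rows. The following is an added example, not code from the original page or from the Spring Security project. It assumes spring-jdbc, spring-security-core and the HSQLDB driver are on the classpath; the table names auth_group, auth_group_member and auth_group_authority are hypothetical (the reference manual's default schema uses groups, group_members and group_authorities with the same three-column shape), and the sample rows are constructed for the demo.

```java
import java.util.Collection;
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

/**
 * User -> Group -> Authority with Spring Security's own JdbcDaoImpl.
 * Example code for this Q&A page, not part of Spring Security itself.
 */
public class GroupAuthorityExample {

    /** Constructed sample schema and data in an in-memory HSQLDB (assumes the hsqldb jar). */
    public static DataSource constructedSampleDatabase() {
        DataSource ds = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.HSQL).build();
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        // The default users query expects exactly these three columns.
        jdbc.execute("create table users (username varchar(50) primary key,"
                + " password varchar(100) not null, enabled boolean not null)");
        // Hypothetical group tables; the manual's default names are groups, group_members, group_authorities.
        jdbc.execute("create table auth_group (id bigint primary key, group_name varchar(50) not null)");
        jdbc.execute("create table auth_group_authority (group_id bigint not null, authority varchar(50) not null)");
        jdbc.execute("create table auth_group_member (username varchar(50) not null, group_id bigint not null)");
        // One user in two groups; note there is no per-user authorities table at all.
        jdbc.update("insert into users values ('carol', 'not-a-real-hash', true)");
        jdbc.update("insert into auth_group values (1, 'helpdesk')");
        jdbc.update("insert into auth_group values (2, 'billing')");
        jdbc.update("insert into auth_group_authority values (1, 'ORDER_READ_ANY')");
        jdbc.update("insert into auth_group_authority values (2, 'INVOICE_ISSUE')");
        jdbc.update("insert into auth_group_authority values (2, 'ORDER_READ_ANY')");
        jdbc.update("insert into auth_group_member values ('carol', 1)");
        jdbc.update("insert into auth_group_member values ('carol', 2)");
        return ds;
    }

    /**
     * A UserDetailsService whose authorities come only from group membership.
     * The group query must return (group id, group name, authority), in that column order,
     * because JdbcDaoImpl reads the authority from the third column.
     */
    public static JdbcDaoImpl groupBackedUserService(DataSource ds) throws Exception {
        JdbcDaoImpl dao = new JdbcDaoImpl();
        dao.setDataSource(ds);
        dao.setEnableGroups(true);       // resolve authorities through groups
        dao.setEnableAuthorities(false); // ignore the per-user authorities table entirely
        dao.setGroupAuthoritiesByUsernameQuery(
                "select g.id, g.group_name, ga.authority"
              + " from auth_group g, auth_group_member gm, auth_group_authority ga"
              + " where gm.username = ? and g.id = gm.group_id and g.id = ga.group_id");
        dao.afterPropertiesSet(); // fails fast if neither authority source is enabled
        return dao;
    }

    public static void main(String[] args) throws Exception {
        JdbcDaoImpl uds = groupBackedUserService(constructedSampleDatabase());
        Collection<? extends GrantedAuthority> auths = uds.loadUserByUsername("carol").getAuthorities();
        // ORDER_READ_ANY is granted by both groups but JdbcDaoImpl collects authorities into a Set,
        // so carol ends up with exactly ORDER_READ_ANY and INVOICE_ISSUE.
        System.out.println(auths);
    }
}
```

The namespace equivalent is a jdbc-user-service element with a group-authorities-by-username-query attribute; the point either way is that the group layer lives entirely in the data model, and the rest of the application (hasRole/hasAuthority checks, taglibs, method security) still sees a flat list of GrantedAuthority values.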
5) Even if you hide some function in the GUI, a malignant user could send a faked HTTP request that invokes your function.
4) For JSP there is the Spring Security tag lib; maybe there is something similar for JSF.
3) Depends on your implementation of the Role-Permission assignment.
2) Authentication and remember-me are independent of whether you use groups or not.
1) Depends on your needs. Groups make it more difficult, so I would start with User-Role-Permission and add groups later, when I really need them. Spring comes with an out-of-the-box solution to assign Users to Privileges. Adding Roles is easy. But if you start with Groups you have to implement it yourself.
I strongly recommend reading the Spring Security docs. Either you do it the way recommended by Spring Security, "Suggested Steps for Getting Started with Spring Security", or you read the (very good) book "Spring Security 3" (written by some of the authors of the framework).
If you follow the tutorial you will find how to do a simple login and remember-me.
To distinguish roles and authorities you have two choices:
- There is an integrated solution in Spring 3 (you have to search for it yourself; I don't use it).
- You can implement your own authorization provider that adds the authorities from the already assigned roles.
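Both the first answer (point 1, User -> Roles -> Permissions, and point 5, hidden UI components are still callable) and this answer's second option (a provider that derives authorities from the assigned roles) come down to the same thing: flatten the role-to-permission mapping into GrantedAuthority values once, at login, and then check those permissions at the service method, not in the view. The code below is an added example for this page, not code from either answer or from the Spring Security project. The role names, permission strings, Account/Role classes and OrderService are hypothetical; it assumes Spring Security 3.2 or later for hasAuthority(), method security enabled via global-method-security pre-post-annotations="enabled" (or @EnableGlobalMethodSecurity(prePostEnabled = true)), and parameter names available at runtime for the #owner reference.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical User -> Roles -> Permissions model, flattened for Spring Security. */
public class RolePermissionExample {

    /** A role is a named bundle of permission strings (hypothetical names). */
    public static final class Role {
        final String name;
        final Set<String> permissions;
        Role(String name, String... permissions) {
            this.name = name;
            this.permissions = new LinkedHashSet<String>(Arrays.asList(permissions));
        }
    }

    /** Account record; a real application would load this from a repository. */
    public static final class Account {
        final String username;
        final String password; // a hash in real code; placeholder here
        final Set<Role> roles;
        Account(String username, String password, Role... roles) {
            this.username = username;
            this.password = password;
            this.roles = new LinkedHashSet<Role>(Arrays.asList(roles));
        }
    }

    /**
     * Spring Security only understands GrantedAuthority strings, so roles are expanded here.
     * ROLE_* entries keep hasRole() usable for coarse checks; the permission entries are
     * what the method-level checks below look for.
     */
    public static Collection<GrantedAuthority> authoritiesFor(Account account) {
        Set<GrantedAuthority> out = new LinkedHashSet<GrantedAuthority>();
        for (Role role : account.roles) {
            out.add(new SimpleGrantedAuthority("ROLE_" + role.name));
            for (String permission : role.permissions) {
                out.add(new SimpleGrantedAuthority(permission));
            }
        }
        return out;
    }

    /** Wire this as the user-service of the authentication provider; login and remember-me stay as configured. */
    public static final class AccountUserDetailsService implements UserDetailsService {
        private final Map<String, Account> accounts = new HashMap<String, Account>();

        public AccountUserDetailsService(Account... seed) {
            for (Account a : seed) {
                accounts.put(a.username, a);
            }
        }

        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            Account account = accounts.get(username);
            if (account == null) {
                throw new UsernameNotFoundException("No account: " + username);
            }
            return new User(account.username, account.password, authoritiesFor(account));
        }
    }

    /** These checks run regardless of what the JSF view rendered, which is why hiding a button is not enough. */
    public static class OrderService {
        @PreAuthorize("hasAuthority('ORDER_CANCEL')")
        public void cancelOrder(long orderId) {
            // cancellation logic would go here
        }

        // Owner may read their own order; ORDER_READ_ANY may read everyone's.
        @PreAuthorize("hasAuthority('ORDER_READ_ANY') or (hasAuthority('ORDER_READ') and #owner == authentication.name)")
        public String viewOrder(long orderId, String owner) {
            return "order " + orderId + " of " + owner;
        }
    }

    public static void main(String[] args) {
        Role support = new Role("SUPPORT", "ORDER_READ", "ORDER_READ_ANY");
        Role customer = new Role("CUSTOMER", "ORDER_READ", "ORDER_CANCEL");
        AccountUserDetailsService uds = new AccountUserDetailsService(
                new Account("alice", "not-a-real-hash", customer),
                new Account("bob", "not-a-real-hash", support, customer));
        // bob: [ROLE_SUPPORT, ORDER_READ, ORDER_READ_ANY, ROLE_CUSTOMER, ORDER_CANCEL]
        System.out.println(uds.loadUserByUsername("bob").getAuthorities());
    }
}
```

The view layer can use the same authority strings to decide what to render, but the @PreAuthorize expressions are the actual control: a request crafted by hand for cancelOrder still hits the interceptor and is rejected for a user without ORDER_CANCEL.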