In a web project we have a simple file browser. For security we need some kind of mapping what user roles can read (R) or read+write (RW) in which directories (including their subdirectories).
examples:
UserA with roleA can view files in folderA/
UserB with roleB view and edit files in folderA/ and also view folderB/
Some of the used technologies in the project so far:
I've been looking further into Spring Security, but am not sure if I can use a GrantedAuthority implementation (permissions) for my use case.
So my question is if anybody has experience with Spring Security and can point me in the right way. If it's not possible with Spring Security, other library proposals are also appreciated, but I ofcourse prefer using a library that is already being used.
It is possible with Spring Security with some custom code. Annotate your service layer to something like:
@PostAuthorize("hasPermission(returnObject, 'READ')")
public FileObject readFileObject(String path) {
// return the file object from DAO
}
@PreAuthorize("hasPermission(#fileObj, 'WRITE')")
public void writeFileObject(FileObject fileObj) {
// write the file object, security check made at this point
}
Implement the PermissionEvaluator interface, make it a Spring bean. Then enable it in security config with:
@Autowired
private PermissionEvaluator permissionEvaluator;
@Bean
public DefaultMethodSecurityExpressionHandler expressionHandler() {
DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
handler.setPermissionEvaluator(permissionEvaluator);
return handler;
}
And:
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>