Spring Security: custom authorities by operation

Question

I need to make a legacy application start using spring security 3.

This app already has its security data model with:

Very simple by far. I can write my custom usersByUsernameQuery and authoritiesByUsernameQuery.

The thing is that there is another table indicating the operation (i.e. @Service layer method) that a Role can execute:

So the administrator can enable/disable a role from accessing an operation through a web interface, without redeploying the app.

I still can annotate the business methods with @Secure('ROLE_ADMIN') for example, but my custom UserDetailsService must know at least the method name that is being secured, so I can perform the right query.

So, the question is: is there a way that my custom UserDetailsService can intercept the method's name that is being secured?

Answer 1

It sounds like your access-decision is based on the "operation role", rather than the user roles, so it might be better to use the "operational role" directly in the Spring Security constraints. That is essentially an RBAC approach, where there is a mapping between the user roles and the operations they are allowed to perform.

You would address the issue in the AuthenticationProvider rather than the UserDetailsService, by adding a mapping layer in there which translates the user roles (supplied by the UserDetailsService) into the rights that the user has within the application. These would make up the collection of authorities that are returned in the Authentication object created by the AuthenticationProvider.

The mapping layer would directly use the data which your administration interface provides.

You might want to take a look at this presentation, by Mike Weisner, which covers similar material, amongst other things.

Not also that Spring Security 3.1 will include an additional GrantedAuthorityMapper strategy to make it easier to plug in a mapping of this kind.