Flo

Reputation: 1499

Spring Security 3 - Add information to (role) voters

I am pretty new to Spring Security and just going through the reference, doing some examples. One feature that I am strongly missing (and I wonder that hardly anybody else seems to miss it) is to provide custom information to the user why or for what reason access was denied. E.g. I would like to inform the user that he has no access to module A or that he needs to be granted role-access B, etc.

I took a look at the role interface, but this information seems to get lost:

int vote(Authentication authentication, Object object, Collection<ConfigAttribute> config);

"Spring Security Access Denied logging with missing role": this says that I have to provide a custom implementation of AccessDecisionManager.

But what could an actual implementation look like which provides specific information if access is denied? And how to hook it into Spring Security? For starters, simple role-based access would be sufficient. Can anybody provide any examples of this?

Upvotes: 1

Views: 2578

Answers (1)

Ralph

Reputation: 120861

Have a look at the AffirmativeBased - DecisionManager. You can enhance it and add some additional information to the AccessDeniedException. But it seems to be not so easy to get the reasons from the Voters why they denied the access. (I hope you will find some naming pattern, or you even have to extend the voters.)

And this is an example of how to configure your custom DecisionManager:

<!-- The ref must match the id of the decision manager bean below -->
<security:http auto-config="true" access-decision-manager-ref="myAccessDecisionManager">
    <!-- intercept-url rules omitted -->
</security:http>

<bean id="myAccessDecisionManager"
    class="MyAffirmativeBasedDecisionManager">
    <constructor-arg name="decisionVoters">
        <list>
            <ref bean="roleVoter" />
            <ref bean="authenticatedVoter" />
            <ref bean="preAdviceVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- Voters consulted by the decision manager -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />

<bean id="authenticatedVoter"
    class="org.springframework.security.access.vote.AuthenticatedVoter" />

<bean id="preAdviceVoter"
    class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
    <constructor-arg ref="exprPreInvocationAdvice" />
</bean>

<bean id="exprPreInvocationAdvice"
    class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
    <property name="expressionHandler" ref="methodExprHandler" />
</bean>

<bean id="methodExprHandler"
    class="org.springframework.security.access.expression.method.ExtensibleMethodSecurityExpressionHandler">
    <property name="methodSecurityExpressionRootFactory">
        <bean
            class="com.queomedia.infrastructure.security.spring.MethodSecurityExpressionRootFactoryImpl" />
    </property>
</bean>

Upvotes: 2
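A sketch of what the MyAffirmativeBasedDecisionManager class referenced in the configuration above could look like for simple role-based access. This is an added example, not code from the answer or from Spring Security itself; it assumes the Spring Security 3.1 constructor that takes the voter list, and the message wording is made up for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Illustrative subclass: keeps the stock AffirmativeBased voting logic and only
// enriches the exception when the outcome is a denial.
public class MyAffirmativeBasedDecisionManager extends AffirmativeBased {

    // Assumption: Spring Security 3.1, where AffirmativeBased accepts the voters
    // through its constructor (matches <constructor-arg name="decisionVoters">).
    public MyAffirmativeBasedDecisionManager(List<AccessDecisionVoter> decisionVoters) {
        super(decisionVoters);
    }

    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
        try {
            super.decide(authentication, object, configAttributes);
        } catch (AccessDeniedException denied) {
            // Attributes configured for the secured object, e.g. ROLE_ADMIN.
            List<String> required = new ArrayList<String>();
            for (ConfigAttribute attribute : configAttributes) {
                // getAttribute() may return null for attributes without a
                // plain string form (e.g. expression-based ones).
                if (attribute.getAttribute() != null) {
                    required.add(attribute.getAttribute());
                }
            }
            // Authorities the current user actually holds.
            List<String> granted = new ArrayList<String>();
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                granted.add(authority.getAuthority());
            }
            // Rethrow with the detail attached; the original exception stays as the cause.
            throw new AccessDeniedException("Access denied: required attributes "
                    + required + ", granted authorities " + granted, denied);
        }
    }
}
```

The enriched message travels with the exception to whatever handles the denial, so log it in full there and show the end user only as much as they need, since the list of required roles describes how the application is protected.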
