user1007522

Reputation: 8118

Spring boot security roles per entity

My application has currently two types of users: Admin or Normal user.

The application has several projects: 100 or more. Per project the user has a different role like project owner, client, etc...

I'm now figuring out the best way to put those subroles in place, because in my services I want to use @PreAuthorize("hasRole('OWNER')") so that only the right people can execute an update or whatever.

What I was trying now was giving every project a list of users that are working on it, each with a role (project owner, client, etc.). When I log in via Spring Security I retrieve the user, fetch all the projects he is part of and then add roles as follows: ROLE_PROJECTNAME_OWNER or ROLE_PROJECTNAME_CLIENT.

The thing is that I can't use hasRole because there are a lot of projects, so I can't annotate in advance which projects there are to allow a method call in my service layer. I also can't just add OWNER because then I don't know for which project. So I'm a little bit stuck here on how to do this properly.

Upvotes: 0

Views: 3193

Answers (2)

jbx

Reputation: 22128

Why don't you separate your users and the groups they form part of from the roles and services they can access?

There are various ways you can do this, but one approach is to have the central authentication framework provide you with the groups of the user once he performs authentication.

Now within each service there will be a mapping between groups and roles. The roles are application specific; the authentication service and the other applications do not care about them. You might store this mapping in the individual application's database, or in a simple configuration file (maybe simply in the application.yaml of the specific application).

Your groups currently are Admin and Normal, but you could have others. A user could also be a member of multiple groups. So in application 1 you could say that Admin users can do role 1, role 2 and role 3, while Normal users can only do role 1. Again, it is many to many. This is something your UserDetails instance would carry once it recognizes the authenticated user and his groups, which are then mapped to roles as part of your Spring Security configuration. You will then be able to do @PreAuthorize("hasRole('OWNER')") etc. on your services.

This way, if you add more users, you just put them in the right groups to give them access to the individual services. If you want to create new profiles instead of just Admin and Normal, or special groups, you just do it once and update the configuration of the individual application to recognise that group if it is relevant to it (remember the user can be a member of multiple groups, so you don't even need each application to know about every group).

I don't know what mechanism you are using for single sign-on authentication. But in the spirit of microservices and minimal sharing between applications, you could actually put the groups as scopes in your token (if you are using JWT, for example). This way the application receiving the token not only knows that the user was authenticated but also knows the groups of the user without even making a query to any other system.

The architecture you will have is shown in the picture:

Microservice Security Model

Each use case (a service method annotated with @PreAuthorize) will have a role. Each user will be associated with a number of groups that the authentication system will provide (for example, groups in Active Directory). Upon receiving the authentication information of the user, the groups will be mapped to the roles specific to the application and populated in the UserDetails Spring Security object. Each annotated method will then see the application-specific roles (not the global groups).

This gives you the flexibility to add as many groups as you like that can have the same application role.

Upvotes: 0
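The group-to-role mapping this answer describes, as an added example (it is not code from the answer): the application owns a small groups-to-roles table in its application.yaml, the groups arrive as a claim in a JWT that the resource server has already validated, and a converter turns them into ROLE_* authorities so that @PreAuthorize("hasRole('OWNER')") works on the service layer. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server; the "groups" claim name, the app.group-roles property and the package are assumptions.

```java
// Added example, not code from the answer above: maps externally managed groups
// (a "groups" claim in a validated JWT) to this application's own roles.
// Assumes Spring Boot 3 / Spring Security 6 with the OAuth2 resource server
// starter; claim name, property names and package are hypothetical.
package com.example.security;

import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize on beans (prePost is on by default here)
@EnableConfigurationProperties(SecurityConfig.GroupRoleProperties.class)
public class SecurityConfig {

    /**
     * Group -> roles mapping owned by this application and bound from its
     * own application.yaml, for example:
     *
     *   app:
     *     group-roles:
     *       Admin:  [OWNER, CLIENT]
     *       Normal: [CLIENT]
     *
     * The authentication service never sees these role names.
     */
    @ConfigurationProperties(prefix = "app")
    public record GroupRoleProperties(Map<String, List<String>> groupRoles) { }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, GroupRoleProperties props) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Signature, issuer and expiry are checked by the resource server before the
            // converter runs; that validation is what makes the "groups" claim trustworthy.
            .oauth2ResourceServer(rs -> rs.jwt(jwt ->
                jwt.jwtAuthenticationConverter(groupsToRolesConverter(props.groupRoles()))));
        return http.build();
    }

    /** Builds the Authentication whose authorities are application roles, not global groups. */
    static Converter<Jwt, AbstractAuthenticationToken> groupsToRolesConverter(
            Map<String, List<String>> groupRoles) {
        return jwt -> {
            List<String> groups = jwt.getClaimAsStringList("groups"); // null when the claim is absent
            Set<GrantedAuthority> roles =
                mapGroupsToRoles(groups == null ? List.of() : groups, groupRoles);
            return new JwtAuthenticationToken(jwt, roles, jwt.getSubject());
        };
    }

    /**
     * Pure mapping: groups this application does not know are ignored, duplicates
     * collapse, and the ROLE_ prefix is added so that hasRole('OWNER') matches.
     */
    static Set<GrantedAuthority> mapGroupsToRoles(Collection<String> groups,
                                                  Map<String, List<String>> groupRoles) {
        return groups.stream()
            .flatMap(group -> groupRoles.getOrDefault(group, List.of()).stream())
            .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
            .collect(Collectors.toUnmodifiableSet());
    }
}
```

With this in place a service method keeps the plain @PreAuthorize("hasRole('OWNER')") from the answer. Two things to check in a real deployment: the converter must only ever run on a token the resource server has validated (never parse the claim yourself from a header), and unknown groups should be dropped rather than passed through as authorities, otherwise a group name chosen on the identity side could collide with an application role.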

Fabien MIFSUD

Reputation: 345

Define your own service to manage access with user/project/role and call this service directly from your @PreAuthorize.

Have a look at: https://dreamix.eu/blog/java/implementing-custom-authorization-function-for-springs-pre-and-post-annotations

Upvotes: 2
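A worked version of this answer for the question's per-project roles, added here as an example (it is not code from the answer or from the linked article): a bean holding user/project/role memberships is referenced from SpEL as @projectAuth, so the annotation can name the role while the project comes from the method's own parameter. It assumes Spring Boot 3 / Spring Security 6 with @EnableMethodSecurity on a configuration class and Spring Data JPA; the entity, repository, bean and method names are all hypothetical.

```java
// Added example, not code from the answer or the linked article: project-scoped
// authorization decided by a bean that @PreAuthorize calls through SpEL.
// Assumes Spring Boot 3 / Spring Security 6 (@EnableMethodSecurity declared on
// a configuration class) and Spring Data JPA; every name here is hypothetical.
package com.example.projects;

import java.util.List;
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.EnumType;
import jakarta.persistence.Enumerated;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

enum ProjectRole { OWNER, CLIENT }

/** One row per (user, project): the question's "list of users working on it with a role". */
@Entity
class ProjectMembership {
    @Id @GeneratedValue Long id;
    String username;
    Long projectId;
    @Enumerated(EnumType.STRING) ProjectRole role;
}

interface ProjectMembershipRepository extends JpaRepository<ProjectMembership, Long> {
    Optional<ProjectMembership> findByProjectIdAndUsername(Long projectId, String username);
    List<ProjectMembership> findByProjectId(Long projectId);
}

/** Looked up from SpEL as @projectAuth; the bean name is what the expression resolves. */
@Component("projectAuth")
class ProjectAuthorization {
    private final ProjectMembershipRepository memberships;

    ProjectAuthorization(ProjectMembershipRepository memberships) {
        this.memberships = memberships;
    }

    /**
     * Deny by default: a missing or anonymous Authentication, a missing project id
     * or no membership row all yield false. Note that the anonymous token reports
     * isAuthenticated() == true, so it is excluded explicitly.
     */
    public boolean hasProjectRole(Authentication auth, Long projectId, String role) {
        if (auth == null || auth instanceof AnonymousAuthenticationToken || projectId == null) {
            return false;
        }
        return memberships.findByProjectIdAndUsername(projectId, auth.getName())
            .map(m -> m.role.name().equals(role))
            .orElse(false);
    }
}

@Service
public class ProjectService {
    private final ProjectMembershipRepository memberships;

    ProjectService(ProjectMembershipRepository memberships) {
        this.memberships = memberships;
    }

    // #projectId is the method parameter, and the body must act on that same id;
    // checking one id and writing to another is how this pattern gets bypassed.
    @PreAuthorize("@projectAuth.hasProjectRole(authentication, #projectId, 'OWNER')")
    public ProjectMembership addMember(Long projectId, String username, ProjectRole role) {
        ProjectMembership m = new ProjectMembership();
        m.projectId = projectId;
        m.username = username;
        m.role = role;
        return memberships.save(m);
    }

    @PreAuthorize("@projectAuth.hasProjectRole(authentication, #projectId, 'OWNER')"
                + " or @projectAuth.hasProjectRole(authentication, #projectId, 'CLIENT')")
    public List<ProjectMembership> listMembers(Long projectId) {
        return memberships.findByProjectId(projectId);
    }
}
```

Three caveats a practitioner will hit with this pattern. The #projectId reference needs the parameter name at runtime, which on Spring 6 means compiling with javac -parameters (the Spring Boot Maven and Gradle plugins set this for you) or annotating the parameter with @P("projectId"). The check runs on the Spring proxy, so a call from one method of ProjectService to another annotated method in the same class bypasses it; route such calls through another bean or check again inside. On Spring Security 5.x the equivalent switch is @EnableGlobalMethodSecurity(prePostEnabled = true) and the imports are the javax.persistence ones.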
