Reputation: 22512
There's a lot of documentation on how to use JSP tags, AOP, annotations, the application context, and all of these sorts of things... but how do I access the access control methods directly? What class do I need to create, if any? Is there a hidden bean I need to be aware of? It doesn't seem like SecurityContextHolder is the right place to look.
What I'd like to do is something like this:
if(springSecurityObject.isAuthorized("hasAnyRole('DIRECTOR', 'ADMIN')")) {
// ... do something
}
Or even better:
if(springSecurityObject.hasAnyRole("DIRECTOR", "ADMIN")) {
// ... do something
}
Thanks!
EDIT: It seems like the Spring Security people are using the granted authorities on the user object itself:
I think it would probably have been helpful if they abstracted out a ton of this code and put it into a nice set of classes instead - something that both the tag libraries and actual users could use. They are private helper methods after all... a common smell that they should probably exist in some classes instead.
Since they are doing the plumbing manually, I guess I have to assume that what I want doesn't exist.
Upvotes: 3
Views: 478
Reputation: 5386
You can also invoke SecurityContextHolder.getContext().getAuthentication() to get the current Authentication instance and UserDetails:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
UserDetails user = (UserDetails) auth.getPrincipal();
[...]
Upvotes: 0
Reputation: 7792
The only thing I can think of is invoking your UserDetailsService manually, calling getAuthorities() on the returned Authentication and then calling contains() or containsAll() on the returned collection.
So you'd have something like:
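final UserDetails jimmyDetails = myDetailsService.loadUserByUsername("Jimmy");
final Collection<? extends GrantedAuthority> jimmyAuthorities = jimmyDetails.getAuthorities();
// make it a Collection<String> by iterating and calling .getAuthority()
final Set<String> plainAuthorities = new HashSet<String>();
for (GrantedAuthority authority : jimmyAuthorities) {
    plainAuthorities.add(authority.getAuthority());
}
plainAuthorities.contains("ROLE_YOU_NEED_TO_CHECK_FOR");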
Writing your own helper methods that do this would not be too hard, although I agree that having them in the API would be nice.
Upvotes: 2
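A helper along the lines the question asks for, built on the SecurityContextHolder lookup and the getAuthorities() check from the answers above; this is an added example, not code from the thread or from Spring Security. The class name CurrentUserRoles, the sample user "jimmy" and the use of the default ROLE_ prefix are assumptions.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper (not a Spring Security class): role checks against the
// Authentication bound to the current thread, denying when there is none.
public final class CurrentUserRoles {

    private static final String ROLE_PREFIX = "ROLE_"; // assumption: default prefix in use

    public static boolean hasAnyRole(String... roles) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no Authentication in the context, or one not marked authenticated.
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Set<String> granted = new HashSet<String>();
        for (GrantedAuthority authority : auth.getAuthorities()) {
            granted.add(authority.getAuthority());
        }
        for (String role : roles) {
            String name = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
            if (granted.contains(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Nothing is bound to the context yet, so this check is denied.
        System.out.println(hasAnyRole("DIRECTOR", "ADMIN"));
        // Constructed sample: user "jimmy" holding ROLE_ADMIN only.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("jimmy", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
        System.out.println(hasAnyRole("DIRECTOR", "ADMIN"));
        System.out.println(hasAnyRole("DIRECTOR"));
        SecurityContextHolder.clearContext();
    }
}
```

Unlike loading a user by name through UserDetailsService, this reads the authorities of the Authentication already established for the current request, so the decision reflects the caller who was actually authenticated.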