tags:

views:

1061

answers:

3
Q: 

Spring Security: Advice needed on how to handle GrantedAuthority

I have a concern when it comes to GrantedAuthority objects in a Spring Security application. I'm looking for a good way to handle things. First of all I'm trying to describe my concern, if there are any factual errors do not hesitate to point them out, I'll only be greatful.

Spring Security uses GrantedAuthority instances to act as tokens of authorization in different parts of the application.

By default a GrantedAuthority may present itself as a String. When methods are secured using *@Secured("ROLE_NAME")*, or URL's are secured using the Spring XML configuration or when the HttpServletRequest request is checked programmatically as in *if(request.isUserInRole("ROLE_NAME")) {..}* it's always the String that you are using to specify the authority which is checked for.

I'm wondering about the implications of using static strings in several places of the application. If a role name is changed the developer has to hunt down all the old strings and update them. There will be no compile time error if a String is missed, only a problem at runtime.

What is the best way according to you when it comes to handling GrantedAuthority objects in a Spring Security application? What pros and cons does your solution have?

A: 

I do not see a big problem here. It is very unlikely for GrantedAuthority to change the key. Just do not name your roles ROLE_A.

Also, I personally prefer XML security configuration over annotations. In general to keep any related configurations in one place looks like a good idea.

Georgy Bolyuba  2009-05-05 14:00:14
The problem I see is that it's easy to misspell something and not find out about it until the application is tested or run. Being alterted of declarative errors during compilation is a plus in my book.And there is always a balance between keeping "related configurations" together and keeping them together with what they are configuring. For instance I prefer annotations in most cases where a configuration doesn't change between the test, dev and prod environments. That's why I use annotations for Hibernate entities and XML configuration for my Spring beans.
DeletedAccount  2009-06-18 17:01:44
s/alterted/alerted
DeletedAccount  2009-06-18 17:41:25
A: 

In Spring and other frameworks (especially for dynamic languages) "Convention over Configuration" is used. If you were free to define the role names yourself, you easily find out that much more lines of code are needed.

So stick to the convention. Always use the 3 following roles, ROLE_ANONYMOUS, ROLE_ADMIN, and ROLE_USER. If you need another one, name it accordingly and use it in all occasions. Documentations is important.

Also unit testing is imported. It helps you in the cases that an error isn't caught by the compiler.

kgiannakakis  2009-05-05 14:01:09
Thanks for your answer, but I think you are confused. Convention over configuration isn't related to this at all, I have to configure the role names in each and every place I use them. Convention over configuration is when I don't have to configure something, unless I want to break a convention. Those three role names may be commonly used. But I still don't get any compile time errors, which was my complaint. Unit testing is good for sure, I still don't see any clear advantage of not having the option to use declarations cought by the compiler. Silent errors are never a good thing. All IMHO.:)
DeletedAccount  2009-06-18 16:56:08
With `I have to configure the role names in each and every place I use them` I mean that I write the name of the accepted role(s) each time. Nothing is stopping me from performing a spelling error, it will simple be interpreted as a new role (which no user has). In that sense I'm doing configuration all the time when using `@Secured`.
DeletedAccount  2009-06-18 16:58:14
post has nothing todo with question.
Salvin Francis  2009-11-09 12:54:30
+1  A: 

First off, if possible, only do your checks at a particular place in the application (e.g. an HTTP interceptor at the beginning of the request), and using only one of the mentioned approaches. This is a good practice since you will be able to know authoritatively when a user becomes authorized.

If this is not possible, use enums for the role names and only compare on the enums. Therefore, if you wanted to locate all usages in the application it's a simple search.

eqbridges  2009-05-05 15:47:06
+1. This problem of changing Strings / making constants/enums is nothing specific to using Spring Security - a good practice no matter what.
matt b  2009-05-05 18:34:37
I'm using a combination of method security in the Spring (service) layer and component security in the Wicket (presentation) layer. The idea is that if something is missed in one of the layers it's most likely cought in the other. The risk of users not being allowed to execute code they should be allowed to execute increases a bit, but I think it's worth it.
DeletedAccount  2009-06-18 17:07:30
Using enums is exactly what I would like to do. But as far as I have come it seems impossible as the GrantedAuthority interface extends Comparable. The result in my enum is `Name clash: The method compareTo(Object) of type A has the same erasure as compareTo(T) of type Comparable<T> but does not override it` where A is the name of my enum.
DeletedAccount  2009-06-18 17:08:02
Yes, that's a known issue with Spring Security. You need to create a enum class as opposed to using a Java 5 enum.
eqbridges  2009-06-19 16:40:22

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java