While Spring Security supports several resources to protect such as a URL, a method invocation and an (domain) object, it lacks a uniform abstraction for representing the same in its architecture. It also lacks an abstraction to represent a permission on a resource. Let me give examples for what I mean.
Defining and enforcing permissions for URL resources requires configuring FilterSecurityInterceptor with permissions defined in the form of intercept-url elements including URL patterns and allowed roles.
1: <bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
2: ...
3: <!--property name="securityMetadataSource" ref="cspaceMetadataSource"/-->
4: <property name="securityMetadataSource">
5: <sec:filter-security-metadata-source>
6: <sec:intercept-url pattern="/**" access="ROLE_USERS"/>
7: </sec:filter-security-metadata-source>
8: </property>
9: </bean>
Defining and enforcing permissions for method resources using MethodSecurityInterceptor requires listing permissions using a set of properties including qualified methods as names and allowed roles as value.
1: <bean id="bankManagerSecurity"
2: class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
3: ...
4: <property name="securityMetadataSource">
5: <value>
6: com.mycompany.BankManager.delete*=ROLE_SUPERVISOR
7: com.mycompany.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR
8: </value>
9: </property>
10: </bean>
Spring ACL for Domain Object Security has an abstraction for Permission but actually the permission is required to be configured programatically using abstractions such as Permission, ObjectIdentity and Sid (security identity). It offers no management interfaces to configure or administer permissions declaratively.
1: <security:global-method-security pre-post-annotations="enabled">
2: <security:expression-handler ref="expressionHandler"/>
3: </security:global-method-security>
4: <bean id="expressionHandler"
5: class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
6: <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
7: </bean>
The first two examples above show that Spring Security neatly allows to define permissions exactly where those permissions would be enforced. This makes it really easy to configure permissions. However, it also makes it really difficult to administer permissions independently as there are no distinct and unified administrative interfaces to do so. Now, if you had abstractions for Resource and Permission, you would be able to administer these separately and enforce them from FilterInvocation, MethodInvocation and PermissionEvaluator too.
A typical simple non-hierarchical resource would have the following information:
- Type of the resource (URL, method, object, class, db table, etc.)
- Id to uniquely identify the resource
- Pattern (e.g. com.mycompany.BankManager.delete* or /**)
- Resource on which access is defined
- A set of principals (roles and users) it is applicable to
- An effect (permit or deny)
No comments:
Post a Comment