Une expression de sécurité personnalisée avec Spring Security

1. Vue d'ensemble

Dans ce didacticiel, nous allons nous concentrer sur la création d'une expression de sécurité personnalisée avec Spring Security .

Parfois, les expressions disponibles dans le cadre ne sont tout simplement pas assez expressives. Et, dans ces cas, il est relativement simple de créer une nouvelle expression sémantiquement plus riche que les expressions existantes.

Nous aborderons d'abord comment créer un PermissionEvaluator personnalisé , puis une expression entièrement personnalisée - et enfin comment remplacer l'une des expressions de sécurité intégrées.

2. Une entité utilisateur

Tout d'abord, préparons les bases de la création des nouvelles expressions de sécurité.

Jetons un coup d'œil à notre entité utilisateur - qui a des privilèges et une organisation :

@Entity public class User{ @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; @Column(nullable = false, unique = true) private String username; private String password; @ManyToMany(fetch = FetchType.EAGER) @JoinTable(name = "users_privileges", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"), inverseJoinColumns = @JoinColumn(name = "privilege_id", referencedColumnName = "id")) private Set privileges; @ManyToOne(fetch = FetchType.EAGER) @JoinColumn(name = "organization_id", referencedColumnName = "id") private Organization organization; // standard getters and setters }

Et voici notre privilège simple :

@Entity public class Privilege { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; @Column(nullable = false, unique = true) private String name; // standard getters and setters }

Et notre organisation :

@Entity public class Organization { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; @Column(nullable = false, unique = true) private String name; // standard setters and getters }

Enfin, nous utiliserons un Principal personnalisé plus simple :

public class MyUserPrincipal implements UserDetails { private User user; public MyUserPrincipal(User user) { this.user = user; } @Override public String getUsername() { return user.getUsername(); } @Override public String getPassword() { return user.getPassword(); } @Override public Collection getAuthorities() { List authorities = new ArrayList(); for (Privilege privilege : user.getPrivileges()) { authorities.add(new SimpleGrantedAuthority(privilege.getName())); } return authorities; } ... }

Avec toutes ces classes prêtes, nous allons utiliser notre Principal personnalisé dans une implémentation de base UserDetailsService :

@Service public class MyUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) { User user = userRepository.findByUsername(username); if (user == null) { throw new UsernameNotFoundException(username); } return new MyUserPrincipal(user); } }

Comme vous pouvez le voir, ces relations n'ont rien de compliqué: l'utilisateur a un ou plusieurs privilèges et chaque utilisateur appartient à une organisation.

3. Configuration des données

Ensuite, initialisons notre base de données avec des données de test simples:

@Component public class SetupData { @Autowired private UserRepository userRepository; @Autowired private PrivilegeRepository privilegeRepository; @Autowired private OrganizationRepository organizationRepository; @PostConstruct public void init() { initPrivileges(); initOrganizations(); initUsers(); } }

Voici nos méthodes d' initialisation :

private void initPrivileges() { Privilege privilege1 = new Privilege("FOO_READ_PRIVILEGE"); privilegeRepository.save(privilege1); Privilege privilege2 = new Privilege("FOO_WRITE_PRIVILEGE"); privilegeRepository.save(privilege2); }
private void initOrganizations() { Organization org1 = new Organization("FirstOrg"); organizationRepository.save(org1); Organization org2 = new Organization("SecondOrg"); organizationRepository.save(org2); }
private void initUsers() { Privilege privilege1 = privilegeRepository.findByName("FOO_READ_PRIVILEGE"); Privilege privilege2 = privilegeRepository.findByName("FOO_WRITE_PRIVILEGE"); User user1 = new User(); user1.setUsername("john"); user1.setPassword("123"); user1.setPrivileges(new HashSet(Arrays.asList(privilege1))); user1.setOrganization(organizationRepository.findByName("FirstOrg")); userRepository.save(user1); User user2 = new User(); user2.setUsername("tom"); user2.setPassword("111"); user2.setPrivileges(new HashSet(Arrays.asList(privilege1, privilege2))); user2.setOrganization(organizationRepository.findByName("SecondOrg")); userRepository.save(user2); }

Notez que:

  • L'utilisateur «john» n'a que FOO_READ_PRIVILEGE
  • L'utilisateur «tom» a à la fois FOO_READ_PRIVILEGE et FOO_WRITE_PRIVILEGE

4. Un évaluateur d'autorisations personnalisées

À ce stade, nous sommes prêts à commencer à implémenter notre nouvelle expression - via un nouvel évaluateur d'autorisation personnalisé.

Nous allons utiliser les privilèges de l'utilisateur pour sécuriser nos méthodes, mais au lieu d'utiliser des noms de privilèges codés en dur, nous voulons atteindre une implémentation plus ouverte et plus flexible.

Commençons.

4.1. PermissionÉvaluateur

Afin de créer notre propre évaluateur d'autorisation personnalisé, nous devons implémenter l' interface PermissionEvaluator :

public class CustomPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission( Authentication auth, Object targetDomainObject, Object permission) { if ((auth == null) || (targetDomainObject == null) || !(permission instanceof String)){ return false; } String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase(); return hasPrivilege(auth, targetType, permission.toString().toUpperCase()); } @Override public boolean hasPermission( Authentication auth, Serializable targetId, String targetType, Object permission) { if ((auth == null) || (targetType == null) || !(permission instanceof String)) { return false; } return hasPrivilege(auth, targetType.toUpperCase(), permission.toString().toUpperCase()); } }

Voici notre méthode hasPrivilege () :

private boolean hasPrivilege(Authentication auth, String targetType, String permission) { for (GrantedAuthority grantedAuth : auth.getAuthorities()) { if (grantedAuth.getAuthority().startsWith(targetType)) { if (grantedAuth.getAuthority().contains(permission)) { return true; } } } return false; }

Nous avons maintenant une nouvelle expression de sécurité disponible et prête à être utilisée: hasPermission .

Et donc, au lieu d'utiliser la version plus codée en dur:

@PostAuthorize("hasAuthority('FOO_READ_PRIVILEGE')")

Nous pouvons utiliser utiliser:

@PostAuthorize("hasPermission(returnObject, 'read')")

ou

@PreAuthorize("hasPermission(#id, 'Foo', 'read')")

Remarque: #id fait référence au paramètre de méthode et « Foo » fait référence au type d'objet cible.

4.2. Configuration de la sécurité de la méthode

Il ne suffit pas de définir CustomPermissionEvaluator - nous devons également l'utiliser dans notre configuration de sécurité de méthode:

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { @Override protected MethodSecurityExpressionHandler createExpressionHandler() { DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator()); return expressionHandler; } }

4.3. Exemple en pratique

Commençons maintenant à utiliser la nouvelle expression - dans quelques méthodes de contrôleur simples:

@Controller public class MainController { @PostAuthorize("hasPermission(returnObject, 'read')") @GetMapping("/foos/{id}") @ResponseBody public Foo findById(@PathVariable long id) { return new Foo("Sample"); } @PreAuthorize("hasPermission(#foo, 'write')") @PostMapping("/foos") @ResponseStatus(HttpStatus.CREATED) @ResponseBody public Foo create(@RequestBody Foo foo) { return foo; } }

Et nous y voilà - nous sommes tous prêts et utilisons la nouvelle expression dans la pratique.

4.4. Le test en direct

Écrivons maintenant un simple test en direct - en appuyant sur l'API et en nous assurant que tout est en ordre de marche:

@Test public void givenUserWithReadPrivilegeAndHasPermission_whenGetFooById_thenOK() { Response response = givenAuth("john", "123").get("//localhost:8082/foos/1"); assertEquals(200, response.getStatusCode()); assertTrue(response.asString().contains("id")); } @Test public void givenUserWithNoWritePrivilegeAndHasPermission_whenPostFoo_thenForbidden() { Response response = givenAuth("john", "123").contentType(MediaType.APPLICATION_JSON_VALUE) .body(new Foo("sample")) .post("//localhost:8082/foos"); assertEquals(403, response.getStatusCode()); } @Test public void givenUserWithWritePrivilegeAndHasPermission_whenPostFoo_thenOk() { Response response = givenAuth("tom", "111").contentType(MediaType.APPLICATION_JSON_VALUE) .body(new Foo("sample")) .post("//localhost:8082/foos"); assertEquals(201, response.getStatusCode()); assertTrue(response.asString().contains("id")); }

And here is our givenAuth() method:

private RequestSpecification givenAuth(String username, String password) { FormAuthConfig formAuthConfig = new FormAuthConfig("//localhost:8082/login", "username", "password"); return RestAssured.given().auth().form(username, password, formAuthConfig); }

5. A New Security Expression

With the previous solution, we were able to define and use the hasPermission expression – which can be quite useful.

However, we're still somewhat limited here by the name and semantics of the expression itself.

And so, in this section, we're going to go full custom – and we're going to implement a security expression called isMember() – checking if the principal is a member of a Organization.

5.1. Custom Method Security Expression

In order to create this new custom expression, we need start by implementing the root note where the evaluation of all security expressions starts:

public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations { public CustomMethodSecurityExpressionRoot(Authentication authentication) { super(authentication); } public boolean isMember(Long OrganizationId) { User user = ((MyUserPrincipal) this.getPrincipal()).getUser(); return user.getOrganization().getId().longValue() == OrganizationId.longValue(); } ... }

Now how we provided this new operation right in the root note here; isMember() is used to check if current user is a member in given Organization.

Also note how we extended the SecurityExpressionRoot to include the built-in expressions as well.

5.2. Custom Expression Handler

Next, we need to inject our CustomMethodSecurityExpressionRoot in our expression handler:

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler { private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); @Override protected MethodSecurityExpressionOperations createSecurityExpressionRoot( Authentication authentication, MethodInvocation invocation) { CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication); root.setPermissionEvaluator(getPermissionEvaluator()); root.setTrustResolver(this.trustResolver); root.setRoleHierarchy(getRoleHierarchy()); return root; } }

5.3. Method Security Configuration

Now, we need to use our CustomMethodSecurityExpressionHandler in the method security configuration:

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { @Override protected MethodSecurityExpressionHandler createExpressionHandler() { CustomMethodSecurityExpressionHandler expressionHandler = new CustomMethodSecurityExpressionHandler(); expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator()); return expressionHandler; } }

5.4. Using the New Expression

Here is a simple example to secure our controller method using isMember():

@PreAuthorize("isMember(#id)") @GetMapping("/organizations/{id}") @ResponseBody public Organization findOrgById(@PathVariable long id) { return organizationRepository.findOne(id); }

5.5. Live Test

Finally, here is a simple live test for user “john“:

@Test public void givenUserMemberInOrganization_whenGetOrganization_thenOK() { Response response = givenAuth("john", "123").get("//localhost:8082/organizations/1"); assertEquals(200, response.getStatusCode()); assertTrue(response.asString().contains("id")); } @Test public void givenUserMemberNotInOrganization_whenGetOrganization_thenForbidden() { Response response = givenAuth("john", "123").get("//localhost:8082/organizations/2"); assertEquals(403, response.getStatusCode()); }

6. Disable a Built-in Security Expression

Finally, let's see how to override a built-in security expression – we'll discuss disabling hasAuthority().

6.1. Custom Security Expression Root

We'll start similarly by writing our own SecurityExpressionRoot – mainly because the built-in methods are final and so we can't override them:

public class MySecurityExpressionRoot implements MethodSecurityExpressionOperations { public MySecurityExpressionRoot(Authentication authentication) { if (authentication == null) { throw new IllegalArgumentException("Authentication object cannot be null"); } this.authentication = authentication; } @Override public final boolean hasAuthority(String authority) { throw new RuntimeException("method hasAuthority() not allowed"); } ... }

After defining this root note, we'll have to inject it into the expression handler and then wire that handler into our configuration – just as we did above in Section 5.

6.2. Example – Using the Expression

Now, if we want to use hasAuthority() to secure methods – as follows, it will throw RuntimeException when we try to access method:

@PreAuthorize("hasAuthority('FOO_READ_PRIVILEGE')") @GetMapping("/foos") @ResponseBody public Foo findFooByName(@RequestParam String name) { return new Foo(name); }

6.3. Live Test

Finally, here is our simple test:

@Test public void givenDisabledSecurityExpression_whenGetFooByName_thenError() { Response response = givenAuth("john", "123").get("//localhost:8082/foos?name=sample"); assertEquals(500, response.getStatusCode()); assertTrue(response.asString().contains("method hasAuthority() not allowed")); }

7. Conclusion

In this guide, we did a deep-dive into the various ways we can implement a custom security expression in Spring Security, if the existing ones aren't enough.

And, as always, the full source code can be found over on GitHub.