Spring Security Permission Based framework

28 / Apr / 2014 by Mohit Garg 2 comments

In my recent project, I want to implement permission based framework with spring security grails plugin.

What does permission based framework mean?

We can create a ROLE at run time based on the permission given to the user. Most of the times, we use Spring security in a way where we pre-define the roles to be used in our apps. But with the use of Permission, we can define the role at run time and assign permission as per our requirement.

Let’s take an example : Suppose we have a controller named as PersonController

class PersonController {

@Secured('ROLE_PERMISSION_PERSON_CREATE')

def create(){....}

@Secured('ROLE_PERMISSION_PERSON_EDIT')

def edit(){...}

@Secured('ROLE_PERMISSION_PERSON_SHOW')

def show(){....}

@Secured('ROLE_PERMISSION_PERSON_DELETE')
def delete(){....}
}

In this example, we have defined four action, We want to create 2 roles like this :-

  • Edit Person: This role has permissions like edit, create, delete, show.
  • Show Person : This role has permissions like show.

So, for this, we have to define the different permissions to each action or may be you can define same permission to different action as same as we are defining roles in our projects.

After that, we have to add a new domain named as Permission, we have to define the many to many relationship with Role domain.

Role.groovy

class Role implements Serializable {

String authority
Date dateCreated
Date lastUpdated

static hasMany = [permissions:Permission]

static mapping = {
cache true
}

static constraints = {
authority blank: false, unique: true
}
}

Permission.groovy

class Permission implements Serializable {

String name
static constraints = {
}
}

In Bootstrap.groovy, you can bootstrap roles and permissions. See the code snippet below:

Firstly you have to save different type of permissions that mentioned above the action name in @secured annotation and assign permission to each role as per your requirements.

Permission createPermission = new Permission(name: 'PERSON_CREATE')
createPermission.save()

Permission editPermission = new Permission(name: 'PERSON_EDIT')
editPermission.save()

Permission deletePermission = new Permission(name: 'PERSON_DELETE')
deletePermission.save()

Permission showPermission = new Permission(name: 'PERSON_SHOW')
showPermission.save()

Role editRole = new Role(authority: 'ROLE_EDIT_PERSON', permissions: [createPermission, deletePermission, showPermission, editPermission])
editRole.save()

Role showRole = new Role(authority: 'ROLE_SHOW_PERSON', permissions: [showPermission])
showRole.save()

You can create as many as can roles at run time and assign permissions to each role.

You have to create one class in src/groovy package CustomAuthority which will extends the GrantedAuthority
class.

import org.springframework.security.core.GrantedAuthority

class CustomAuthority implements GrantedAuthority {
private String authority;

public CustomAuthority(String authority) {
this.authority = authority;
}

@Override
public String getAuthority() {
return authority;
}

@Override
public int hashCode() {
return authority.hashCode();
}

@Override
public boolean equals(Object obj) {
if(obj == null) return false;
if(!(obj instanceof CustomAuthority)) return false;
return ((CustomAuthority) obj).getAuthority().equals(authority);
}
}

Now, you have to override getAuthorities() method of the User.groovy file to use the permission for each role specific to users.

Set getAuthorities() {
Set list = UserRole.findAllByUser(this).collect { it.role } as Set
def roles = new HashSet()
roles.addAll(list)
def newRoles = new HashSet()
list.each { role ->
role?.permissions?.each { permission ->
CustomAuthority customAuthority = new CustomAuthority("ROLE_PERMISSION_" + permission.name);
newRoles.add(customAuthority);
}
}
return newRoles
}

In this method, we are getting the different permissions from each role and assigning them to authority list.

Now, your permission based framework is configured.

It’s very powerful way to customize the roles in spring security, you don’t need to change the code when creating the role, you can customize roles based on permissions at run time.

Hope this blog will give you the idea to integrate the spring security with permissions.

FOUND THIS USEFUL? SHARE IT

comments (2)

  1. Mohit Post author

    Hi Ricardo,

    This problem is related to the org.springframework.security:spring-security-web:jar:3.2.0.RC1 jar file, Using grails 2.3.8 with spring-security-core:2.0-RC2, It’s not able to download the org.springframework.security:spring-security-web:jar:3.2.0.RC1 jar file from maven repository.

    Add following line in BuildConfig.groovy file:
    repositories {
    mavenRepo ‘http://repo.spring.io/milestone’
    }

    It’ll download org.springframework.security:spring-security-web:jar:3.2.0.RC1 this jar file and from this you will get the GrantAuthority class.

    If you are still facing any problem, please let me know.

    Thanks

    Reply
  2. Ricardo

    Good Article, thanks!

    I have a problem when trying to implement the CustomAuthority. It looks like my environment do not have a import org.springframework.security.core.GrantedAuthority.

    Do you have any idea what the problem might be?
    I’m using grails 2.3.8 and spring-security-core:2.0-RC2

    Reply

Leave a comment -