{"id":3477,"date":"2011-04-06T16:16:05","date_gmt":"2011-04-06T10:46:05","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=3477"},"modified":"2016-12-16T13:01:19","modified_gmt":"2016-12-16T07:31:19","slug":"handling-instance-based-security","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/handling-instance-based-security\/","title":{"rendered":"Handling Instance Based Security"},"content":{"rendered":"

In my current project, we were required to implement Instance Based Security<\/strong>. The idea was to find a clean solution separate from the main business logic of the application. We took a clue from the Spring Security Plugin<\/strong> to use the Annotations<\/strong> to do our job. All we wanted to do was to develop annotations for actions, which could help to decide what type of access verification needs to be done on a particular request, inside some Filter. So we proceeded like this:<\/p>\n

We created an Abstract Class from which our User<\/strong> domain Class extended. All our Access Verifying functions would remain in this class. The class provides a single entry function (by the name evaluateExpression<\/strong>) to all other Access Verifying functions. This helped us to keep the Filter class clean. The Class looks like:<\/p>\n

[java]
\nabstract class MyAppSecure {<\/p>\n

public Boolean evaluateExpression(String methodName, Map params = [:]) {
\n this."$methodName"(params.id?.toLong())
\n }<\/p>\n

\/\/ One of the many functions to be used to verify valid access
\n public Boolean hasUserAccessById(Long id) {
\n return id ? (this.id == id.toLong()) : true
\n }<\/p>\n

}
\n[\/java]<\/p>\n

So our User domain class looks like:<\/p>\n

[java]
\nclass User extends MyAppSecure {<\/p>\n

}
\n[\/java]<\/p>\n

Now, the idea is to:<\/p>\n

    \n
  1. Intercept a request in the filter.<\/li>\n
  2. Get the annotation expression placed on top of the respective Controller Action. (The expression(s) would be name of the MyAppSecure<\/strong> method(s) used to verify the access)<\/li>\n
  3. Call a corresponding method in MyAppSecure<\/strong> to verify access<\/li>\n
  4. Take appropriate action corresponding to a result<\/li>\n<\/ol>\n

    So let us delve into the implementation:<\/p>\n

    First step would be to enable the annotations. To do this create an interface in src\/java (or you can do it in src\/groovy as well):<\/p>\n

    [java]
    \n@Documented
    \n@Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
    \n@Retention(RetentionPolicy.RUNTIME)
    \npublic @interface MySecured {
    \n String[] expressions();
    \n}
    \n[\/java]<\/p>\n

    Now we are good to go for using annotations. Let us assume an action edit<\/strong> inside AccountController<\/strong>:<\/p>\n

    [java]
    \nclass AccountController{<\/p>\n

    @MySecured(expressions = ["hasUserAccessToAccount"])
    \n def edit = {
    \n User user = params.id ? User.get(params.id) : user
    \n render(view: "edit", model: [user: user])
    \n }
    \n}<\/p>\n

    [\/java]<\/p>\n

    Note<\/strong>: We can also give multiple expressions (to evaluate multiple access rules), separated by\u00a0commas inside the list.<\/p>\n

    Now we need to implement a method by the name hasUserAccessToAccount<\/strong> in MyAppSecure:<\/p>\n

    [java]
    \nabstract class MyAppSecure {<\/p>\n

    public Boolean evaluateExpression(String methodName, Map params = [:]) {
    \n this."$methodName"(params)
    \n}<\/p>\n

    public Boolean hasUserAccessToAccount(Map params) {
    \n\/\/ SAMPLE LOGIC.
    \n Integer count = Account.createCriteria().get {
    \n projections {
    \n count("id")
    \n }
    \n eq(‘id’, params.id.toLong())
    \n eq(‘user’, this)
    \n }
    \n return (count > 0)
    \n }
    \n }
    \n}<\/p>\n

    [\/java]<\/p>\n

    We would also need some logic to get and parse annotations in MyAppSecure<\/strong>. We wrote something like this:<\/p>\n

    [java]
    \npublic Boolean hasAccess(Class controllerClazz, String actionName, Map params) { def field = controllerClazz.declaredFields.find {it.toString().indexOf(controllerClazz.name + ‘.’ + actionName) != -1}
    \n \/\/ get the annotation on a Controller action (account\/edit in our case)
    \n def securedAnnotation = field.getAnnotation(AdlSecured)
    \n return (securedAnnotation ? this.evaluateEveryExpression (params, securedAnnotation)
    \n }<\/p>\n

    \/\/ Evaluate every expression and combine the result using AND (or we can use OR as well)
    \n private Boolean evaluateEveryExpression(Map params, def securedAnnotation) {
    \n Boolean hasAccess = securedAnnotation.expressions().every {String securedExpression ->
    \n this.hasAccessForExpression(securedExpression, params)
    \n }
    \n return hasAccess
    \n }<\/p>\n

    \/\/Evaluate expression
    \n private Boolean hasAccessForExpression(String expressionToBeEvaluated, Map params) {
    \n return this.evaluateExpression(expressionToBeEvaluated, params)
    \n }<\/p>\n

    [\/java]<\/p>\n

    Now in you Filter<\/strong> you can write something like this:<\/p>\n

    [java]
    \nmySecureFilter(controller: "*", action: "*") {
    \n before = {
    \n User user = someSecurityService.currentUser
    \n if (user) {
    \n \/\/ gets the controller class for a controllerName
    \n Class controllerClazz = getControllerClass(controllerName)<\/p>\n

    if (!user.hasAccess(controllerClazz, actionName, params)) {
    \n redirect(controller: ‘accessController’, action: ‘unauthorized’)
    \n }
    \n }
    \n return false
    \n }
    \n }
    \n[\/java]<\/p>\n

    That is all that we need to do. I hope you would find this useful. Any suggestions will be welcomed.<\/p>\n","protected":false},"excerpt":{"rendered":"

    In my current project, we were required to implement Instance Based Security. The idea was to find a clean solution separate from the main business logic of the application. We took a clue from the Spring Security Plugin to use the Annotations to do our job. All we wanted to do was to develop annotations […]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":4},"categories":[7],"tags":[521,4840,227,9],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/3477"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=3477"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/3477\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=3477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=3477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=3477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}