Spring Security permissionEvaluator not invoked


I’m trying to use my own PermissionEvaluator, but Spring is not recognizing or invoking my configuration.

My current situation:

package com.brunorozendo.security;

import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/**
 * Stub {@link PermissionEvaluator} that answers every permission check with {@code true}.
 *
 * <p>It carries no authorization logic: the authentication, the target and the requested
 * permission are all ignored. That makes it usable only for checking that the evaluator is
 * wired in; a real implementation has to decide from its arguments and refuse anything it
 * does not explicitly recognise.
 */
public class BasePermissionEvaluator implements PermissionEvaluator {

    /** Result handed back by both overloads; nothing is ever denied. */
    private static final boolean ALWAYS_GRANTED = true;

    /**
     * Answers a permission check made against a domain object instance.
     *
     * @param authentication the caller's authentication (ignored)
     * @param targetDomainObject the object being protected (ignored)
     * @param permission the permission being requested (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean hasPermission(
            Authentication authentication, Object targetDomainObject, Object permission) {
        return ALWAYS_GRANTED;
    }

    /**
     * Answers a permission check made against an object identified by id and type.
     *
     * @param authentication the caller's authentication (ignored)
     * @param targetId identifier of the protected object (ignored)
     * @param targetType type name of the protected object (ignored)
     * @param permission the permission being requested (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean hasPermission(
            Authentication authentication,
            Serializable targetId,
            String targetType,
            Object permission) {
        return ALWAYS_GRANTED;
    }

}

web.xml

<!-- Spring MVC: a single DispatcherServlet named "spring", mapped to "/" -->
<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<!-- End Spring MVC -->
<!-- Spring Security -->
<!-- contextConfigLocation lists the files that ContextLoaderListener (declared below) loads
     into the root application context: the datasource file and the security file. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security-datasource.xml
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>
<!-- DelegatingFilterProxy delegates to the bean whose name equals the filter name
     (springSecurityFilterChain); the /* mapping sends every request through it. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- End Spring Security -->

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>  

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans   http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
                           http://www.springframework.org/schema/mvc     http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">  


    <!-- Registers annotated components found under com.brunorozendo.
         NOTE(review): web.xml lists only the datasource and security files in contextConfigLocation,
         so this file is presumably loaded by the DispatcherServlet; confirm which context owns
         the scanned beans, since method security is declared in the security file. -->
    <context:component-scan  base-package="com.brunorozendo" />

    <!-- Enables annotation-driven Spring MVC controllers. -->
    <mvc:annotation-driven />

    <!-- Resolves view names to JSPs under /WEB-INF/jsp/. -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">  
        <property name="prefix" value="/WEB-INF/jsp/" />  
        <property name="suffix" value=".jsp" />  
    </bean>  
</beans>

spring-security.xml

<?xml version="1.0"  encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans    http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
                             http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">



    <!-- Turns on Spring Security's debug output for incoming requests. That output can include
         request details such as headers and parameters, so keep this element out of
         production configuration. -->
    <debug />

    <!-- Access expressions inside this element are evaluated by the web expression handler.
         No expression-handler child is declared here, so the custom permission evaluator
         defined further down in this file is not used for them. -->
    <http auto-config="true" use-expressions="true">


        <!-- "isAnonymous() or isAuthenticated()" holds for anonymous and signed-in callers alike,
             so this rule does not restrict any URL.
             NOTE(review): access control then rests on method-level annotations; confirm that is intended. -->
        <intercept-url pattern="/**" access="isAnonymous() or isAuthenticated()" />


        <!-- Form login: custom login page, credentials posted to /authenticate,
             always redirected to "/" after a successful login. -->
        <form-login 
            login-page="/login"
            always-use-default-target="true" 
            default-target-url="/"
            authentication-failure-url="/login?login_error=1"
            login-processing-url="/authenticate" />

        <logout/>

        <!-- Remember-me with the namespace defaults (no attributes set). -->
        <remember-me />

    </http>

    <!-- Custom evaluator that backs hasPermission(...) in security expressions. -->
    <b:bean id="basePermissionEvaluator" class="com.brunorozendo.security.BasePermissionEvaluator"/>

    <!-- Expression handler for method security only. It is not consulted for the access
         expressions of the http element, which use a separate web expression handler. -->
    <b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="basePermissionEvaluator"/>
    </b:bean>

    <!-- Enables the pre/post annotations (@PreAuthorize, @PostAuthorize, ...) and evaluates
         them with the handler above.
         NOTE(review): this applies to beans of the application context that loads this file;
         if the annotated beans are created by the DispatcherServlet's own context, confirm
         they are actually covered. -->
    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler"/>
    </global-method-security>


    <!-- JDBC-backed user lookup. Each of the three queries takes the username through a single
         "?" placeholder rather than string concatenation.
         users-by-username-query returns the username, HEXTORAW(u.tx_pass) and a constant true.
         No password-encoder child is declared in this authentication-provider.
         NOTE(review): confirm how tx_pass is stored and that passwords are compared through
         a proper password encoder rather than as plain values. -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service 

                data-source-ref="dataSourceName" 

                authorities-by-username-query=" select 
                                                    u.tx_username, 
                                                    p.tx_perfil
                                                from 
                                                    tb_user u
                                                inner join 
                                                    tb_user_tb_perfil up 
                                                ON 
                                                    u.id_user = up.id_user
                                                inner join 
                                                    tb_perfil p 
                                                ON 
                                                    up.id_perfil = p.id_perfil
                                                where 
                                                u.tx_username = ?"

                users-by-username-query="select 
                                            u.tx_username, 
                                            HEXTORAW(u.tx_pass) as tx_pass, 
                                            true 
                                        from tb_user u 
                                        WHERE 
                                        u.tx_username = ?" 


                group-authorities-by-username-query = " select 
                                                            p.id_perfil, 
                                                            p.tx_perfil,
                                                            pm.tx_permission
                                                        from 
                                                            tb_permission pm
                                                        inner join 
                                                            tb_permission_tb_perfil pb 
                                                            ON  pb.id_permission = pm.id_permission
                                                        inner join
                                                            tb_perfil p
                                                            ON p.id_perfil = pb.id_perfil
                                                        inner join 
                                                            tb_user_tb_perfil up
                                                            ON up.id_perfil = p.id_perfil
                                                        inner join 
                                                            tb_user u
                                                            ON u.id_user = up.id_user
                                                        where 
                                                            u.tx_username = ?" />


        </authentication-provider>
    </authentication-manager>

</b:beans>

spring-security-datasource.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans  xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- The DataSource referenced by jdbc-user-service is obtained through a JNDI lookup
         (java:comp/env/jdbc/h2db), so no connection settings appear in this file. -->
    <bean id="dataSourceName" class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName">
            <value>java:comp/env/jdbc/h2db</value>
        </property>
    </bean>     
</beans>

1 answer


After a lot of reading, I arrived at this:

spring-security.xml

<!-- Web-layer expressions are evaluated by the handler referenced inside this element,
     so the custom evaluator now applies to them as well. -->
<http auto-config="true" use-expressions="true">

    <expression-handler ref="expressionHandlerWeb" />

</http>



<!-- One evaluator instance shared by both handlers below.
     NOTE(review): the class name here is spring.security.BasePermissionEvaluator, while the
     question declares the class in com.brunorozendo.security; use the package the class really lives in. -->
<b:bean id="permissionEvaluator" class="spring.security.BasePermissionEvaluator"/>

<!-- Handler for method-level expressions (pre/post annotations). -->
<b:bean id="expressionHandlerMethod" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>
<!-- Handler for web-level expressions used by the http element. -->
<b:bean id="expressionHandlerWeb" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>


<!-- Method security keeps its own handler; the two layers are configured independently. -->
<global-method-security pre-post-annotations="enabled">
    <expression-handler ref="expressionHandlerMethod"/>
</global-method-security>
