Separating Roles and Permissions in Spring Security
JavaBeat
Krishna Srinivasan
Spring Framework
1/19/2016
Introduction
The goal behind separating roles and permissions is to avoid embedding security policy decisions in the code. Such decisions should be set at runtime since they vary across customers, they vary over time, and sometimes they need to be changed immediately (for example, in response to a security breach).
Example
Consider, for example, the difference between this
rule:
public long
And this one:
public long
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/
by default.
That's annotation-based configuration. To try out the security annotations, try the following:
1. Start up the application and click the forums link. Spring Security will force a login because the call to getForums() requires the PERM_READ_FORUMS permission.
2. Log in as user daniel/p@ssword. He has just the student role.
3. Go into one of the forums and try to block a message. You should get an error message in a dialog box because the ForumServiceImpl.setMessageVisible() method requires the PERM_ADMIN_MESSAGES permission, which the student role does not have.
4. Try the same thing with editing and deleting messages. You'll be able to get the edit page and the delete confirm box, but there will be an error message when you try to actually save the edit or confirm the deletion, because the student role doesn't have the required PERM_UPDATE_MESSAGES and PERM_DELETE_MESSAGES permissions.
5. Log out, and then log back in under juan/p@ssword. User juan has the admin role. Try the same operations. You should be able to execute all of them, because the admin role has the required permissions.
Summary
We created authorization rules and applied them to Java methods. We showed you why we used a hasRole() predicate to check for a permission, since roles and permissions aren't the same thing. A role typically entails a set of permissions. The release engineer role, for example, might have permission to deploy software packages to servers.
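The pattern behind the try-out steps and the summary above, written out as an added example (it is not code from the article or from the forum application it describes): the role-to-permission mapping is loaded as data when a user logs in, so the service layer is annotated with permission names only and the mapping can be changed without a redeploy. It assumes Spring Security 5 or later on Java 11; the package, the class names, the sample users, the role and permission tables, and the in-memory message store are all constructed for illustration. One caveat for anyone porting the article's hasRole('PERM_...') expressions: from Spring Security 4 on, hasRole() silently prepends ROLE_, so a permission authority must be checked with hasAuthority() as below.

```java
package net.javabeat.example; // hypothetical package, not the article's

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Loads a user and expands the roles they hold into the permissions those
 * roles entail. The GrantedAuthority list therefore carries permissions, and
 * service methods are guarded by permission names only. Which role grants
 * which permission is data, not code.
 */
public class PermissionResolvingUserDetailsService implements UserDetailsService {

    // Constructed sample data standing in for a users/roles table.
    private static final Map<String, List<String>> USER_ROLES = Map.of(
            "daniel", List.of("ROLE_STUDENT"),
            "juan", List.of("ROLE_ADMIN"));

    // Constructed sample data standing in for a roles/permissions table.
    // Removing PERM_DELETE_MESSAGES from ROLE_ADMIN here (or in the real table)
    // takes effect at the next login with no code change.
    private static final Map<String, List<String>> ROLE_PERMISSIONS = Map.of(
            "ROLE_STUDENT", List.of("PERM_READ_FORUMS"),
            "ROLE_ADMIN", List.of("PERM_READ_FORUMS", "PERM_ADMIN_MESSAGES",
                    "PERM_UPDATE_MESSAGES", "PERM_DELETE_MESSAGES"));

    // "{noop}" tells the default DelegatingPasswordEncoder this sample password
    // is unencoded; a real table stores bcrypt (or similar) hashes.
    private static final String SAMPLE_PASSWORD = "{noop}p@ssword";

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<String> roles = USER_ROLES.get(username);
        if (roles == null) {
            throw new UsernameNotFoundException("unknown user: " + username);
        }
        return User.withUsername(username)
                .password(SAMPLE_PASSWORD)
                .authorities(authoritiesFor(roles))
                .build();
    }

    /** Expands roles into authorities: each role plus every permission it entails. */
    static List<GrantedAuthority> authoritiesFor(List<String> roles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
            for (String permission : ROLE_PERMISSIONS.getOrDefault(role, List.of())) {
                authorities.add(new SimpleGrantedAuthority(permission));
            }
        }
        return authorities;
    }
}

/**
 * Hypothetical service guarded by permissions. hasAuthority() matches the
 * authority name literally, whereas hasRole('PERM_READ_FORUMS') would look
 * for ROLE_PERM_READ_FORUMS in Spring Security 4 and later.
 */
class ForumService {

    // Constructed in-memory store: message id -> visible flag.
    private final Map<Long, Boolean> messageVisibility = new HashMap<>(Map.of(1L, true, 2L, true));

    @PreAuthorize("hasAuthority('PERM_READ_FORUMS')")
    public List<String> getForums() {
        return List.of("general", "homework"); // constructed sample forums
    }

    // daniel (ROLE_STUDENT) gets an AccessDeniedException here; juan (ROLE_ADMIN) succeeds.
    @PreAuthorize("hasAuthority('PERM_ADMIN_MESSAGES')")
    public void setMessageVisible(long messageId, boolean visible) {
        if (!messageVisibility.containsKey(messageId)) {
            throw new IllegalArgumentException("no such message: " + messageId);
        }
        messageVisibility.put(messageId, visible);
    }

    @PreAuthorize("hasAuthority('PERM_DELETE_MESSAGES')")
    public boolean deleteMessage(long messageId) {
        return messageVisibility.remove(messageId) != null;
    }
}
```

The @PreAuthorize checks only fire when method security is enabled on a configuration class (@EnableGlobalMethodSecurity(prePostEnabled = true), or @EnableMethodSecurity from Spring Security 5.6 on) and the service is invoked through its Spring proxy, not via a direct `new ForumService()` call; a self-invocation inside the class bypasses the check. Keeping the role itself in the authority list lets view code still ask hasRole('ADMIN') for menu decisions while all enforcement on the service layer stays permission-based.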
julius says:
November 9, 2012 at 9:30
rayman says:
October 22, 2013 at 1:17
Hi,
Do you have a solution for defining permissions with LDAP? This way I'll be able to use our LDAP with Spring Security within the roles and permissions context.
satheesh says:
October 17, 2015 at 8:42
2016 JavaBeat