{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 该账号已被封号 的问题《Spring Security entity field level security》','https://www.manongdao.com/q-1321517.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a Spring MVC application which presents a view which shows all of the fields from a Customer entity such as name, address, phone number etc. The application has various roles such as ROLE_USER and ROLE_ADMIN. Users with ROLE_USER are only able to see the customer name where as users with ROLE_ADMIN can see all of the customer fields.
At the moment the way I have implemented this is with a Thymeleaf view which makes use of the SpringSecurityDialect to restrict access to certain fields based on the user's role:
<th:block sec:authorize="hasRole('ROLE_ADMIN')">
<div th:text="${customer.phoneNumber}" />
</th:block>
Whilst this works absolutely fine it doesn't feel right and it's difficult to test. I would like to write tests against the controller which call the controller method with a principal that has different roles such as testViewCustomerAsRoleAdmin and testViewCustomerAsRoleUser. This isn't possible to verify as the controller returns a Customer to the view which is fully populated and has every field accessible via the getters.
What I'm after is some sort of field level security at the entity level where I can make use of the Spring Security annotations:
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String getPhoneNumber()
{
return phoneNumber;
}
It would be ideal if this could then raise an AccessDeniedException when trying to access the field if the principal is not authorized.
The Jersey project seems to have this sort of concept which is mentioned here, here and an example here. It does however seem to be limited to role based security rather than the full SpEL support offered with @PreAuthorize
Is there any way or implementing this sort of thing with Spring Security, I know the security context or SpEL evaluation context is not available in entities as they are not Spring managed. If not, is there any other approach which might allow me to achieve the same thing?
EDIT:
I don't know the Spring Security framework inside out but it seems like something that might be able to be done using Spring AOP in ApectJ mode to instrument methods of domain (entity) classes. It would then be a case of getting hold of the AccessDecisionManager and passing along the authentication (presumably obtained from the SecurityContextHolder) along with the contents of the annotation on the domain class methods (if present). Does anyone have experience with doing this sort of thing?
I've managed to solve the problem using Spring AOP in AspectJ mode. The various Spring annotations such as
@Transactionaland@PreAuthorizewill work on any non-Spring managed classes if you enable AspectJ mode and perform either compile time or load time weaving, there is a very good example here: https://github.com/spring-projects/spring-security/tree/4.0.1.RELEASE/samples/aspectj-jcYou need to make sure you have the
spring-security-aspectsdependency in your project (or plugin if you're using compile-time weaving) to enable weaving of@Securedannotations. Despite the comment inAnnotationSecurityAspectwhich describes the class as:The class does actually weave the other Spring annotations including
@PreAuthorize,@PreFilter,@PostAuthorizeand@PostFilter.