Spring Security - Annotation Based Method level Security Handler

Introduction

Spring Security 3, apart from securing URLs based on privilege, i.e. roles (the basic authorization process),
also provides ample scope for implementing method level security with annotations at the business layer, thus ensuring that no unauthorized calls are made to the methods of that layer. Method level security is implemented with the help of Spring-managed AOP,
which recognizes, evaluates and secures method invocations. The basic flow can be described as follows:
• The Spring AOP runtime intercepts calls to the methods of interest by implementing
aspects with the help of MethodSecurityInterceptor.

• The MethodSecurityInterceptor makes the authorization decision with the help of the AccessDecisionManager
and the AccessDecisionVoters registered with it.

Generic Configuration Details

AOP proxying is not invoked for all Spring-managed beans by default.
Declaring <global-method-security> in the Spring Security configuration results in the
registration of a BeanPostProcessor that introspects the AOP configuration to see whether any AOP advisors indicate that proxying is required.
This workflow is standard Spring AOP handling known as AOP auto-proxying.
The auto-proxying functionality queries all registered PointcutAdvisors to see whether
there are AOP pointcuts that resolve to method invocations which should have AOP advice applied; here the pointcuts
are identified by annotations (like @PreAuthorize and @PostAuthorize).
Depending on the number of Spring beans configured in your application
and the number of secured method annotations,
adding method security proxying may increase the application context initialization
time, but once the Spring context is initialized there is negligible performance impact on the individual proxied beans.

This is, in short, the underlying mechanism for implementing
method level security as provided by Spring Security 3.2. We are going to use this architecture to create a custom label which we can use in
our annotation based method level security handler. The labels currently supported by the Spring Security framework include hasIpAddress, hasPermission etc.
Say the name of our label is isSichern, and we are going to implement a preAuthorize filter with it,
i.e. the expression evaluation will happen before method execution. Only if the expression evaluates to true will the method
be executed; otherwise an Access Denied exception is thrown. The whole expression will look like:
“ @PreAuthorize("isSichern('<>','<>','<>')") ”
With the above annotation in action, whenever a method annotated with it is invoked,
the registered PriviledgeEvaluator performs the business security validations for the parameters passed along with
isSichern, and the authorization decision is taken based on that. The basic configuration part consists of:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Enables @PreAuthorize/@PostAuthorize processing and routes SpEL evaluation through our handler -->
    <security:global-method-security pre-post-annotations="enabled">
        <security:expression-handler ref="defaultExpressionHandler"/>
    </security:global-method-security>

    <!-- Custom expression handler that adds the isSichern(...) label next to the built-in hasPermission etc. -->
    <bean id="defaultExpressionHandler" class="org.springSecurity.methodhandler.CustomMethodSecurityExpressionHandler">
        <property name="permissionEvaluator">
            <bean autowire="constructor" class="org.springSecurity.methodhandler.DefaultPermissionEvaluator"/>
        </property>
        <property name="priviledgeEvaluator" ref="priviledgeEvaluator"/>
    </bean>

    <!-- Evaluator that performs the business validation for the three isSichern arguments -->
    <bean id="priviledgeEvaluator" class="org.springSecurity.methodhandler.CustomPriviledgeEvaluator"/>
</beans>
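The post defers the handler code to a later article, so the following Java is an added example (not the blog's code) of how the beans referenced in the configuration above could be implemented against Spring Security 3.2. The real framework classes used are DefaultMethodSecurityExpressionHandler, SecurityExpressionRoot and MethodSecurityExpressionOperations; everything else is assumed: a PriviledgeEvaluator interface with a single isSichern method, a CustomPriviledgeEvaluator that grants access only when the caller holds an authority named "<resource>_<action>_<scope>", and an OrderService bean whose annotation arguments are constructed sample values.

```java
package org.springSecurity.methodhandler; // package taken from the bean definitions above

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Assumed contract for the business rule behind the isSichern() label (not the blog's interface). */
interface PriviledgeEvaluator {
    boolean isSichern(Authentication auth, String resource, String action, String scope);
}

/** Assumed implementation: passes only if the caller holds the authority "<resource>_<action>_<scope>". */
class CustomPriviledgeEvaluator implements PriviledgeEvaluator {
    public boolean isSichern(Authentication auth, String resource, String action, String scope) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;                               // unauthenticated callers never pass
        }
        String required = resource + "_" + action + "_" + scope;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (required.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;                                   // deny by default
    }
}

/** Expression root that exposes isSichern(...) to SpEL alongside the built-in hasRole(), hasPermission() etc. */
class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private final PriviledgeEvaluator priviledgeEvaluator;
    private Object filterObject;
    private Object returnObject;
    private Object target;

    CustomMethodSecurityExpressionRoot(Authentication authentication, PriviledgeEvaluator evaluator) {
        super(authentication);
        this.priviledgeEvaluator = evaluator;
    }

    /** Invoked by SpEL for @PreAuthorize("isSichern('a','b','c')"); the authentication comes from the parent root. */
    public boolean isSichern(String resource, String action, String scope) {
        return priviledgeEvaluator.isSichern(authentication, resource, action, scope);
    }

    // Plumbing required by MethodSecurityExpressionOperations for @PreFilter/@PostFilter/@PostAuthorize
    public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
    public Object getFilterObject() { return filterObject; }
    public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
    public Object getReturnObject() { return returnObject; }
    public void setThis(Object target) { this.target = target; }
    public Object getThis() { return target; }
}

/** The class named by the defaultExpressionHandler bean: swaps in the custom root for every evaluation. */
public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private PriviledgeEvaluator priviledgeEvaluator;

    /** Matches <property name="priviledgeEvaluator" ref="priviledgeEvaluator"/> in the XML. */
    public void setPriviledgeEvaluator(PriviledgeEvaluator priviledgeEvaluator) {
        this.priviledgeEvaluator = priviledgeEvaluator;
    }

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
                                                                              MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication, priviledgeEvaluator);
        root.setThis(invocation.getThis());
        root.setPermissionEvaluator(getPermissionEvaluator());      // keeps hasPermission() working
        root.setTrustResolver(new AuthenticationTrustResolverImpl()); // keeps isAnonymous()/isFullyAuthenticated() working
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}

/** Constructed example of a secured business bean; the AOP proxy evaluates isSichern before the body runs. */
class OrderService {
    @PreAuthorize("isSichern('ORDER','READ','EU')")
    public String readOrder(String id) {
        return "order " + id;                           // reached only when the evaluator returned true
    }
}
```

Two points worth checking when wiring this up: the advice only fires on calls that go through the Spring proxy, so a method calling another annotated method on the same object (self-invocation) bypasses the check; and a class-based bean such as OrderService, which implements no interface, needs proxy-target-class="true" on <security:global-method-security> (or an interface to proxy), otherwise the annotation is silently never applied. Both cases are worth covering with a test that asserts AccessDeniedException for a caller lacking the authority.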


I will discuss the remaining custom configuration details along with the code in my next post. Till then, happy coding.
