Spring Authorization

1. Difference between spring authorization and spring security ?
2. Need few samples or code snippets to understand spring authorization.
3. Assume need to authorize every user action and not sure how to do it?
Software Programmer asked:

mccarl (IT Business Systems Analyst / Software Developer) commented:
1) "Spring Authorization" is not really a thing. Spring Security does authorization as part of what it does; it is just one of its functions.
2) Due to the above, look at pretty much any Spring Security sample and you will see how it does authorization.
3) The samples show this. Authorizing all user actions (but possibly slightly differently for each action) is pretty much standard functionality, so the samples will also show this.
0
Software Programmer (author) commented:
Can you please help me with some good links for reference to achieve this?
0
girionis commented:
Spring authorisation is part of Spring Security. You use Spring security to authorise and authenticate users.

Here is a good tutorial to start on spring security.
0

Software Programmer (author) commented:
We have custom data tables, and they have a different structure. I want to authorize a user based on some conditions. I think AccessDecisionVoter should be implemented in this case, but I am not sure. Can you please help me with some custom authorization code via AccessDecisionVoter? Please help me; a tutorial won't be helpful in this.
0
girionis commented:
"I want to authorize a user based on some conditions. I think AccessDecisionVoter should be implemented in this case, but I am not sure."

What conditions are they? If they are not very specialised you do not need an AccessDecisionVoter. You simply need to extend a WebSecurityConfigurerAdapter and in your configAuthentication method query the database for the user.
0
Software Programmer (author) commented:
We have tables as follows: a group table. Each group (or a single group) may have entries like the following, and the corresponding rows will be inserted into the tables:

User        Module    Permissions
Sales Rep   Sales     Read
Admin       Sales     Read, Write, Delete
Order Rep   Order     Read, Write
Admin       Order     Read, Write, Delete

One user can be associated with ONLY ONE group.

Now, when the user accesses sales or order or any action, we need to authorize it after login.

I thought of AccessDecisionVoter.

Please suggest whether AccessDecisionVoter (OR) WebSecurityConfigurerAdapter -> configAuthentication method, whichever is most suitable for this.

Also, kindly help me with code snippet to proceed for any of the above. Any code snippet would be helpful.
0
girionis commented:
"One user can be associated with ONLY ONE group."

I am not sure what you mean here. I can see Users associated with more than one module.
0
Software Programmer (author) commented:
User Table -> User Details + One Group Gkey
Module Table -> Module Details
Permission Table -> Permission Details
Group Table -> Group Details
Group Module Permission Table -> Association Table where the rows will be as follows

Group Gkey + Module Gkey + Permission Gkey
0
girionis commented:
I would go with WebSecurityConfigurerAdapter + configAuthentication. For source code, have a look at the link I posted in my first comment.
0
Software Programmer (author) commented:
Authentication differs from Authorization. Is that right? Can we do Authorization inside configAuthentication?
0
girionis commented:
Yes, you can. If you look at the link I posted, it shows how to restrict access to protected resources.
0
Software Programmer (author) commented:
I don't see any link... Can you re-post the link?
0
girionis commented:
I have posted a link in this comment:

https://www.experts-exchange.com/questions/29088205/Spring-Authorization.html#a42494686

The fact that you don't see the link probably means that you don't read my comments carefully.
0
Software Programmer (author) commented:
This is a generic tutorial, and it is hard to understand the authorization part from it.
0
girionis commented:
It's not a generic tutorial, it actually shows you how to do authorization:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .permitAll();
}

0
Software Programmer (author) commented:
The above code shows about Authentication and not Authorization.
0
girionis commented:
It shows authorisation and authentication in the same example. You mistake it for only authentication because all authenticated users are authorised to view the /hello page. This code

.authorizeRequests()
    .antMatchers("/", "/home").permitAll()
    .anyRequest().authenticated()

means that

1) The /home page can be viewed by everyone (no authentication is required)
2) The /hello page is only accessible by authenticated and authorised users with the role of USER.
3) The line .anyRequest().authenticated() means that any request that has not been matched yet should be authenticated first.

You can extend this example for specific resources:

.authorizeRequests()
    .antMatchers("/", "/home").permitAll()
    .antMatchers("/admin/**").hasRole("Admin")
    .antMatchers("/sales/**").access("hasRole('Admin') or hasRole('Sales Rep')")
    .antMatchers("/order/**").access("hasRole('Admin') or hasRole('Order Rep')")
    .anyRequest().authenticated()

0
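The role-per-path matchers above authorize by group name. The asker's schema (User -> Group, and a Group/Module/Permission association table) also supports authorizing each action by the permission the group actually holds, which is closer to "authorize every user action" and does not need a custom AccessDecisionVoter. The following is an added example written for this thread, not code from the thread or from the Spring Security project. It assumes a hypothetical DAO (GroupPermissionDao, AppUserRecord) over those tables; the method names are invented for the illustration, and the configuration uses the Spring Security 5.x WebSecurityConfigurerAdapter style discussed in the thread.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical DAO over the asker's tables (assumed names, not a real API).
// One user row carries exactly one group key, matching "ONLY ONE group".
interface AppUserRecord { String username(); String passwordHash(); long groupGkey(); }
interface GroupPermissionDao {
    AppUserRecord findUser(String username);
    /** Rows of the Group-Module-Permission table for one group, as (moduleName, permissionName). */
    List<String[]> findModulePermissions(long groupGkey);
}

/** Loads the user and turns the group's module/permission rows into authorities such as "SALES_READ". */
class GroupUserDetailsService implements UserDetailsService {
    private final GroupPermissionDao dao;
    GroupUserDetailsService(GroupPermissionDao dao) { this.dao = dao; }

    /** "Sales" + "Read" -> "SALES_READ"; spaces become underscores so "Order Rep"-style names stay valid. */
    static String authorityFor(String module, String permission) {
        return (module + "_" + permission).toUpperCase(Locale.ROOT).replace(' ', '_');
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        AppUserRecord rec = dao.findUser(username);
        if (rec == null) throw new UsernameNotFoundException(username);
        List<GrantedAuthority> auths = new ArrayList<>();
        for (String[] row : dao.findModulePermissions(rec.groupGkey())) {
            auths.add(new SimpleGrantedAuthority(authorityFor(row[0], row[1])));
        }
        return new User(rec.username(), rec.passwordHash(), auths);
    }
}

@EnableWebSecurity
class ModulePermissionSecurityConfig extends WebSecurityConfigurerAdapter {
    private final GroupPermissionDao dao;
    ModulePermissionSecurityConfig(GroupPermissionDao dao) { this.dao = dao; }

    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    // Authentication: who the user is, resolved from the custom tables.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new GroupUserDetailsService(dao)).passwordEncoder(passwordEncoder());
    }

    // Authorization: which action on which module the user's group permits.
    // The HTTP method stands in for the action; unmatched requests are denied by default.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers(HttpMethod.GET, "/sales/**").hasAuthority("SALES_READ")
                .antMatchers(HttpMethod.POST, "/sales/**").hasAuthority("SALES_WRITE")
                .antMatchers(HttpMethod.PUT, "/sales/**").hasAuthority("SALES_WRITE")
                .antMatchers(HttpMethod.DELETE, "/sales/**").hasAuthority("SALES_DELETE")
                .antMatchers(HttpMethod.GET, "/order/**").hasAuthority("ORDER_READ")
                .antMatchers(HttpMethod.POST, "/order/**").hasAuthority("ORDER_WRITE")
                .antMatchers(HttpMethod.PUT, "/order/**").hasAuthority("ORDER_WRITE")
                .antMatchers(HttpMethod.DELETE, "/order/**").hasAuthority("ORDER_DELETE")
                .anyRequest().denyAll()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}
```

With the table from the thread, a "Sales Rep" login ends up with only SALES_READ, so a DELETE on /sales/... is refused (403) while a GET succeeds; an "Admin" login carries all six authorities. Because authorities are derived from the rows, adding a new module or permission row changes what a group may do without touching the Java configuration, and the final denyAll means any URL not explicitly mapped is refused rather than silently allowed to every authenticated user.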
Question has a verified solution.