Lesson 29 - Using permissions

WEB/Security

Lesson 29 - Using permissions

Tony Lim 2022. 5. 20. 14:28

728x90

permission can provide complex authorization rules

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ProjectConfig extends GlobalMethodSecurityConfiguration {

  @Bean
  public UserDetailsService uds () {
    var uds = new InMemoryUserDetailsManager();

    var u1 =
        User.withUsername("john")
            .password("12345")
            .authorities("read")
        .build();

    var u2 =
        User.withUsername("bill")
            .password("12345")
            .authorities("write")
            .build();

    uds.createUser(u1);
    uds.createUser(u2);

    return uds;
  }

  @Bean
  public PasswordEncoder passwordEncoder() {
    return NoOpPasswordEncoder.getInstance();
  }

  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    var meh = new DefaultMethodSecurityExpressionHandler();
    meh.setPermissionEvaluator(permissionEvaluator());
    return meh;
  }

  private PermissionEvaluator permissionEvaluator() {
    return new DocumentPermissionEvaluator();
  }
}

public class DocumentPermissionEvaluator implements PermissionEvaluator {

  @Override
  public boolean hasPermission(Authentication authentication,
                               Object targetObject,
                               Object permission) {
    List<Document> returnedList = (List<Document>) targetObject;
    String username = authentication.getName();
    String auth = (String) permission;

    boolean docsBelongToTheAuthUser =returnedList.stream()
        .allMatch(d -> d.getUser().equals(username));

    boolean hasProperAuthority = authentication.getAuthorities().stream()
        .anyMatch(g -> g.getAuthority().equals(auth));

    return docsBelongToTheAuthUser && hasProperAuthority;
  }

  @Override
  public boolean hasPermission(Authentication authentication,
                               Serializable targetID,
                               String type,
                               Object permission) {
    return false;
  }
}

@Service
public class DocumentService {

  @PostAuthorize("hasPermission(returnObject, 'read')")
  public List<Document> findDocuments(String username) {
    var doc = new Document();
    doc.setUser("john");
    doc.setText("TEXT");
    return List.of(doc);
  }
}

if 2 parameter given -> user first overloaded hasPermission method

3 parameter given -> second hasPermission method

728x90

저작자표시

'WEB > Security' 카테고리의 다른 글

앱 설명 (0)	2022.06.08
Lesson 33,34 - Integration testing for Spring Security implementations - Part 1,2 (0)	2022.05.22
Lesson 27 - Method authorization configurations (0)	2022.05.16
Lesson 26 - Endpoint authorization rules for an OAuth 2 resource server (0)	2022.05.14
Lesson 24,25 - Authorities, Roles and Matcher methods (mvc,ant) (0)	2022.05.14

현재글Lesson 29 - Using permissions

250x250

Algorithm, Interval Scheduling, Median Find, 람다, 파일입출력, Matrix Mutilply, JPA, Quicksort, fft, spring, Linux, systemd, 오블완, 영속성, Text Justification, 날짜시간, Weighted Interval Scheduling, 메소드 참조, 티스토리챌린지, 자바8,

Today :
Yesterday :

관심있는것들

Lesson 29 - Using permissions

'WEB > Security' 카테고리의 다른 글

'WEB/Security'의 다른글

티스토리툴바

« 2024/11 »
일	월	화	수	목	금	토
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

Lesson 29 - Using permissions

'WEB > Security' 카테고리의 다른 글

'WEB/Security'의 다른글

관련글

티스토리툴바