The ROLE_ prefix plays a special 'role' in spring security since it is prepended to GrantedAuthority name by default. While different XXXAuthoritiesPopulator (as extending DefaultLdapAuthoritiesPopulator) expose a property that can be changed through spring configuration (for instance) this will not help very much since the constant is used as a default value (added as a prefix if not already present in role name!) in many related authorization functionalities (like voters) so getting rid of it is not a trivial task. For example:
<security:intercept-url pattern="/faces/auth/admin/**" access="Admins"/>
will actually check for ROLE_Admins.
Seraching for rolePrefix\s+=\s+"ROLE_";
regex in spring security (4.0.0.RELEASE) will return 10 hits (in 10 different java files):
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\config\src\main\java\org\springframework\security\config\annotation\authentication\configurers\ldap\LdapAuthenticationProviderConfigurer.java (1 hit)
Line 61: private String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\core\src\main\java\org\springframework\security\access\annotation\Jsr250MethodSecurityMetadataSource.java (1 hit)
Line 41: private String defaultRolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\core\src\main\java\org\springframework\security\access\expression\method\DefaultMethodSecurityExpressionHandler.java (1 hit)
Line 43: private String defaultRolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\core\src\main\java\org\springframework\security\access\expression\SecurityExpressionRoot.java (1 hit)
Line 26: private String defaultRolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\core\src\main\java\org\springframework\security\access\intercept\RunAsManagerImpl.java (1 hit)
Line 60: private String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\core\src\main\java\org\springframework\security\access\vote\RoleVoter.java (1 hit)
Line 55: private String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\ldap\src\main\java\org\springframework\security\ldap\userdetails\DefaultLdapAuthoritiesPopulator.java (1 hit)
Line 143: private String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\ldap\src\main\java\org\springframework\security\ldap\userdetails\LdapUserDetailsManager.java (1 hit)
Line 95: private final String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\ldap\src\main\java\org\springframework\security\ldap\userdetails\LdapUserDetailsMapper.java (1 hit)
Line 43: private String rolePrefix = "ROLE_";
D:\Java\Spring\4.0\spring-security-rb4.0.0.RELEASE\web\src\main\java\org\springframework\security\web\access\expression\DefaultWebSecurityExpressionHandler.java (1 hit)
Line 22: private String defaultRolePrefix = "ROLE_";
The Conceptual Problem
As specified in JAVA EE 7 tutorial the recommended (simplified) approach for defining authorization policies is as follows (47.5 Working with Realms, Users, Groups, and Roles):
Realm->Groups->Map Groups to Roles->Use Roles in defining authorization rules.
Unfortunately spring security does not implement this pattern (by mapping automatically a Group to ROLE_Group) which might lead to deployment problems in real life environments. Imagine a potential client for your product that already has a well established policy for group membership and is not willing to enrich (and duplicate) existing AD structure just to accommodate your product Roles requirements!
The Real-Life Problem
Suppose you already have an application that uses restriction policies based on roles and you want to switch to spring security. The chance to have roles used by the application called as ROLE_XXX is minimal so that you will not be able to use out of the box functionality provided by spring security. Please notice that you application might use role based authorization (apart from spring intercept-url
type rules, for instance) in other parts like menu entries visibility, code access, different processing rules, data restriction, etc.
The Solution
Supposing we use org.springframework.security.ldap.authentication.LdapAuthenticationProvider
extend the XXXAuthoritiesPopulator
specified as a constructor argument:
package ro.mycompany.springsecurity.extensions;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.NestedLdapAuthoritiesPopulator;
public class NestedLdapAuthoritiesPopulatorEx extends NestedLdapAuthoritiesPopulator {
public NestedLdapAuthoritiesPopulatorEx(ContextSource contextSource, String groupSearchBase) {
super(contextSource, groupSearchBase);
}
private GroupsToRoles groupsToRoles;
@Override
public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
Collection<GrantedAuthority> rga=groupsToRoles.getReachableGrantedAuthorities(authorities);
Set<GrantedAuthority> ret=new HashSet<>();
ret.addAll(rga);
//return authorities;
return ret;
}
public GroupsToRoles getGroupsToRoles() {
return groupsToRoles;
}
public void setGroupsToRoles(GroupsToRoles groupsToRoles) {
this.groupsToRoles = groupsToRoles;
}
}
where GroupsToRoles
is defined as follows (inspired by org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
):
package ro.mycompany.springsecurity.extensions;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException;
public class GroupsToRoles {
private String roleHierarchyStringRepresentation = null;
private Map<GrantedAuthority, Set<GrantedAuthority>> rolesReachableInOneStepMap = null;
private Map<GrantedAuthority, Set<GrantedAuthority>> rolesReachableInOneOrMoreStepsMap = null;
public void setHierarchy(String roleHierarchyStringRepresentation) {
this.roleHierarchyStringRepresentation = roleHierarchyStringRepresentation;
buildRolesReachableInOneStepMap();
buildRolesReachableInOneOrMoreStepsMap();
}
public Collection<GrantedAuthority> getReachableGrantedAuthorities(
Collection<? extends GrantedAuthority> authorities) {
if (authorities == null || authorities.isEmpty()) {
return AuthorityUtils.NO_AUTHORITIES;
}
Set<GrantedAuthority> reachableRoles = new HashSet<>();
for (GrantedAuthority authority : authorities) {
addReachableRoles(reachableRoles, authority);
Set<GrantedAuthority> additionalReachableRoles = getRolesReachableInOneOrMoreSteps(authority);
if (additionalReachableRoles != null) {
reachableRoles.addAll(additionalReachableRoles);
}
}
List<GrantedAuthority> reachableRoleList = new ArrayList<>(
reachableRoles.size());
reachableRoleList.addAll(reachableRoles);
return reachableRoleList;
}
// SEC-863
private void addReachableRoles(Set<GrantedAuthority> reachableRoles,
GrantedAuthority authority) {
for (GrantedAuthority testAuthority : reachableRoles) {
String testKey = testAuthority.getAuthority();
if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
return;
}
}
reachableRoles.add(authority);
}
private Set<GrantedAuthority> getRolesReachableInOneOrMoreSteps(
GrantedAuthority authority) {
if (authority.getAuthority() == null) {
return null;
}
for (GrantedAuthority testAuthority : rolesReachableInOneOrMoreStepsMap.keySet()) {
String testKey = testAuthority.getAuthority();
if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
return rolesReachableInOneOrMoreStepsMap.get(testAuthority);
}
}
return null;
}
private void buildRolesReachableInOneStepMap() {
Pattern pattern = Pattern.compile("(\\s*([^\\s>]+)\\s*>\\s*([^\\s>]+))");
Matcher roleHierarchyMatcher = pattern.matcher(roleHierarchyStringRepresentation);
rolesReachableInOneStepMap = new HashMap<>();
while (roleHierarchyMatcher.find()) {
GrantedAuthority higherRole = new SimpleGrantedAuthority(
roleHierarchyMatcher.group(2));
GrantedAuthority lowerRole = new SimpleGrantedAuthority(
roleHierarchyMatcher.group(3));
Set<GrantedAuthority> rolesReachableInOneStepSet;
if (!rolesReachableInOneStepMap.containsKey(higherRole)) {
rolesReachableInOneStepSet = new HashSet<>();
rolesReachableInOneStepMap.put(higherRole, rolesReachableInOneStepSet);
}
else {
rolesReachableInOneStepSet = rolesReachableInOneStepMap.get(higherRole);
}
addReachableRoles(rolesReachableInOneStepSet, lowerRole);
}
}
private void buildRolesReachableInOneOrMoreStepsMap() {
rolesReachableInOneOrMoreStepsMap = new HashMap<>();
// iterate over all higher roles from rolesReachableInOneStepMap
for (GrantedAuthority role : rolesReachableInOneStepMap.keySet()) {
Set<GrantedAuthority> rolesToVisitSet = new HashSet<>();
if (rolesReachableInOneStepMap.containsKey(role)) {
rolesToVisitSet.addAll(rolesReachableInOneStepMap.get(role));
}
Set<GrantedAuthority> visitedRolesSet = new HashSet<>();
while (!rolesToVisitSet.isEmpty()) {
// take a role from the rolesToVisit set
GrantedAuthority aRole = rolesToVisitSet.iterator().next();
rolesToVisitSet.remove(aRole);
addReachableRoles(visitedRolesSet, aRole);
if (rolesReachableInOneStepMap.containsKey(aRole)) {
Set<GrantedAuthority> newReachableRoles = rolesReachableInOneStepMap
.get(aRole);
// definition of a cycle: you can reach the role you are starting from
if (rolesToVisitSet.contains(role) || visitedRolesSet.contains(role)) {
throw new CycleInRoleHierarchyException();
}
else {
// no cycle
rolesToVisitSet.addAll(newReachableRoles);
}
}
}
rolesReachableInOneOrMoreStepsMap.put(role, visitedRolesSet);
}
}
}
The actual configuration looks like:
<bean id="AD-LdapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="OU=MyCompany,DC=mycompany,DC=local"/>
<constructor-arg index="1" value="(&(objectClass=user)(sAMAccountName={0}))"/>
<constructor-arg index="2" ref="contextSource" />
<property name="searchSubtree" value="true"/>
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<!--bean class="org.springframework.security.ldap.userdetails.NestedLdapAuthoritiesPopulator"-->
<bean class="ro.mycompany.springsecurity.extensions.NestedLdapAuthoritiesPopulatorEx">
<constructor-arg ref="contextSource" />
<constructor-arg value="OU=MyCompany,DC=mycompany,DC=local" />
<property name="groupSearchFilter" value="(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=-2147483648)(member={0}))"/><!--http://ldapwiki.willeke.com/wiki/Active%20Directory%20Group%20Related%20Searches#section-Active+Directory+Group+Related+Searches-AllSecurityGroupsLocalGlobalAndUniversal -->
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="false"/>
<property name="groupsToRoles" ref="groupsToRoles"/>
</bean>
</constructor-arg>
</bean>
<bean id="groupsToRoles" class="ro.mycompany.springsecurity.extensions.GroupsToRoles">
<property name="hierarchy">
<value>
ROLE_Admins>admin
</value>
</property>
</bean>
Now you can use the application unchanged if configuring correctly groupsToRoles
.
The Explanation
There is a very good answer on StackOverflow to the question Why does Spring Security's RoleVoter need a prefix?
The Update (Spring Security 4.0.1.RELEASE)
After updating to 4.0.1.RELEASE the authorization through FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);
suddenly failed to work. This is related to https://jira.spring.io/browse/SEC-2926 which actually means that "ROLE_" is automatically prepended (by default if no other specific configuration is done) to role names while checking authorization in spring configuration files (like
<security:intercept-url pattern="/faces/auth/admin/**" access="Admins"/>
that will actually checks for "ROLE_Admins" in GrantedAuthorities) as oposed to FacesContext.getCurrentInstance().getExternalContext().isUserInRole("admin")
that will check for "admin" in 4.0.0 and "ROLE_admin" in 4.0.1.
The quick solution is to change the configuration file from
...
<bean id="groupsToRoles" class="ro.mycompany.springsecurity.extensions.GroupsToRoles">
<property name="hierarchy">
<value>
ROLE_Admins>admin
</value>
</property>
</bean>
...
to
...
<bean id="groupsToRoles" class="ro.mycompany.springsecurity.extensions.GroupsToRoles">
<property name="hierarchy">
<value>
ROLE_Admins>ROLE_admin
</value>
</property>
</bean>
...
The difference (in this respect) between the two versions come from the following snippet in SecurityContextHolderAwareRequestFilter
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
// ~ Instance fields
// ================================================================================================
private String rolePrefix;
private HttpServletRequestFactory requestFactory;
in 4.0.0 and
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
// ~ Instance fields
// ================================================================================================
private String rolePrefix = "ROLE_";
private HttpServletRequestFactory requestFactory;
in 4.0.1.
The rolePrefix
is actually used in SecurityContextHolderAwareRequestWrapper
as
private boolean isGranted(String role) {
Authentication auth = getAuthentication();
if (rolePrefix != null) {
role = rolePrefix + role;
}
if ((auth == null) || (auth.getPrincipal() == null)) {
return false;
}
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
if (authorities == null) {
return false;
}
for (GrantedAuthority grantedAuthority : authorities) {
if (role.equals(grantedAuthority.getAuthority())) {
return true;
}
}
return false;
}
As we can see the rolePrefix
is prepended (if not null) unconditionally to checked role which is a different behaviour than the one implemented in voters (if the role starts with the default/configured prefix this will not be prepended any more); that's why FacesContext.getCurrentInstance().getExternalContext().isUserInRole("ROLE_admin")
will ot work since the actually match will be done against "ROLE_ROLE_admin"!
