4

I am developing a web service which uses Spring Security toolbox for authorizing the request by the 'Authority'. Naturally, the web service has a configuration class which extends to WebSecurityConfigurerAdapter class and overrides the configure(HttpSecurity http) method.

Within the method I have written the profiles (roles or Authorities) with the follow code:

           http
              .authorizeRequests() 
                         .antMatchers("/**").hasAnyAuthority("PERFIL")      
                         .anyRequest().authenticated()
                         .and() 
             .logout().clearAuthentication(true)
                      .invalidateHttpSession(true)
                      .and()

             .csrf().disable();

It works very well, however I would want to charge dynamic profiles (roles or Authorities) from a database because I want to change them without changing the web service.

Does someone know how could do it?

Regards.

J. Abel
  • 790
  • 1
  • 15
  • 31

2 Answers2

0

There are many configurations which you will have to change in order to pass those details from database.

Use jdbc-user-service to define a query to perform database authentication.

<authentication-manager>
      <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query=
            "select username,password, enabled from users where username=?"
          authorities-by-username-query=
            "select username, role from user_roles where username =?  " />
      </authentication-provider>
    </authentication-manager>

Follow this tutorial to learn how Spring Security works.

Rohan Kadu
  • 1,201
  • 2
  • 9
  • 20
  • Hi Rohan. I have already changed Authority for each user in the authentication, but I am trying to use dynamic Role in the configure(HttpSecurity http) method i.e. I want to change the code `.antMatchers("/**").hasAnyAuthority("PERFIL")` by something like this (this code does not exist, obviously): `.antMatchers("/**").hasAnyAuthority("?")`, such that `?` has to change when the service starts and based on a query to a database. It is the idea, but I do know if it is the form correct. – J. Abel Dec 20 '17 at 16:01
  • Hi Abel, Have you gone through following link. https://stackoverflow.com/questions/8321696/creating-new-roles-and-permissions-dynamically-in-spring-security-3 – Rohan Kadu Dec 20 '17 at 16:07
0

You can find a full working example here.

Although the logic is reversed in my project, you can extract information that will help with your case (as in how to "inject" these authorities to spring security)

In Authorities class i have defined 2 static authorities. This is the point where you can fetch your Authorities from the db. You could have an empty List<Authority> which will get populated from the db automatically when your application starts (see @PostConstruct).

Your Authority class should implement spring's GrantedAuthority as in here.

alextsil
  • 413
  • 2
  • 12
  • 22