1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

JavaBeat

HOME

JAVA

SPRING FRAMEWORK

JSF TUTORIALS

MOST POPULAR

ABOUT US

Email:

Separating Roles and

Permissions in Spring

Werespectyour

Security

emailprivacy

Krishna Srinivasan

April 14, 2011

Spring

Framework

This article is based on Spring in Practice, to be

Share This

published August-2011. It is being reproduced here by

permission from Manning Publications. Manning

AdvertiseHere

Share this post with your friends!

publishes MEAP (Manning Early Access Program,)

eBooks and pBooks. MEAPs are sold exclusively through

Twitter
Manning.com. All pBookpurchases
include free
PDF, Google+
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

1/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

mobi and epub. When mobile formats become available

Facebook

all customers will be contacted

and upgraded. Visit

Buffer

Manning.com for more information. [ Use promotional

code java40beat and get 40% discount on eBooks and
pBooks ]

alsoread:
SpringTutorials
Spring4Tutorials
SpringInterviewQuestions

Technique: Separate Roles and

Bungalow in BTM Layo

Buy/Rent Bungalow in BTM
Layout. Get Prices & Details.
Search Now !
99acres.com/Bungalow_BTM_Layout

Permissions
Introduction
The goal behind separating roles and permissions is
to avoid embedding security policy decisions in the
code. Such decisions should be set at runtime since
they vary across customers, they vary over time, and
sometimes they need to be changed immediately
(for example, in response to a security breach).

Example
Consider, for example, the difference between this
rule:

 
public  long
And this one:
 
public  long
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

2/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

The first rule breaks when somebody decides that

teaching assistants, parents, faculty trainers,
accreditors, or any number of other roles should gain
access or that one of the roles should lose access (for
instance, faculty-only forums). The roles may be
different for different customers using the software,
and many of the roles may not even make any sense
for some customers.
The second rule is more resilient in the face of such
changes since in essence it says that a user gets a
given forum if he has read access to forums
generally. The rule isnt perfectwe may decide that
there isnt any such thing as read access to forums
generally (that is, access exists on a forum-by-forum
basis)but clearly its much more flexible, especially
if we can establish the relationship between roles
and permissions outside the code itself. And we can
certainly do that.
So as a general rule, prefer permission-based rules
to role-based rules. There are exceptions to this rule,
but it holds as a general rule.
Spring Security 3 appears schizophrenic on the issue
of separating roles and permissions in the manner
shown above. The interface underlying
ROLE_STUDENT, PERM_READ_FORUMS and so forth
is called GrantedAuthority, and this sounds like a
fancy way of saying permission rather than role.
But the examples in the Spring Security reference
documentation tend to treat granted authorities as
roles, and even the hasRole() and hasAnyRole()
predicates steer us toward using roles directly, which
is at best a questionable practice for the reasons
already given.

http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

3/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

BungalowinBTMLayout
Buy/RentBungalowinBTM
Layout.GetPrices&
Details.SearchNow!
99acres.com/Bungalow_BTM_Layout

Figure 1 User schema that separates roles from

permissions.Apparent schizophrenia aside, Spring
Security makes it easy to do the right thing. The
sample code, for instance, uses a custom
UserDetailsService backed by the
user/role/permission schema in figure 1.2 The sip07schema-mysql.sql script (available here) contains this
schema, but its just an example. Even if youre using
the JdbcDaoImpl instead of a custom
UserDetailsService, you can take advantage of the
Spring Security group schema to separate roles and
permissions.
Besides the schema, we also need some sample data
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

4/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

so we can actually test the security configuration.

Figure 2 shows the roles and permissions that each
of our sample users has, as contained in the sip07data-mysql.sql script.

Figure 2 Users, roles, and permissions for the sample

applicationThats it for our source code changes.
Now we need to activate the security annotations.
To do that, we add a single line to the beanssecurity.xml configuration:

Weve enabled Spring Securitys pre- and postannotations, disabled by default, since they allow us
to use SpEL to define access rules in an elegant
fashion. This is the preferred approach in Spring
Security 3. There are, however, a couple of other
options, which we list for completeness:
jsr250-annotations=enabled: Activate the
standard JSR 250 security annotations. Though
these are standard, they support only simple
role-based rules and arent nearly as powerful as
Spring Securitys pre/post annotations. These are
disabled by default.
secured-annotations=enabled: Support for
Springs legacy @Secured annotation. Originally
superseded by the JSR 250 @RolesAllowed
annotation and now by the Spring Security
@PreAuthorize annotation. @Secured is disabled
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

5/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

by default.
Thats annotation-based configuration. To try out the
security annotations, try the following:
Start up the application and click the forums link.
Spring Security will force a login because the call
to getForums() requires the
PERM_READ_FORUMS permission.
Log in as user daniel/p@ssword. He has just the
student role.
Go into one of the forums and try to block a
message. You should get an error message in a
dialog box because the
ForumServiceImpl.setMessageVisible() method
requires the PERM_ADMIN_MESSAGES
permission, which the student role does not
have.
Try the same thing with editing and deleting
messages. Youll be able to get the edit page and
the delete confirm box, but there will be an error
message when you try to actually save the edit
or confirm the deletion, because the student role
doesnt have the required
PERM_UPDATE_MESSAGES and
PERM_DELETE_MESSAGES permissions.
Log out, and then log back in under
juan/p@ssword. User juan has the admin role.
Try the same operations. You should be able to
execute all of them, because the admin role has
the required permissions.

alsoread:
SpringBooks
IntroductiontoSpringFramework
IntroductiontoSpringMVC
Framework

http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

6/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

Summary
We created authorization rules and applied them to
Java methods. We showed you why we used a
hasRole() predicate to check for a permission, since
roles and permissions arent the same thing. A role
typically entails a set of permissions. The release
engineer role, for example, might have permission to
deploy software packages to servers.

GoogleWebHosting
BuildYourOnlinePresenceWithGoogleSites.
Free30DayTrial!

Related posts:
1. Spring Security 3.0
2. Designing and Developing Secure Java EE
Applications using GlassFish Security
3. Aspect Oriented Programming (AOP) in Spring
2.5
4. Spring HTML ESCAPE and ESCAPE BODY Tags
(<spring:htmlEscape> and
<spring:escapeBody>)
5. Static Code Analysis Tool FireBugs

Spring Security
Did you like this article? Share it with your friends!
Like

Tweet

Written by Krishna Srinivasan

He is Founder and Chief Editor of
JavaBeat. He has more than 8+
years of experience on
developing Web applications. He
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

7/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

writes about Spring, DOJO, JSF,

Hibernate and many other
emerging technologies in this
blog.

3 Responses to "Separating Roles and

Permissions in Spring Security"

julius says:
November 9, 2012 at 9:30

There is an implementation example of

Spring 3 with rights and roles here:
http://en.tekstenuitleg.net/blog/spring-security-with-rolesand-rights
Reply

rayman says:
October 22, 2013 at 1:17

Hi,
Do you have a solution of defining
permissions with LDAP ? This way ill be able to use our LDAP
with spring security within roles and permissions context.
Reply

http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

8/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

satheesh says:
October 17, 2015 at 8:42

sir i need help in spring roles and permissions

Reply

Leave a Reply
Your email address will not be published. Required fields are
marked *

Name

Email

Website

Comment

Post Comment
Sign up to our newsletter!

Recent Posts
Suppressed Exceptions in Java 7
Java Exceptions Tutorial
http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

9/10

1/19/2016

SeparatingRolesandPermissionsinSpringSecurity

OCAJP Pass by Value or Pass by

Reference
OCAJP Static Methods and
Fields
Spring and JSON Example

2016 JavaBeat

http://www.javabeat.net/separatingrolesandpermissionsinspringsecurity/

10/10