cas-security-spring-boot-starter

Working with GlobalMethodSecurity

Open ankit-test-repo opened this issue 6 years ago • 5 comments

Hi, I am trying to configure my application to work with http://www.baeldung.com/spring-security-method-security

I was just wondering if I can do something like security.securedEnabled = true in the application.properties file to get this working with your CAS library.

ankit-test-repo Jun 18 '18 13:06

import com.kakawait.spring.boot.security.cas.CasSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true)
public class SecurityConfiguration extends CasSecurityConfigurerAdapter {

}

Adding that class solved it for me.

However, I am now noticing that my Spring Security context does not have any roles (apart from ROLE_USER) in the granted authorities for my session. Any idea what I am doing wrong?

EDIT:

Okay, so it turns out I will have to get the roles from Active Directory. I am currently working to get that sorted. Will post it here once sorted. Any help to speed up the process is, however, appreciated.

ankit-test-repo Jun 19 '18 10:06

@Override
protected UserDetails loadUserDetails(Assertion assertion) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    List<GrantedAuthority> grantedAuthorities = getRoles(assertion.getPrincipal().getName());
    /*
    final List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
    grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
    grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
    */

    return new User(assertion.getPrincipal().getName(), "[PROTECTED]", true, true, true, true, grantedAuthorities);
}

Okay, this is a very weird one. I have worked out how to get the roles from LDAP, and my method "getRoles()" is fetching the correct roles. Now the problem is that my @Secured annotation is not working for any of the roles that I am getting back.

However, if I manually add ROLE_USER to the list and then grant ROLE_USER access to the request mapping, it works. But it only works for ROLE_USER.

I have checked my session on Tomcat, and my SPRING_SECURITY_CONTEXT attribute shows all the added roles in the list of granted authorities.

ankit-test-repo Jun 20 '18 12:06

Okay, got it all to work. Turns out the application relies on ROLE_USER to be there to access all controllers.

ankit-test-repo Jun 20 '18 14:06
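An added example, not code from the thread or from the cas-security-spring-boot-starter project: one way to write the loadUserDetails override discussed above so that directory roles are merged with the baseline ROLE_USER and carry the ROLE_ prefix that @Secured matches on by default. It assumes the class extends Spring Security's AbstractCasAssertionUserDetailsService and uses CAS client 3.x package names; the class name and the RoleLookup interface are hypothetical, standing in for the poster's getRoles(), and wiring the service into the starter is not shown.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical class name; assumes the CAS assertion carries only the username.
public class DirectoryRolesUserDetailsService extends AbstractCasAssertionUserDetailsService {

    /** Hypothetical lookup, standing in for the thread's getRoles() LDAP call. */
    public interface RoleLookup {
        Collection<String> rolesFor(String username);
    }

    private final RoleLookup roleLookup;

    public DirectoryRolesUserDetailsService(RoleLookup roleLookup) {
        this.roleLookup = roleLookup;
    }

    @Override
    protected UserDetails loadUserDetails(Assertion assertion) {
        String username = assertion.getPrincipal().getName();
        // A set removes duplicates, e.g. when the directory also returns USER.
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        // Baseline role: the thread found that controller access depended on it.
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        for (String raw : roleLookup.rolesFor(username)) {
            authorities.add(new SimpleGrantedAuthority(normalize(raw)));
        }
        // CAS has already authenticated the user, so the password is a placeholder.
        return new User(username, "[PROTECTED]", true, true, true, true, authorities);
    }

    /** Maps a directory group name such as "App Admins" to "ROLE_APP_ADMINS". */
    static String normalize(String raw) {
        String name = raw.trim().toUpperCase(Locale.ROOT).replace(' ', '_');
        return name.startsWith("ROLE_") ? name : "ROLE_" + name;
    }
}
```

With this in place, a method annotated with @Secured("ROLE_APP_ADMINS") is matched against the normalized authority, while ROLE_USER stays present for every authenticated session.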

Which version are you using? The latest 0.8.0, or did you build the 1.0.0-SNAPSHOT?

kakawait Jun 20 '18 14:06

Using 0.8.0. Sorry for a late reply.

ankit-test-repo Jun 25 '18 12:06