spring security: what's the best practice for including a value in a permission?

Question: In Spring Security, or RBAC, the authority is described as a string, such as "download-file" meaning the user can download files. If I need to limit a user's maximum daily download count and assign different values to different users, meaning the authority contains dynamic values, how can I do this in Spring Security?
309 views. Asked by De Liu.
There are 2 solutions below.

Answer by Ashish:
Please refer to this link: Spring Boot : Custom Role - Permission Authorization using SpEL
You can add a new permission, like "DOWNLOAD_FILE", and authenticate whether the current user has that permission using -
@PreAuthorize("hasPermission('DOWNLOAD_FILE')")
You can also limit access by role as well:
@PreAuthorize("hasRole('ADMIN') and hasPermission('DOWNLOAD_FILE')")
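Spring Security's built-in hasPermission() takes a target plus a permission (or an id, a target type and a permission); the one-argument form used in the answer comes from the custom expression root defined in the linked post. The following is an added example, not the answer's or the linked post's code: it keeps the built-in two-argument form and supplies a PermissionEvaluator that resolves a permission string such as DOWNLOAD_FILE against the user's granted authorities, registered through a MethodSecurityExpressionHandler. It assumes Spring Security 6; AuthorityPermissionEvaluator, MethodSecurityConfig and FileService are hypothetical names.

```java
// Added example, not code from the answer or the linked post. Assumes Spring Security 6
// (spring-security-core and spring-security-config on the classpath).
import java.io.Serializable;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

/** Grants a permission only if the Authentication carries an authority with exactly that name. */
class AuthorityPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || permission == null) {
            return false;                       // deny by default: anonymous or malformed call
        }
        String required = permission.toString();
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(required::equals);    // exact match only, no prefix or wildcard semantics
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
                                 Object permission) {
        // The id/type form is delegated; the target is irrelevant for a static permission string.
        return hasPermission(auth, (Object) null, permission);
    }
}

@Configuration
@EnableMethodSecurity   // @PreAuthorize/@PostAuthorize are enabled by default in Spring Security 6
class MethodSecurityConfig {

    /** Declared static so it is created before the method-security infrastructure that depends on it. */
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new AuthorityPermissionEvaluator());
        return handler;
    }
}

@Service
class FileService {

    /**
     * hasRole('ADMIN') requires the ROLE_ADMIN authority; the built-in hasPermission needs a
     * target argument, so #fileId is passed through (and ignored by the evaluator above).
     */
    @PreAuthorize("hasRole('ADMIN') and hasPermission(#fileId, 'DOWNLOAD_FILE')")
    public byte[] download(String fileId) {
        return new byte[0];                     // hypothetical storage lookup goes here
    }
}
```

This gives the static part of the check (does the user hold DOWNLOAD_FILE at all); a per-user daily limit is state that does not fit in an authority string and needs a separate check.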
Second answer:

As you are alluding to, there is a difference between authorities (i.e. roles) and permissions. Authorities tend to apply broadly to an application and have no state, while permissions tend to be on specific objects and contain state.
This seems more like a domain problem than a permissions problem. Putting the logic into security feels a bit like having a form that must contain a valid email and checking the email format in security. I'd consider moving the logic outside of the security code.
If you really want to do this with Spring Security, I'd use a custom Bean that performs the check:
Then you can autowire the Bean into your code and check the permission by invoking it. If you prefer, you can also integrate into Spring Security's method security to perform the checks. To enable it you need to specify
@EnableGlobalMethodSecurity(prePostEnabled = true) at the top of one of your configuration classes. Then you can use something like this on a Spring-managed Bean:
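The answer's own code is not reproduced on this page. The following is an added example, not the answer's code, of the approach it describes: a Spring bean that holds the per-user daily download limit as data and is referenced from @PreAuthorize by bean name. It assumes method security is enabled (in Spring Security 6 via @EnableMethodSecurity, which supersedes the @EnableGlobalMethodSecurity(prePostEnabled = true) named in the answer); DownloadPolicyRepository, DownloadQuota, QuotaAwareFileService and the storage read are hypothetical, and the in-memory counter map stands in for a database row or cache.

```java
// Added example, not code from the answer. Assumes Spring Security 6 with method security enabled.
import java.time.Clock;
import java.time.LocalDate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Hypothetical: the limit is data on the user record, not part of the authority string. */
interface DownloadPolicyRepository {
    int dailyLimitFor(String username);
}

@Component("downloadQuota")   // the bean name is what the SpEL expression references
class DownloadQuota {
    private final DownloadPolicyRepository policies;
    private final Clock clock;
    // "alice@2024-05-01" -> downloads used that day; in-memory stand-in for persistent storage
    private final Map<String, Integer> usedToday = new ConcurrentHashMap<>();

    DownloadQuota(DownloadPolicyRepository policies, Clock clock) {
        this.policies = policies;
        this.clock = clock;       // injected so the day boundary is controllable in tests
    }

    private String key(String username) {
        return username + "@" + LocalDate.now(clock);
    }

    /** Read-only check called from @PreAuthorize; it never mutates state. */
    public boolean canDownload(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        String user = auth.getName();
        return usedToday.getOrDefault(key(user), 0) < policies.dailyLimitFor(user);
    }

    /**
     * Atomic check-and-increment. The @PreAuthorize check alone is a race: two concurrent
     * requests can both observe "one left" and both pass, so the unit is consumed here under
     * the map's per-key lock and the caller must honour a false result.
     */
    public boolean tryConsume(Authentication auth) {
        String user = auth.getName();
        int limit = policies.dailyLimitFor(user);
        boolean[] granted = {false};
        usedToday.compute(key(user), (k, used) -> {
            int current = used == null ? 0 : used;
            if (current < limit) {
                granted[0] = true;
                return current + 1;
            }
            return current;
        });
        return granted[0];
    }
}

@Service
class QuotaAwareFileService {
    private final DownloadQuota quota;

    QuotaAwareFileService(DownloadQuota quota) {
        this.quota = quota;
    }

    /** Static authority first, then the dynamic per-user limit; 'authentication' is the SpEL root's current Authentication. */
    @PreAuthorize("hasAuthority('DOWNLOAD_FILE') and @downloadQuota.canDownload(authentication)")
    public byte[] download(String fileId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!quota.tryConsume(auth)) {
            throw new AccessDeniedException("daily download limit reached");
        }
        return new byte[0];   // hypothetical storage read
    }
}
```

The split between canDownload() and tryConsume() is deliberate: the expression in @PreAuthorize is evaluated before the method runs and is a convenient early rejection, but only the atomic consume inside the method enforces the limit under concurrent requests.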