
Application access to a user's roles in the Security Context

Applications often need access to the role information collected by Spring Security and the CSF. CSF provides facilities to make this easier.

IMPORTANT: when you are writing Java code that needs authorization information about the current user, use the methods on the CSF "SecurityContextService" interface rather than using Spring Security classes. This will insulate us from any future changes in the Spring Security framework classes.

Let's take the example of an application that displays a list of sections for the user to choose from; choosing a section lets them view the students assigned to it. There is a rule that class lists are only to be shown to instructors of the section.

First, we need to configure the authorization service to capture whether the user is an instructor.

Code Block
<bean id="mitAuthorizationUserDetailService" class="edu.mit.csf.security.spring.userdetails.MitAuthorizationUserDetailsService">
    <property name="authorizationService" ref="authorizationService" />
</bean>

<bean id="authorizationService" class="edu.mit.common.security.authorization.InstructorAuthorizationsService">
    <property name="dao" ref="hibernateAuthorizedInstructorDao" />
</bean>

In this example, the instructorAuthorizationsService and hibernateAuthorizedInstructorDao beans are Spring beans defined elsewhere. The InstructorAuthorizationsService has a single method, getAuthorizationsByUser. This method uses the DAO to fetch the user's instructor records as an AuthorizedInstructor object containing a collection of AuthorizedTeachingAssignment objects. This is wrapped in an InstructorRoleAuthorization object, which is an adaptor for communicating with Spring Security. All of this is done merely by creating the configuration above.

A little later in the application processing, we will have a list of sections, and we want to filter the list to include only those that the instructor has taught. You would probably first want to check that the user is in fact an instructor, that is, has taught at least some section at some time, and if not, perhaps show them a different page:

Code Block
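// Does the current user hold the instructor role at all?
boolean isInstructor = securityContextService.hasAnyRole(new String[] { InstructorRoleAuthorization.ROLE_INSTRUCTOR });

if (isInstructor) {
    // Keep only the sections this user is actually associated with as an instructor.
    Set allowedSections = securityContextService.getMaskedQualifiersForRole(InstructorRoleAuthorization.ROLE_INSTRUCTOR, allSections);
    // put allowedSections in model map ...
} else {
    // not so fast, buster! (not an instructor: show a different page)
}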

The mask method takes a collection of things that might be associated with a role and returns the set of things that actually are associated with the role. The things you can filter this way depend on the kind of role. For instructors, you can filter collections of subjects, sections, or teaching assignments. For MIT Roles Database roles that have qualifiers, you can filter a collection of strings that would match the qualifier codes.
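
The same mask can enforce the rule at the moment one section's class list is requested, not only when the list of choices is built. The following is an added example, not CSF code: the SecurityContextService interface is a hypothetical stand-in declaring only the two methods used above, and the string section ids, the ROLE_INSTRUCTOR value and the in-memory context are constructed for illustration.

```java
import java.util.*;

public class ClassListAccessExample {
    // Hypothetical stand-in declaring only the two calls used on this page;
    // the real CSF SecurityContextService signatures may differ.
    interface SecurityContextService {
        boolean hasAnyRole(String[] roles);
        Set<String> getMaskedQualifiersForRole(String role, Collection<String> candidates);
    }

    static final String ROLE_INSTRUCTOR = "ROLE_INSTRUCTOR"; // constructed value

    // Re-check authorization for the one section being opened; deny by default.
    static boolean mayViewClassList(SecurityContextService ctx, String sectionId) {
        if (sectionId == null || !ctx.hasAnyRole(new String[] { ROLE_INSTRUCTOR })) {
            return false;
        }
        Set<String> allowed = ctx.getMaskedQualifiersForRole(
                ROLE_INSTRUCTOR, Collections.singleton(sectionId));
        return allowed != null && allowed.contains(sectionId);
    }

    // Constructed in-memory context: the user teaches exactly the given sections.
    static SecurityContextService contextFor(final Set<String> taught) {
        return new SecurityContextService() {
            public boolean hasAnyRole(String[] roles) {
                return !taught.isEmpty() && Arrays.asList(roles).contains(ROLE_INSTRUCTOR);
            }
            public Set<String> getMaskedQualifiersForRole(String role, Collection<String> candidates) {
                Set<String> result = new HashSet<String>(candidates);
                if (ROLE_INSTRUCTOR.equals(role)) {
                    result.retainAll(taught); // keep only sections actually taught
                } else {
                    result.clear();           // unknown role: nothing is allowed
                }
                return result;
            }
        };
    }

    public static void main(String[] args) {
        SecurityContextService instructor =
                contextFor(new HashSet<String>(Arrays.asList("6.001-L01", "6.001-R02")));
        SecurityContextService student = contextFor(new HashSet<String>());
        System.out.println(mayViewClassList(instructor, "6.001-L01")); // section taught
        System.out.println(mayViewClassList(instructor, "18.01-L01")); // section not taught
        System.out.println(mayViewClassList(student, "6.001-L01"));    // no instructor role
    }
}
```

Checking the requested section on the server side means a section id that was never offered in the filtered list is still refused.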
