I am new in spring mvc , In my existing project , there is one admin and they have rights to update data , but now i need to create 2 new admin , admin1 and admin2 that can only see limited page when they login like:
when admin login , they can see Add data, update data, Post message pages in menu bar. but in case Admin1 , can see only Post meassage page in menu bar.
so, please guide me how can i achieve this task in spring mvc Thanks in Advance.
you have to consider using Spring security to achieve this.check the following
<http auto-config="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
</http>
It means, only user with authority of “ROLE_ADMIN” is allowed to access URI /admin*. If non authorized user try to access it, a “http 403 access denied page” will be displayed.
you have to configure the urls and the allowed access to them
simple example at http://www.mkyong.com/spring-security/spring-security-access-control-example/
I had a similar use-case, where the admins might want to create new roles, with arbitrarily assigned permissions to these roles.
If I were to authorize users on the existence of a ROLE_* in their granted authorities, then the code would need to change every time someone adds a new role, or the business requirements for that role changes.
Like @Ralph, I created a library to inject mapped authorities based on Role to Permissions because I found the hierarchical role implementation lacking...
When an Authentication object is injected in the current security session, it will have the original roles/granted authorities. You can provide map the permissions in your UserDetailsService, or JWT Authentication Converter for instance.
The PermissionProvider is called to get the effective permissions for each role the user is a member of. The distinct list of permissions are added as GrantedAuthority items in the Authentication object.
Then I can use permission level authorization in the configuration, and the role to permission mapping can change at runtime.
Concept -
ADMIN1 -> PERM_ADD, PERM_POST
ADMIN2 -> PERM_POST, PERM_UPDATE
Implementation example -
@Autowired
RolePermissionsRepository repository;
public void setup1(){
String roleName = "ROLE_ADMIN1";
List<String> permissions = new ArrayList<String>();
permissions.add("PERM_ADD");
permissions.add("PERM_POST");
repository.save(new RolePermissions(roleName, permissions));
}
public void setup2(){
String roleName = "ROLE_ADMIN2";
List<String> permissions = new ArrayList<String>();
permissions.add("PERM_UPDATE");
permissions.add("PERM_POST");
repository.save(new RolePermissions(roleName, permissions));
}
Then use the permissions for access instead of roles.
<http auto-config="true">
<intercept-url pattern="/addData" access="PERM_ADD" />
<intercept-url pattern="/updateData" access="PERM_UPDATE" />
<intercept-url pattern="/postMessage" access="PERM_POST" />
</http>
Or using the authorization annotations -
@PreAuthorize("hasAuthority('PERM_ADD')")
@RequestMapping("/add")
public String add() {
...
}
For the source code, see here - https://github.com/savantly-net/spring-role-permissions
You need of course two roles. - Then you can either
- check for Role Admin1 or Admin2 or Admin1 every where.
- But a better approach is already mentioned by you: seperate roles and Privileges: Assign roles to users and privileges to roles, so a User gets its privileges via his roles. Now you just need to check the privleges to allow access to an function.
Spring has already an build in 14.4 Hierarchical Roles concept, but I feel that it is clumsy because it requires that every Voter needs to understand it. So I implemented my own solution, that is very simple and is based only on Spring-Security-Roles. So one need only to change the Role Provider but nothing more.
You need to create two roles in Spring security with different access.
<http auto-config="true">
<intercept-url pattern="/addData" access="ADMIN_2" />
<intercept-url pattern="/updateData" access="ADMIN_2" />
<intercept-url pattern="/postMessage" access="ADMIN_1" />
</http>
