Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Facing issues with Authorization of services #162

Closed
abhishekshenoy opened this issue Nov 2, 2020 · 8 comments
Closed

Facing issues with Authorization of services #162

abhishekshenoy opened this issue Nov 2, 2020 · 8 comments

Comments

@abhishekshenoy
Copy link

Have setup a sample maven spring-boot app to test out spring security implementation. I have had success with authentication but facing issues in authorisation. Have tested in both version 4.1.0 and 4.2.0.

4.1.0 -> https://github.com/abhishekshenoy/grpc-service
4.2.0 -> https://github.com/abhishekshenoy/grpc-service/tree/spring-grpc-4.2.0

My spring security test config looks as below :

 @Override
  public void configure(GrpcSecurity builder) throws Exception {
    builder
        .authorizeRequests()
        .withSecuredAnnotation()
        .authenticationProvider(
            new AuthenticationProvider() { ....}
}

Have 2 services as below

  @Override
  public void sayBye(ByeRequest request, StreamObserver<ByeReply> responseObserver) {
    ByeReply reply = ByeReply.newBuilder().setMessage("Bye ==> " + request.getName()).build();
    responseObserver.onNext(reply);
    responseObserver.onCompleted();
  }

  @Override
  @Secured("ROLE_EDITOR")
  public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
    HelloReply reply = HelloReply.newBuilder().setMessage("Hello ==> " + request.getName()).build();
    responseObserver.onNext(reply);
    responseObserver.onCompleted();
  }

Secured Service : sayHello
Non Secure Service: sayBye

Have setup 4 tests and they behave different in the 2 versions:

In 4.1.0

  1. secureServiceWithAuthenticatedandAuthorizedUser() : Test Passes
  2. secureServiceWithAuthenticatedandNonAuthorizedUser() : Test Passes (Throws Access denied exception as expected)
  3. secureServiceAccessByNonAuthenticatedNonAuthorizedUser(): Test Passes (Throws Unauthenticated exception as expected)
  4. nonSecureServiceWithAuthenticatedButNonAuthorizedUser(): Test Fails (This should pass as the service is non secure ) (Please enable the test to run it)

In 4.2.0

  1. secureServiceWithAuthenticatedandAuthorizedUser() : Test Passes
  2. secureServiceWithAuthenticatedandNonAuthorizedUser() : Test Fails (Does not throw an Access denied exception as expected)
  3. secureServiceAccessByNonAuthenticatedNonAuthorizedUser(): Test Fails (Does not throw an Access denied exception as expected)
  4. nonSecureServiceWithAuthenticatedButNonAuthorizedUser(): Test Passes

Can someone please check the above ? My problem is actually being able to distinguish between services which only need authentication to be accessed vs the ones that need both authentication as well as authorisation to be accessed. Currently in 4.1.0 , even if i do not pass @secured annotation to a Service api , it expects the service api to be authorised.

@jvmlet
Copy link
Collaborator

jvmlet commented Nov 2, 2020

Found the issue with 4.2.0. Till the fix, please camel-case your rpc methods in proto file : SayHello -> sayHello and SayBye ->sayBye

@jvmlet
Copy link
Collaborator

jvmlet commented Nov 2, 2020

Fixed in 4.2.2

@jvmlet jvmlet closed this as completed Nov 2, 2020
@abhishekshenoy
Copy link
Author

@jvmlet thanks for the quick fix, things are working as expected in 4.2.2.

@abhishekshenoy
Copy link
Author

@jvmlet I was trying to leverage expression based access control (SPEL) rules but whenever i define my expressions within @PreAuthorize("") i see that it will make another interceptor call which does not have the SecurityContext and my whole call fails stating Unauthenticated , is there any way how i can implement simple ABAC using SPEL ?

@jvmlet
Copy link
Collaborator

jvmlet commented Nov 2, 2020

Spel expressions are not supported. The nearest you can get is adding your custom Voter

@swarupdonepudi
Copy link

@jvmlet will spel expressions ever be supported ?

@jvmlet
Copy link
Collaborator

jvmlet commented Jan 5, 2021

@swarupdonepudi , yes, eventually 😄 . PRs are welcome

@jvmlet
Copy link
Collaborator

jvmlet commented Jan 5, 2021

@swarupdonepudi , I've created #175 to track it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants