A Fresh Look at Spring Security Access Control
Today’s blog is a deep dive into various types of access control. I’ll be reviewing the differences between Expression-Based Access Control, Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC), with a deeper focus on how we can use Expression-Based Access Control and Spring Expression Language (SpEL) expressions for fine-grained access control.
What is Expression-Based Access Control?
Simply put, Expression-Based Access Control means writing authorization rules as Spring Expression Language (SpEL) expressions that evaluate to true (grant) or false (deny). Spring Security 3.0 introduced the ability to use SpEL expressions as an authorization mechanism, in addition to the simpler configuration attributes and access-decision voters that existed before.
Is it Attribute Based Access Control (ABAC)?
No, but Attribute Based Access Control (ABAC) can be implemented on top of Spring Security’s expression support.
Here is a high level definition of Attribute Based Access Control (ABAC) according to NIST Special Publication 800-162:
An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions
With this in mind, we can write our own Spring Expression Language (SpEL) expressions, or Spring beans that those expressions call, and use them from the existing @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter annotations, from sec:authorize tags, and even from intercept-url access conditions.
Is it Role Based Access Control (RBAC)?
No, Expression-Based Access Control is not equivalent to Role Based Access Control (RBAC), but Spring Security’s built-in expressions include role checks, so RBAC is available out of the box. For instance, these two common expressions let us implement Role Based Access Control (RBAC) with ease:
However, when writing fine-grained authorization rules, we quickly find ourselves writing SpEL expressions that go beyond the granularity that RBAC can express.
Web Security Expressions
Spring Security allows us to secure URLs using Expression-Based Access Control. Each expression must evaluate to true or false, which decides whether access is granted. An example of restricting access in a RESTful application based on userID in a Java configuration:
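As an added example (not code from the original post), here is a Java configuration that restricts a REST URL to the user it belongs to. The expression references a bean (@userSecurity) and binds the {userId} path variable as #userId; it also uses hasRole(), one of the built-in role expressions mentioned in the RBAC section above. It targets the Spring Security 4.1 to 5.x Java configuration API; the bean name userSecurity, the /api/users/{userId}/** URL layout and the ROLE_ADMIN override are assumptions for illustration.

```java
// Added example, not the original post's code. Assumptions: bean name
// "userSecurity", URL layout /api/users/{userId}/**, and a ROLE_ADMIN override.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // #userId is bound from the {userId} path template and
                // "authentication" is the current Authentication object.
                // The bean method must return a boolean.
                .antMatchers("/api/users/{userId}/**")
                    .access("@userSecurity.isOwner(authentication, #userId) or hasRole('ADMIN')")
                // Everything else requires an authenticated caller, so the
                // configuration is deny-by-default for anonymous users.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

/**
 * Bean referenced from the expression above. Keeping the comparison in Java
 * rather than inside the SpEL string keeps the expression readable and makes
 * the rule unit-testable.
 */
@Component("userSecurity")
class UserSecurity {

    public boolean isOwner(Authentication authentication, String userId) {
        // An anonymous request still carries an Authentication (with the name
        // "anonymousUser"), so reject it explicitly rather than comparing names.
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        // Assumption: the principal's username is the same identifier that
        // appears in the URL. Compare exactly; never use prefix or contains matching.
        return authentication.getName().equals(userId);
    }
}
```

With this in place, GET /api/users/alice/orders succeeds for alice or for anyone holding ROLE_ADMIN, and is refused for bob. The anonymous check matters: without it, a path such as /api/users/anonymousUser/... would match the anonymous principal's name.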
Method Security Expressions
Method security goes beyond a simple permit or deny. There are four annotations that take expression attributes to perform pre- and post-invocation authorization checks, and also to filter submitted collection arguments or returned values.
- @PreAuthorize, the most commonly used, decides whether a method can be invoked at all.
- @PostAuthorize, which is used less often, performs an access-control check after the method has been invoked and can refer to the method’s return value as returnObject.
- With @PostFilter, Spring Security iterates through the returned collection and removes any items for which the provided expression is false; the current element is referenced as filterObject.
- @PreFilter filters a collection argument before the method is called; it is the least commonly used of the four.
Below we have an example of @PostFilter, which can be combined with @PreAuthorize for more fine-grained security:
@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
public List getAll();
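As an added example (not the original post’s code), the following shows the combination the text describes in a complete form: @PreAuthorize gates the call, @PostFilter prunes the returned list, and a PermissionEvaluator gives hasPermission() its meaning, since Spring Security provides no behaviour for it until one is registered. The Document type, DocumentService, DocumentPermissionEvaluator and the in-memory ACL are assumptions constructed for illustration; the configuration uses the Spring Security 5.x @EnableGlobalMethodSecurity style.

```java
// Added example, not the original post's code. Document, DocumentService,
// DocumentPermissionEvaluator and the sample ACL below are constructed for illustration.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

/** Minimal domain object so that hasPermission(filterObject, ...) has something to inspect. */
public class Document {
    private final long id;
    private final String owner;

    public Document(long id, String owner) { this.id = id; this.owner = owner; }
    public long getId() { return id; }
    public String getOwner() { return owner; }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize, @PostFilter and friends
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        // Without this, hasPermission() always evaluates to false (DenyAllPermissionEvaluator).
        handler.setPermissionEvaluator(new DocumentPermissionEvaluator());
        return handler;
    }
}

/** Decides what 'read' and 'admin' mean for a Document. */
class DocumentPermissionEvaluator implements PermissionEvaluator {

    // Constructed sample ACL: document id -> usernames allowed to read it.
    private static final Map<Long, Set<String>> READERS = Map.of(
            1L, Set.of("alice", "bob"),
            2L, Set.of("alice"));

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Document)) {
            return false;
        }
        Document doc = (Document) target;
        String user = auth.getName();
        if ("admin".equals(permission)) {
            return auth.getAuthorities().stream()
                    .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        }
        if ("read".equals(permission)) {
            return user.equals(doc.getOwner())
                    || READERS.getOrDefault(doc.getId(), Set.of()).contains(user);
        }
        return false; // unknown permission names are denied, not silently granted
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false; // id-based form is not used here; deny rather than fall open
    }
}

@Service
class DocumentService {

    // hasRole('USER') matches the authority "ROLE_USER" (the ROLE_ prefix is added for you).
    @PreAuthorize("hasRole('USER')")
    @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
    public List<Document> getAll() {
        // @PostFilter removes elements in place, so the returned list must be mutable:
        // List.of(...) or Collections.unmodifiableList(...) would throw
        // UnsupportedOperationException the first time an item is filtered out.
        return new ArrayList<>(List.of(
                new Document(1L, "carol"),
                new Document(2L, "carol"),
                new Document(3L, "bob")));
    }
}
```

For a caller bob with ROLE_USER, getAll() returns documents 1 (listed reader) and 3 (owner) and drops document 2; a caller without ROLE_USER is rejected by @PreAuthorize before the method body runs. The PermissionEvaluator is also the natural place to delegate the decision to an external policy engine instead of a local ACL.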
How do you work with Spring Expression Language (SpEL) expressions for fine grained access control and Attribute Based Access Control (ABAC)?
As a provider of externalized dynamic authorization, also referred to as Attribute Based Access Control (ABAC) we closely integrate with Spring Security’s Expression Based Access Control. This means that we can write Spring Expression Language (SpEL) expressions for fine grained access control and send the requests to a Policy Decision Point (PDP).
Due to its power, ease of configuration, and support for Spring Expression Language (SpEL), it’s no wonder why we all love Spring Security so much. Here at Axiomatics, we support many customers using Spring Security and we provide SDKs for the integration to our dynamic authorization suite, in addition to technical guidance from our team.