Open vicmosin opened 7 years ago
SpringEL would be nice to have.
For the traditional use cases, everything should already work out-of-the-box as it makes use of the Servlet API and as long as SpringSecurity sets up Servlet Security properly, it should work. That is the reason you only see exception mappers in that SpringSecurityModule.
So what do you say, should I try to introduce SPEL in SpringSecurityModule or custom (new) module?
if you have time, that would of course be very welcomed
(spring cloud sleuth is another topic on my list)
@remmeier yeah, I'll try to find time.. But my initial question - should it be part of SpringSecurityModule (makes sense to me) or as a new custom module?
I think the same module is fine. Maybe with a property to enable/disable if necessary.
There is the SecurityProvider interface which is hooked into the servlet security api. A Spring-specific implementation to support the EL expression might be necessary. The Crnk SecurityModule could then be configured with EL expressions and would forward them to SecurityProvider.isUserInRole("EL expression") to check authorization.
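Added example, not part of the original thread and not code from Crnk or the gist linked further down: one way a Spring-specific provider could evaluate an EL expression passed to `isUserInRole`. The `RoleCheck` interface and the `SpelSecurityProvider` class are hypothetical stand-ins (the thread only names `SecurityProvider.isUserInRole`); the Spring classes are real. Expressions are assumed to come from trusted module configuration, and the restricted `SimpleEvaluationContext` keeps type references, constructors and bean lookups unavailable.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical stand-in for Crnk's SecurityProvider (assumption: single String argument).
interface RoleCheck {
    boolean isUserInRole(String roleOrExpression);
}

public class SpelSecurityProvider implements RoleCheck {

    private final ExpressionParser parser = new SpelExpressionParser();
    // Parsed expressions are reused; the set of configured expressions is small and fixed.
    private final Map<String, Expression> cache = new ConcurrentHashMap<>();

    @Override
    public boolean isUserInRole(String expression) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false; // fail closed when there is no security context
        }
        // Root object exposing hasRole(..), hasAuthority(..), isAuthenticated(), ...
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        root.setTrustResolver(new AuthenticationTrustResolverImpl());

        // Read-only context: properties and instance methods of the root only.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withInstanceMethods()
                .withRootObject(root)
                .build();

        Expression parsed = cache.computeIfAbsent(expression, parser::parseExpression);
        // Anything other than Boolean.TRUE (including null) denies access.
        return Boolean.TRUE.equals(parsed.getValue(ctx, Boolean.class));
    }
}
```

With this sketch, a configured expression such as `hasRole('ADMIN') or hasAuthority('reports:read')` is checked against the current `Authentication`; a malformed expression raises a parse exception on first use rather than silently granting access.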
@remmeier I have one question regarding the security module..
The security-provider is filled out in either the `crnk-servlet` or `crnk-rs` modules. Otherwise, by injecting `crnk-spring` + `crnk-validation` I get

`java.lang.IllegalStateException: exactly one security provide must be installed, got: [] expected:<1> but was:<0>`

and it actually makes sense of course because none of those modules set the provider explicitly. Which makes me think spring security support doesn't work at all. Enabling the `crnk-servlet` module doesn't really help as well since it has its own `CrnkFilter` implementation which might interfere with `CrnkSpringFilter`. What do you think if I add `SpringSecurityProvider` into `crnk-spring` in order to provide proper support for spring integrations?
crnkservletfilter may should extend servletfilter. that servletmodule is necessary. but i can have a more detailed look tomorrow
the company i work for is now likely also moving to spring, so the entire spring setup will get some more attention from my side.
Ok please check it.. currently in my project we have `crnk-core`, `crnk-spring` and `crnk-security`. While starting the app, `permitRole` fails with error I wrote above..
adding ServletModule to CrnkConfigV3 seems like the best thing to do (next to providing a security setup in the example application to verify everything). Although you also opened up https://github.com/crnk-project/crnk-framework/issues/156, which may need something more elaborate in the SpringSecurityModule.
Yeah, as I wrote I am trying to understand whether it's a bug for all spring apps or just my misconfig...
```java
@Bean
public CrnkBoot crnkBoot(SpringServiceDiscovery serviceDiscovery) {
    CrnkBoot boot = new CrnkBoot();
    boot.setObjectMapper(objectMapper);
    ...
    // Register ServletModule explicitly so that a SecurityProvider is installed
    boot.getModuleRegistry().addModule(new ServletModule(boot.getModuleRegistry().getHttpRequestContextProvider()));
    boot.boot();
    return boot;
}
```
actually helps.. so I guess that's the bug
So I would still introduce `SpringSecurityProvider` which will implement its own version of `isUserInRole` and make it optional i.e. configurable at module definition..
depends on whether the isUserInRole of the Servlet API allows to specify EL expressions. If not, I guess that SpringSecurityProvider would be the way to go.
yeah, sure.. I am talking right now about the issue I found, which is not related to EL.. so do you think it's a bug? The thing that I can't make crnk-spring work with security until I manually add ServletModule..
yes, then let us add that to CrnkConfigV3
PR is ready, could you please build some intermediate release as well?
release without https://github.com/crnk-project/crnk-framework/pull/165 yet? Then I can promote it as soon as it has run through.
I have no time for 165 for now.. Wanted to do this during weekend or next week..
you can also let me know when I should do something.
a 2.4.x version will appear at some point within the next hour on maven central.
If interested I've created a gist that works with Spel Expressions, just an extract from our code. https://gist.github.com/nickbuller/a09290ed67c36cce1d32a12bdbe7a592
@remmeier I would love to have a spring security's based SecurityModule so one can not only provide list of roles for each resource, but the full list of Spring EL expressions. I noticed there is a `SpringSecurityModule` in `crnk-spring` module but it's empty mostly.. Any movements into that directions planned?