Facing issues with Authorization of services

[abhishekshenoy]

Have setup a sample maven spring-boot app to test out spring security implementation. I have had success with authentication but facing issues in authorisation. Have tested in both version 4.1.0 and 4.2.0.

4.1.0 -> https://github.com/abhishekshenoy/grpc-service
4.2.0 -> https://github.com/abhishekshenoy/grpc-service/tree/spring-grpc-4.2.0

My spring security test config looks as below :

 @Override
  public void configure(GrpcSecurity builder) throws Exception {
    builder
        .authorizeRequests()
        .withSecuredAnnotation()
        .authenticationProvider(
            new AuthenticationProvider() { ....}
}

Have 2 services as below

  @Override
  public void sayBye(ByeRequest request, StreamObserver<ByeReply> responseObserver) {
    ByeReply reply = ByeReply.newBuilder().setMessage("Bye ==> " + request.getName()).build();
    responseObserver.onNext(reply);
    responseObserver.onCompleted();
  }

  @Override
  @Secured("ROLE_EDITOR")
  public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
    HelloReply reply = HelloReply.newBuilder().setMessage("Hello ==> " + request.getName()).build();
    responseObserver.onNext(reply);
    responseObserver.onCompleted();
  }

Secured Service : sayHello
Non Secure Service: sayBye

Have setup 4 tests and they behave different in the 2 versions:

In 4.1.0

1. secureServiceWithAuthenticatedandAuthorizedUser() : Test Passes
2. secureServiceWithAuthenticatedandNonAuthorizedUser() : Test Passes (Throws Access denied exception as expected)
3. secureServiceAccessByNonAuthenticatedNonAuthorizedUser(): Test Passes (Throws Unauthenticated exception as expected)
4. nonSecureServiceWithAuthenticatedButNonAuthorizedUser(): Test Fails (This should pass as the service is non secure ) (Please enable the test to run it)

In 4.2.0

1. secureServiceWithAuthenticatedandAuthorizedUser() : Test Passes
2. secureServiceWithAuthenticatedandNonAuthorizedUser() : Test Fails (Does not throw an Access denied exception as expected)
3. secureServiceAccessByNonAuthenticatedNonAuthorizedUser(): Test Fails (Does not throw an Access denied exception as expected)
4. nonSecureServiceWithAuthenticatedButNonAuthorizedUser(): Test Passes

Can someone please check the above ? My problem is actually being able to distinguish between services which only need authentication to be accessed vs the ones that need both authentication as well as authorisation to be accessed. Currently in 4.1.0 , even if i do not pass @secured annotation to a Service api , it expects the service api to be authorised.

[jvmlet]

Found the issue with 4.2.0. Till the fix, please camel-case your rpc methods in proto file : SayHello -> sayHello and SayBye ->sayBye

[jvmlet]

Fixed in 4.2.2

[abhishekshenoy]

@jvmlet thanks for the quick fix, things are working as expected in 4.2.2.

[abhishekshenoy]

@jvmlet I was trying to leverage expression based access control (SPEL) rules but whenever i define my expressions within @PreAuthorize("") i see that it will make another interceptor call which does not have the SecurityContext and my whole call fails stating Unauthenticated , is there any way how i can implement simple ABAC using SPEL ?

[jvmlet]

Spel expressions are not supported. The nearest you can get is adding your custom Voter

[swarupdonepudi]

@jvmlet will spel expressions ever be supported ?

[jvmlet]

@swarupdonepudi , yes, eventually 😄 . PRs are welcome

[jvmlet]

@swarupdonepudi , I've created #175 to track it