KYLO-1454: No longer create ROLE_* authorities for groups.

sb003a · Feb 13, 2018 · db912a4 · db912a4
1 parent 800f629
commit db912a4
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 9 deletions.
diff --git a/...th-simple/src/main/java/com/thinkbiganalytics/auth/AuthServiceAuthenticationProvider.java b/...th-simple/src/main/java/com/thinkbiganalytics/auth/AuthServiceAuthenticationProvider.java
@@ -27,7 +27,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
+//import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -54,7 +54,7 @@ public Authentication authenticate(Authentication authentication)
 
         if (authenticationService.authenticate(name, password)) {
             List<GrantedAuthority> grantedAuths = new ArrayList<>();
-            grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+//            grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
             return new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
         } else {
             return null;

diff --git a/...ecurity-auth/src/main/java/com/thinkbiganalytics/auth/GroupPrincipalAuthorityGranter.java b/...ecurity-auth/src/main/java/com/thinkbiganalytics/auth/GroupPrincipalAuthorityGranter.java
@@ -32,10 +32,13 @@
 import java.util.Set;
 
 /**
- * A granter that, when presented with a Group principal, returns a set containing the name of that principal (the group's name)
- * and another name constructed by prefixing "ROLE_" to the upper case principal name (Spring's default role name format.)
+ * A granter that, when presented with a Group principal, returns a set containing the name of that principal (the group's name.)
  * If the group contains member principals then it will add authorities for those as well; including, recursively, any of the 
  * member's memberships if they are groups themselves.
+ * <p>
+ * Previously, this provider would also constructed an authority that prefixed "ROLE_" to the upper case principal name 
+ * (Spring's default role name format) for each group.  This was to support spring's role-based access control such as
+ * with annotations.  But since we do not use spring annotations for access control these are not needed.
  */
 public class GroupPrincipalAuthorityGranter implements AuthorityGranter {
 
@@ -59,8 +62,9 @@ private void addAuthorities(Principal principal, Set<String> authorities) {
         authorities.add(name);
 
         if (principal instanceof Group) {
-            String springRole = name.toUpperCase().startsWith("ROLE_") ? name.toUpperCase() : "ROLE_" + name.toUpperCase();
-            authorities.add(springRole);
+            // If it is ever decided to use spring's role-based access control (unlikely) then we can re-enable the code below.
+//            String springRole = name.toUpperCase().startsWith("ROLE_") ? name.toUpperCase() : "ROLE_" + name.toUpperCase();
+//            authorities.add(springRole);
 
             Enumeration<? extends Principal> members = ((Group) principal).members();
             while (members.hasMoreElements()) {

diff --git a/...ty/security-auth/src/main/java/com/thinkbiganalytics/auth/ServiceAuthenticationToken.java b/...ty/security-auth/src/main/java/com/thinkbiganalytics/auth/ServiceAuthenticationToken.java
@@ -41,8 +41,7 @@ public class ServiceAuthenticationToken extends AbstractAuthenticationToken {
     private static final UsernamePrincipal USER = new UsernamePrincipal("service");
 
     public ServiceAuthenticationToken() {
-        super(Arrays.asList(new JaasGrantedAuthority("ROLE_SERVICE", new ServiceAdminPrincipal()),
-                            new JaasGrantedAuthority("admin", new ServiceAdminPrincipal()))); // ModeShape role
+        super(Arrays.asList(new JaasGrantedAuthority("admin", new ServiceAdminPrincipal()))); // ModeShape role
     }
 
     /* (non-Javadoc)

diff --git a/...security-auth/src/main/java/com/thinkbiganalytics/auth/UserPrincipalAuthorityGranter.java b/...security-auth/src/main/java/com/thinkbiganalytics/auth/UserPrincipalAuthorityGranter.java
@@ -33,6 +33,10 @@
 
 /**
  * A granter that, when presented with a UsernamePrincipal, returns a set containing its name and the "ROLE_USER" role name.
+ * <p>
+ * Previously, this provider would also constructed an authority with the name "ROLE_USER" (Spring's default role name format) for the user.  
+ * This was to support spring's role-based access control such as with annotations.  But since we do not use spring annotations for access 
+ * control these are not needed.
  */
 public class UserPrincipalAuthorityGranter implements AuthorityGranter {
 
@@ -44,7 +48,9 @@ public Set<String> grant(Principal principal) {
         if (principal instanceof UsernamePrincipal) {
             String name = principal.getName();
 
-            return Sets.newHashSet(name, "ROLE_USER");
+            // If it is ever decided to use spring's role-based access control (unlikely) then we can use the code below instead.
+//            return Sets.newHashSet(name, "ROLE_USER");
+            return Sets.newHashSet(name);
         } else {
             return null;
         }