
camel-spring-security: provide reference to the policy when authorization fails

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels:
      None

      Description

      While it is possible to set up different policies to enforce authorization rules on Camel routes with the new camel-spring-security plugin, there is currently no way to tell which policy was being enforced when an org.springframework.security.SpringSecurityException is thrown. It would be very helpful to have a reference to the policy ID in the CamelAuthorizationException or in the headers so we can use it in the onException handlers.

      For example, let's say you have two policies:

        <authorizationPolicy id="user" access="ROLE_USER" authenticationManager="authenticationManager" accessDecisionManager="accessDecisionManager"
          xmlns="http://camel.apache.org/schema/spring-security" />
      
        <authorizationPolicy id="admin" access="ROLE_ADMIN" authenticationManager="authenticationManager" accessDecisionManager="accessDecisionManager"
          xmlns="http://camel.apache.org/schema/spring-security" />
      

      You also have two routes which use these policies:

          <camelContext id="myCamelContext" xmlns="http://camel.apache.org/schema/spring">
              <!-- Single handler shared by both routes: it cannot tell which policy rejected the exchange -->
              <onException useOriginalMessage="true">
                  <exception>org.springframework.security.BadCredentialsException</exception>
                  <handled><constant>true</constant></handled>
                  <to uri="log:auth_error" />
              </onException>
              <!-- Guarded by the "admin" policy (ROLE_ADMIN) -->
              <route>
                  <from uri="direct:adminStart"/>
                  <policy ref="admin">
                      <to uri="mock:end"/>
                  </policy>
              </route>
              <!-- Guarded by the "user" policy (ROLE_USER) -->
              <route>
                  <from uri="direct:userStart"/>
                  <policy ref="user">
                      <to uri="mock:end"/>
                  </policy>
              </route>
          </camelContext>
      

      Both of these routes will fail with an AccessDeniedException if the user doesn't have the proper role, but it would be desirable to handle exceptions for the ROLE_ADMIN failure differently than the ROLE_USER failure, maybe by using a <choice> element in the <onException> element.

      I know we have the CamelFailureEndpoint header, but this isn't very useful when more than one route uses the same authorization policy.

      1. CAMEL-2796.patch
        2 kB
        Paul Mietz Egli
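
An added example (not part of the issue or the attached patch) of the handler the description asks for: one onException clause that branches on the policy that denied access. It assumes the policy ID is exposed as the policyId property of org.apache.camel.CamelAuthorizationException and is readable through the Simple expression ${exception.policyId}; the log endpoint names are hypothetical.

```xml
<camelContext id="myCamelContext" xmlns="http://camel.apache.org/schema/spring">
    <onException useOriginalMessage="true">
        <!-- Assumption: authorization failures surface as CamelAuthorizationException carrying the policy ID -->
        <exception>org.apache.camel.CamelAuthorizationException</exception>
        <handled><constant>true</constant></handled>
        <choice>
            <when>
                <!-- Denied by the "admin" policy (ROLE_ADMIN): log at WARN so it stands out in review -->
                <simple>${exception.policyId} == 'admin'</simple>
                <to uri="log:auth_error.admin?level=WARN"/>
            </when>
            <when>
                <!-- Denied by the "user" policy (ROLE_USER) -->
                <simple>${exception.policyId} == 'user'</simple>
                <to uri="log:auth_error.user"/>
            </when>
            <otherwise>
                <!-- Unknown or missing policy ID: still handled and logged, never passed through -->
                <to uri="log:auth_error"/>
            </otherwise>
        </choice>
    </onException>
    <route>
        <from uri="direct:adminStart"/>
        <policy ref="admin">
            <to uri="mock:end"/>
        </policy>
    </route>
    <route>
        <from uri="direct:userStart"/>
        <policy ref="user">
            <to uri="mock:end"/>
        </policy>
    </route>
</camelContext>
```

Branching on the policy ID rather than on CamelFailureEndpoint keeps the handler correct when several routes share one policy.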

        Activity

        Paul Mietz Egli created issue -
        Willem Jiang made changes -
        Field Original Value New Value
        Assignee Willem Jiang [ njiang ]
        Willem Jiang made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 2.4.0 [ 12250 ]
        Resolution Fixed [ 1 ]
        Paul Mietz Egli made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Paul Mietz Egli made changes -
        Attachment CAMEL-2796.patch [ 19485 ]
        Willem Jiang made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Fix Version/s 2.5.0 [ 12320 ]
        Fix Version/s 2.4.0 [ 12250 ]
        Jeff Turner made changes -
        Project Import Sat Nov 27 00:14:50 EST 2010 [ 1290834890113 ]
        Claus Ibsen made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Willem Jiang
            Reporter:
            Paul Mietz Egli