
ADD PermissionVoter for wildcard permissions gh-4611 #5467


Closed · wants to merge 1 commit

Conversation

HerrDerb

I was in need of permission-based method security. As I was already using Spring Security, I did not want to integrate Apache Shiro too, which already knows hierarchical wildcard permissions. Also I figured it would not be too hard to implement it. Seeing in #4661 [Feature request] Feature similar to Shiro Wildcard Permission that I wasn't the only one desiring this feature, I would like to make it my first contribution.

Hierarchical wildcard permission
A hierarchical wildcard permission is a dynamic permission definition.
A permission consists of three parts:

  1. Path (custom path pointing to a specific application component/resource)
  2. Permissions (the actual permission tokens like read, write, delete)
  3. Object identifiers (imply an additional filtering of the resource)

Example:

  • myApp.userMgmt.**:read,write -> implies rights to read and write on all components/resources of the user management
  • myApp.logMgmt.systemLog:delete -> implies rights to delete system logs
  • myApp.fleetMgmt.trains:*:TR415,TR420 -> implies full rights for the trains TR415,TR420
  • ** -> implies almighty powers

What's implemented
The content of the pull request is basic. It contains a PermissionVoter, its PermissionVoterTests and a Permission helper object which extends GrantedAuthority. The idea of extending GrantedAuthority is that a Permission can be added to an Authentication for further distinction.

The current way to use the PermissionVoter is by defining a custom GlobalMethodSecurityConfiguration:

import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    @Override
    public AccessDecisionManager accessDecisionManager() {
        // PermissionVoter first, so a matching wildcard permission grants access;
        // AuthenticatedVoter still handles IS_AUTHENTICATED_* attributes.
        List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
        decisionVoters.add(new PermissionVoter());
        decisionVoters.add(new AuthenticatedVoter());
        return new AffirmativeBased(decisionVoters);
    }
}

Afterwards, @Secured tags containing permission strings are supported.

@Secured(value = "myApp.userMgmt.users:read")
public void getUsers() {
    // method body omitted in the original
}

What's not implemented
It would be desirable to have a @Permitted annotation. The given values of this annotation could be used to create PermissionConfigAttribute objects, which would then allow a supports() filtering inside of the PermissionVoter. As this is not implemented yet, it might cause issues when combining RoleVoter and PermissionVoter, as the PermissionVoter currently accepts every ConfigAttribute.
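To make the three-part format above concrete, here is an added example (not the PR's own PermissionVoter or Permission class, and not Spring Security code) of a plain-Java matcher for strings of the form path:permissions[:objectIdentifiers]. The matching rules are assumptions chosen to reproduce the examples listed in the description: a path segment * matches exactly one segment, ** matches any number of remaining segments, a permissions part of * implies every permission, and a grant without an object-identifier part covers every object, while a grant restricted to identifiers only covers those identifiers. The class name WildcardPermission and the helper isGranted are hypothetical.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical matcher for "path:permissions[:objectIdentifiers]" strings.
 * The matching semantics are assumptions for this example, not the rules of
 * the PR's PermissionVoter.
 */
public final class WildcardPermission {

    private final String[] path;      // e.g. ["myApp", "userMgmt", "**"]
    private final Set<String> perms;  // e.g. {"read", "write"} or {"*"}
    private final Set<String> ids;    // empty set means "all objects"

    public WildcardPermission(String definition) {
        String[] parts = definition.split(":", -1);
        if (parts.length > 3 || parts[0].isEmpty()) {
            throw new IllegalArgumentException("expected path:perms[:ids], got: " + definition);
        }
        this.path = parts[0].split("\\.");
        // A bare path such as "**" is read as "every permission" on that path.
        this.perms = parts.length > 1 ? split(parts[1]) : Collections.singleton("*");
        Set<String> idTokens = parts.length > 2 ? split(parts[2]) : Collections.<String>emptySet();
        // An identifier list of "*" is the same as no restriction at all.
        this.ids = idTokens.contains("*") ? Collections.<String>emptySet() : idTokens;
    }

    private static Set<String> split(String csv) {
        Set<String> tokens = new HashSet<>();
        for (String token : csv.split(",")) {
            if (!token.trim().isEmpty()) {
                tokens.add(token.trim());
            }
        }
        if (tokens.isEmpty()) {
            throw new IllegalArgumentException("empty token list in: " + csv);
        }
        return tokens;
    }

    /** Segment-wise path match; "*" consumes one segment, "**" zero or more. */
    private static boolean pathImplies(String[] granted, String[] required, int g, int r) {
        if (g == granted.length) {
            return r == required.length;
        }
        if (granted[g].equals("**")) {
            for (int skip = r; skip <= required.length; skip++) {
                if (pathImplies(granted, required, g + 1, skip)) {
                    return true;
                }
            }
            return false;
        }
        if (r == required.length) {
            return false;
        }
        if (granted[g].equals("*") || granted[g].equals(required[r])) {
            return pathImplies(granted, required, g + 1, r + 1);
        }
        return false;
    }

    /** True if this (granted) permission covers the required one. */
    public boolean implies(WildcardPermission required) {
        if (!pathImplies(path, required.path, 0, 0)) {
            return false;
        }
        if (!perms.contains("*") && !perms.containsAll(required.perms)) {
            return false;
        }
        // An unrestricted grant covers any object; a grant listing specific
        // identifiers never covers a request for "all objects".
        return ids.isEmpty() || (!required.ids.isEmpty() && ids.containsAll(required.ids));
    }

    /** Voter-style decision: access if any granted authority implies the requirement. */
    public static boolean isGranted(Collection<String> grantedAuthorities, String required) {
        WildcardPermission needed = new WildcardPermission(required);
        for (String authority : grantedAuthorities) {
            if (new WildcardPermission(authority).implies(needed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample of the authorities one user might hold (the PR's examples).
        List<String> granted = Arrays.asList(
                "myApp.userMgmt.**:read,write",
                "myApp.logMgmt.systemLog:delete",
                "myApp.fleetMgmt.trains:*:TR415,TR420");
        List<String> checks = Arrays.asList(
                "myApp.userMgmt.users:read",
                "myApp.userMgmt.users:delete",
                "myApp.logMgmt.auditLog:delete",
                "myApp.fleetMgmt.trains:write:TR415",
                "myApp.fleetMgmt.trains:write:TR999",
                "myApp.fleetMgmt.trains:write");
        for (String required : checks) {
            System.out.println(required + " -> " + (isGranted(granted, required) ? "granted" : "denied"));
        }
        System.out.println("** vs anything.at.all:delete:X -> "
                + (isGranted(Collections.singletonList("**"), "anything.at.all:delete:X") ? "granted" : "denied"));
    }
}
```

The last rule in implies is the one that matters for a voter: a user granted myApp.fleetMgmt.trains:*:TR415,TR420 must not be treated as having myApp.fleetMgmt.trains:write on every train, so an object-scoped grant only implies requirements that name a subset of its identifiers.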

The PermissionVoter allows the use of hierarchical wildcard permissions such as
test.*.sub1:read,write for method security with @Secured.
Fixes gh-4611
@pivotal-issuemaster

@HerrDerb Please sign the Contributor License Agreement!

@pivotal-issuemaster

@HerrDerb Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@marcusdacoregio marcusdacoregio self-assigned this Nov 16, 2021
@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@marcusdacoregio marcusdacoregio removed the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@marcusdacoregio (Contributor)

Hi @HerrDerb, thank you for your contribution.

Since we are moving to use the AuthorizationManager I feel that this PR is not valid anymore.

Also, not sure if the use case is common enough to have an out-of-the-box implementation. We can continue the discussion on #4611.

@marcusdacoregio marcusdacoregio added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 16, 2021
Labels: status: invalid (An issue that we don't feel is valid)
4 participants