0

How to generate "intercept-url" dynamically. My user name and roles are stored in database, I want to map all these users in to spring security.Is there any way to do this?

V_K
  • 226
  • 1
  • 10
  • Can you be more specific what your goals are? You want to secure user specific URLs (e.g. `/my-app/user/{userName}/**`)? – Pavel Horal May 31 '13 at 08:40
  • Yes i want to secure URLs. But which user is authorized to access the page that data i want to store in database. – V_K May 31 '13 at 09:29
  • Spring's `WebExpressionVoter` might be of interest to you. – Pavel Horal May 31 '13 at 09:35
  • duplicate of http://stackoverflow.com/questions/6893061/how-to-dynamically-decide-intercept-url-access-attribute-value-in-spring-secur – Maksym Demidas May 31 '13 at 12:40
  • The accepted answer in the referenced question is overly complex and non-dynamic (security metadata are parsed only during application startup). Using custom SPeL method via `WebExpressionVoter` check is better. – Pavel Horal May 31 '13 at 14:40

2 Answers2

0

You'll have to provide your own implementation of com.icod.solapCore.spring.security.FilterInvocationSecurityMetadataSource.

This could look like this : 

public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

      @Override
      public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation filterInvocation = (FilterInvocation) object;
        HttpServletRequest request = filterInvocation.getHttpRequest();
        Collection<ConfigAttribute> result = new ArrayList<ConfigAttribute>();
        // Find roles in database that secures the specified request
        // ...
        // For any role found, create a SecurityConfig object prefixed with "ROLE_" ex : 
        // for(String role : roles) {
        //   ConfigAttribute attribute = new SecurityConfig("ROLE_"+roleFound);
        //   result.add(attribute);
        // }

        return result;
      }

      @Override
      public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
      }

      @Override
      public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
      }
}

And then you'll have to replace the default FilterInvocationSecurityMetadataSource with your own. I do it with a BeanPostProcessor, called after spring read the configuration file but before it makes the configuration official. Looks like this : 

public class MyFilterInvocationSecurityMetadataSourceBeanPostProcessor implements BeanPostProcessor {

  private FilterInvocationSecurityMetadataSource metadataSource = new MyFilterInvocationSecurityMetadataSource();

  @Override
  public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
    if (bean instanceof FilterInvocationSecurityMetadataSource) {
      return metadataSource;
    }
    return bean;
  }

  @Override
  public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
    return bean;
  }
}

Then you just have to configure the bean post processor : 

<bean id="solapcoreFilterInvocationSecurityMetadataSourceBeanPostProcessor" class="foo.bar.MyFilterInvocationSecurityMetadataSourceBeanPostProcessor"/>

Hope this help.

baraber
  • 3,296
  • 27
  • 46
-1

Give all your users same role and operate with this role in config.

You can read abour roles here

vacuum
  • 2,273
  • 3
  • 20
  • 32