4

If I have a controller method

@RequestMapping (value = "/boards/{id}")
public String viewBoard(@PathVariable(value="id") String id){/*..*/}

How can I dynamically, at run-time, pre-authorize the user for it by querying the database and getting the desired value for that board id access (for the logged-in user)?

I tried to research runtime dynamic Spring Security permissions with Spring Security roles but couldn't find a working example.


Further elaboration:

It means that every time the user wants to access that method, the database is checked to see whether the user has permissions for it.

This cannot be done in roles as there might be millions of cases, e.g. one user may have view access for board id 3 but not for board id 10003.


Some links I got:

http://docs.spring.io/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security

http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

http://www.javabeat.net/separating-roles-and-permissions-in-spring-security/


Further info:

I am using public class CustomUserDetailsService implements UserDetailsService{ to give users Roles at login time. But that's a different story.

Masood Ahmad
  • You can create a custom filter that intercepts all requests to filter dynamically – Evgeni Dimitrov Feb 23 '14 at 19:16
  • Take a look here. http://stackoverflow.com/questions/17803406/best-way-to-create-custom-method-security-expression. If you feel that this post can be useful and it could be what you need, I can give you more details and elaborate an answer. – gipinani Feb 23 '14 at 22:03

1 Answer

0

You can extend Spring Security to provide your own expressions, next to hasRole.

See this question for an example: How to create custom methods for use in spring security expression language annotations

One important point when looking for examples: pay attention that the example is for the METHOD-Resolver, not for the WEB-Resolver!

Ralph
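An added example, not part of the original answer or of Spring's own code: one way to get the per-board database check through the method-security expression handler is the built-in hasPermission expression backed by a custom PermissionEvaluator, used here instead of defining a new expression name. The class names, the board_permission table and its columns are assumptions made for the illustration.

```java
import java.io.Serializable;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

// Hypothetical table: board_permission(username, board_id, permission).
class BoardPermissionEvaluator implements PermissionEvaluator {
    private final JdbcTemplate jdbc;
    BoardPermissionEvaluator(DataSource ds) { this.jdbc = new JdbcTemplate(ds); }

    @Override // object-based form is unused here, so deny
    public boolean hasPermission(Authentication auth, Object target, Object permission) { return false; }

    @Override // id-based form: queried on every call, nothing cached in roles
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        if (auth == null || !"Board".equals(type) || id == null) return false; // fail closed
        long boardId;
        try { boardId = Long.parseLong(id.toString()); }
        catch (NumberFormatException e) { return false; } // malformed id: deny
        Integer rows = jdbc.queryForObject(
            "SELECT COUNT(*) FROM board_permission WHERE username = ? AND board_id = ? AND permission = ?",
            Integer.class, auth.getName(), boardId, String.valueOf(permission));
        return rows != null && rows > 0;
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired private DataSource dataSource;

    @Override // plug the evaluator into the METHOD expression handler
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
        h.setPermissionEvaluator(new BoardPermissionEvaluator(dataSource));
        return h;
    }
}

// Usage on the controller method from the question:
//   @PreAuthorize("hasPermission(#id, 'Board', 'view')")
//   public String viewBoard(@PathVariable(value="id") String id){/*..*/}
```

Method security only applies to beans in the application context where it is enabled, so for annotations on controllers this configuration has to be loaded in the same context as the controllers.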