
I've developed a web app in Java with the Spring Framework, and I'm using Spring Security 3.0 for security.

I use Spring Security for database-backed login authentication, URL access control and its default session management. Now I want to assign URL access rights dynamically from a form rather than defining them in an XML file, which I'm finding a bit difficult in Spring Security.

Struts.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">

<struts>
<!-- Keep devMode disabled outside development: it switches on debugging aids that
     should not be exposed to end users. -->
<constant name="struts.devMode" value="false" />

<!-- Tells the Struts filter to leave the Spring Security login-processing URL alone.
     NOTE(review): the same constant name is defined twice. Struts holds one value per
     constant, so only one of the two definitions can take effect (presumably the later
     one); keep a single definition.
     NOTE(review): the value is a comma-separated list of regular expressions and XML
     attribute values have no backslash escaping, so "\\." reaches the regex engine as a
     literal backslash followed by "any character", not as a literal dot. A single "\."
     was probably intended; confirm. -->
<constant name="struts.action.excludePattern" value="/j_spring_security_check" />
<constant name="struts.action.excludePattern"
    value="/j_spring_security_check.*,.*\\.j_spring_security_check" />
<!-- Base package that the namespaced packages in this file extend. It declares no
     namespace attribute, so its actions live in the Struts default namespace.
     NOTE(review): Struts falls back to the default namespace when an action name is not
     found in the requested namespace, so lead_home and baseTemplate are presumably
     reachable under more than one URL path. URL-pattern access rules should therefore
     not assume one fixed path for them; confirm against the access rules in
     spring-security.xml. -->
<package name="lms"  extends="struts-default,json-default">

    <!-- /** defining result types for implementing tiles **/ -->
    <result-types>
        <result-type name="tiles"  class="org.apache.struts2.views.tiles.TilesResult" />
        <result-type name="plainText" class="org.apache.struts2.dispatcher.PlainTextResult" />
        <result-type name="json" class="org.apache.struts2.json.JSONResult" />
    </result-types>


    <!-- Only the JSON interceptor is registered here. The storeStack / retrieveStack
         definitions below are commented out (twice), so no custom interceptor stack is
         active in this package. -->
    <interceptors>
        <interceptor name="json"
            class="org.apache.struts2.json.JSONInterceptor" />
            <!-- <interceptor-stack name="storeStack">
            <interceptor-ref name="defaultStack" />
            <interceptor-ref name="store">
                <param name="operationMode">STORE</param>
            </interceptor-ref>
        </interceptor-stack>

        <interceptor-stack name="retrieveStack">
            <interceptor-ref name="defaultStack" />
            <interceptor-ref name="store">
                <param name="operationMode">RETRIEVE</param>
            </interceptor-ref>
        </interceptor-stack> -->

    </interceptors>
    <!-- <interceptors>
        <interceptor-stack name="storeStack">
            <interceptor-ref name="defaultStack" />
            <interceptor-ref name="store">
                <param name="operationMode">STORE</param>
            </interceptor-ref>
        </interceptor-stack>

        <interceptor-stack name="retrieveStack">
            <interceptor-ref name="defaultStack" />
            <interceptor-ref name="store">
                <param name="operationMode">RETRIEVE</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors> -->
    <!-- No class attribute: the action only renders the lead_tiles Tiles definition. -->
    <action name="lead_home">
        <result type="tiles">lead_tiles</result>
    </action>

    <!-- NOTE(review): empty action name with an empty result; the purpose is not visible
         from this file. Confirm it is needed. -->
    <action name="">
        <result></result>
    </action>
    <!-- Renders /dashboard.jsp, the same page form-login uses as default-target-url.
         NOTE(review): no intercept-url pattern in spring-security.xml matches
         /dashboard.jsp or this action name, so the access rule that protects it is not
         visible on this page. -->
    <action name="baseTemplate">
        <result>/dashboard.jsp</result>
    </action>

    </package>


<!-- #####[Lead_Setup_Source]#### -->
<!-- Lead source setup screens. The namespace /lead/setup/source is the path prefix that
     the "/lead/setup/source/**" intercept-url rule in spring-security.xml restricts. -->
<package name="lead_setup_source" namespace="/lead/setup/source" extends="lms">

    <!-- Shows the lead source form. -->
    <action name="getForm" class="com.tpc.action.LeadSourceAction">
        <result type="tiles">setup_lead_source</result>
    </action>

    <!-- Single entry point for the form's actions; the result names suggest it handles
         save, update and delete.
         NOTE(review): no token interceptor is configured here and Spring Security 3.x
         has no built-in CSRF protection, so these state-changing requests rely on the
         session cookie alone. Consider the Struts token or tokenSession interceptor.
         NOTE(review): ${action_msg} is evaluated from the action and sent as a redirect
         parameter, so it ends up in the URL of the next request. Whatever renders it
         must escape it, and it should not carry sensitive data. -->
    <action name="formAction" method="actionTriggerLeadSource"
        class="com.tpc.action.LeadSourceAction">
        <result name="SAVE_SUCCESS" type="redirectAction">
            <param name="actionName">getList</param>
            <param name="action_msg">${action_msg}</param>
        </result>
        <result name="SAVE_ERROR" type="tiles">setup_lead_source</result>
        <result name="UPDATE_ERROR" type="tiles">setup_lead_source</result>
        <result name="DELETE_ERROR" type="tiles">setup_lead_source</result>
        <result name="UPDATE_SUCCESS" type="redirectAction">
            <param name="actionName">getList</param>
            <param name="action_msg">${action_msg}</param>
        </result>
        <result name="DELETE_SUCCESS" type="redirectAction">
            <param name="actionName">getList</param>
            <param name="action_msg">${action_msg}</param>
        </result>
        <!-- Plain redirect to a relative location, unlike the redirectAction results above. -->
        <result name="NEW_SUCCESS" type="redirect">getForm</result>
    </action>

    <!-- Loads one lead source into the form view. -->
    <action name="getById" method="actionGetLeadSource"
        class="com.tpc.action.LeadSourceAction">
        <result name="success" type="tiles">setup_lead_source</result>
    </action>

    <!-- Lists lead sources; target of the redirects issued by formAction. -->
    <action name="getList" method="actionGetListLeadSource"
        class="com.tpc.action.LeadSourceAction">
        <result name="success" type="tiles">setup_lead_source_list</result>
    </action>

</package>


<!-- #####[Lead_Source_Event]#### -->
<!-- Lead source event screens. The namespace /lead/setup/source_event is the path prefix
     that the "/lead/setup/source_event/**" intercept-url rule in spring-security.xml
     restricts.
     An interceptor-ref placed on an action replaces the package default stack for that
     action, so each action below runs exactly the interceptors it lists. "store" is not
     defined in this file; presumably it is the message store interceptor inherited from
     struts-default. -->
<package name="lead_setup_source_event" namespace="/lead/setup/source_event" extends="lms">

    <!-- NOTE(review): only "store" is referenced, so nothing from defaultStack
         (parameter binding, validation, exception mapping) runs for this action.
         Confirm that is intended. -->
    <action name="getForm" method="loadLeadSourceEventForm" class="com.tpc.action.LeadSourceEventAction">
        <interceptor-ref name="store">
            <param name="operationMode">RETRIEVE</param>
        </interceptor-ref>
        <result name="success" type="tiles">setup_lead_source_event</result>
        <result name="error" type="tiles">setup_lead_source_event</result>
    </action>

    <!-- Entry point for create, update and delete (judging by the result names). Here
         "store" runs before defaultStack, whereas getById lists them the other way round.
         NOTE(review): no token interceptor is configured and Spring Security 3.x has no
         built-in CSRF protection; consider the Struts token or tokenSession interceptor
         for these state-changing requests. -->
    <action name="formAction" method="triggerAction" class="com.tpc.action.LeadSourceEventAction">
        <interceptor-ref name="store">
            <param name="operationMode">STORE</param>
        </interceptor-ref>
        <interceptor-ref name="defaultStack" />

        <!-- The record id is passed on as a redirect parameter, so it is visible in the
             URL. The receiving action should check that the current user may access
             that record rather than trusting the parameter. -->
        <result name="CREATE_SUCCESS" type="redirectAction">
            <param name="actionName">getList</param>
            <param name="lead_source_e_id">${lead_source_e_id}</param>
        </result>
        <result name="CREATE_ERROR" type="redirectAction">getForm</result>
        <result name="GET_SUCCESS" type="tiles">setup_lead_source_event
        </result>
        <result name="UPDATE_SUCCESS" type="redirectAction">
            <param name="actionName">getList</param>
            <param name="lead_source_e_id">${lead_source_e_id}</param>
        </result>
        <result name="UPDATE_ERROR" type="redirectAction">getById</result>
        <result name="DELETE_SUCCESS" type="redirectAction">getList
        </result>
        <result name="DELETE_ERROR" type="redirectAction">getList
        </result>
        <result name="error" type="tiles">setup_lead_source_event
        </result>
    </action>

    <!-- Loads one lead source event; runs defaultStack first, then "store". -->
    <action name="getById" method="actionGetLeadSourceEvent" class="com.tpc.action.LeadSourceEventAction">
        <interceptor-ref name="defaultStack" />
        <interceptor-ref name="store">
            <param name="operationMode">RETRIEVE</param>
        </interceptor-ref>
        <result name="success" type="tiles">setup_lead_source_event
        </result>
        <result name="error" type="tiles">setup_lead_source_event</result>
    </action>

    <!-- NOTE(review): like getForm, this action lists only "store". formAction redirects
         here with a lead_source_e_id parameter, and without defaultStack that parameter
         is presumably never bound to the action. Confirm. -->
    <action name="getList" method="actionGetLeadSourceEventList"    class="com.tpc.action.LeadSourceEventAction">
        <interceptor-ref name="store">
            <param name="operationMode">RETRIEVE</param>
        </interceptor-ref>

        <result name="success" type="tiles">list_lead_source_event
        </result>
        <result name="error" type="tiles">list_lead_source_event</result>
    </action>

</package>
</struts>

spring-security.xml

<?xml version="1.0" encoding="UTF-8" ?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd


http://www.springframework.org/schema/security


http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- Web security rules. use-expressions="true" makes every access attribute below a
     SpEL expression such as hasAnyRole(...). These patterns are static: they are read
     when the application context starts, so changing them means editing this file.
     NOTE(review): intercept-url rules are checked in the order listed and the first
     match decides. There is no final catch-all rule (for example a "/**" pattern that
     requires authentication), so a request matching none of the patterns below is not
     subject to any access rule. That includes /dashboard.jsp, the default-target-url.
     A deny-by-default last rule, with explicit exceptions for the login page and static
     resources, is the safer layout. -->
<http realm="Project Realm" auto-config="true" use-expressions="true">




<!-- Lead Source Setup -->
<intercept-url pattern="/lead/setup/source/**" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR','ROLE_LEAD_MANAGER')"/>


<!-- Lead Source Event -->
<intercept-url pattern="/lead/setup/source_event/**" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR','ROLE_LEAD_MANAGER','ROLE_LEAD_OFFICER')"/>





<!-- NOTE(review): this pattern has no wildcard, so it covers that one path only. The
     lead_home action sits in the namespace-less "lms" Struts package, and Struts
     normally also answers on its action extension suffix, so the same action is
     presumably reachable under URLs this rule does not match. Confirm, and rely on a
     catch-all rule or on checks inside the action rather than on this single path. -->
<intercept-url pattern="/lead/lead_home" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR','ROLE_LEAD_MANAGER','ROLE_LEAD_OFFICER')"/>

<!-- ******END OF LEAD ******END OF LEAD ******END OF LEAD ******END OF LEAD ******END OF LEAD ******END OF LEAD ******END OF LEAD ****** -->




<!-- NOTE(review): "annapurnaERP" looks like an application or context name. Patterns
     are matched against the path inside the web application, without the context
     path, so confirm that this prefix really occurs in request paths; otherwise the
     rule never matches. -->
<intercept-url pattern="/annapurnaERP/**" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR')"/>
<!-- Form login: custom login page, fixed landing page, and a login_error flag on failure. -->
<form-login login-page="/login.jsp" default-target-url="/dashboard.jsp" 
    authentication-failure-url="/login.jsp?login_error=1"/>

<logout logout-success-url="/login.jsp"/>
<!-- Remember-me with framework defaults: no key, token store or validity period is
     configured here. NOTE(review): decide whether a long-lived login cookie is
     acceptable for these administrative screens, and consider requiring
     isFullyAuthenticated() on the sensitive patterns. -->
<remember-me />
</http>

<!-- Authenticates users against the database through the "dataSource" bean, which is
     defined outside this file. -->
<authentication-manager>
    <authentication-provider>

    <!-- Both queries bind the submitted username through the "?" placeholder, so it is
         passed as a parameter and never concatenated into the SQL text.
         users-by-username-query returns username, password and an enabled flag;
         authorities-by-username-query returns one row per role. The role values are
         read from the database at login, so they have to be the same strings the
         intercept-url expressions test (ROLE_ADMIN, ROLE_DIRECTOR, ...).
         NOTE(review): this authentication-provider has no password-encoder child. In
         Spring Security 3.x that means the submitted password is compared with the
         PASSWORD column as plain text. Confirm how passwords are stored and configure a
         salted, adaptive hash (for example bcrypt) with a migration for existing rows. -->
    <jdbc-user-service data-source-ref="dataSource"

   users-by-username-query="
     SELECT USERNAME, PASSWORD, CASE ENABLED WHEN 1 THEN 'true' ELSE 'false' END 'ENABLED' 
     FROM SETUP_SYSTEM_USER_CREDIENTIALS  
     WHERE USERNAME=?;"

   authorities-by-username-query="
    SELECT u.USERNAME, r.ROLES 
    FROM SETUP_SYSTEM_USER_CREDIENTIALS u, SETUP_SYSTEM_STAFF_USER_ROLES r
    WHERE u.SSUR_ID = r.SSUR_ID
    AND u.USERNAME=?;"

    />
</authentication-provider>
</authentication-manager>

</b:beans>

So, as you can see, all the URL patterns are defined in this XML file. How can I define those URL patterns dynamically from forms? By the way, my project is working fine right now; I just want to make this part dynamic.

Suppose I have two different forms, one for the administrator and another for normal users. To set the rights of the administrator and of normal users to access those two forms, I currently have to edit the XML file. In the following example, the administrator has the right to access both forms, whereas LEAD_OFFICER (a normal user) has access to the second form only.

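<!-- Example rules: rules are checked in the order listed and the first matching pattern
     decides. The role names must be the same strings that the
     authorities-by-username-query returns for the user. -->

<!-- Lead Source Setup: administrators and directors only -->
<intercept-url pattern="/lead/setup/source/**" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR')"/>


<!-- Lead Source Event: additionally open to lead officers -->
<intercept-url pattern="/lead/setup/source_event/**" access="hasAnyRole('ROLE_ADMIN','ROLE_DIRECTOR','ROLE_LEAD_OFFICER')"/>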

Right now all of these are set in the XML file, and if there is a new user, I have to add them to this XML file manually. What I want to do is assign the required rights to a new user from a UI form. I don't have any idea how to do that yet, so any help would be appreciated. Thanks

SunJCarkeY

1 Answer


Add this line to the JSP: <img src="<s:url value="YourUrlCreationAction" />">

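In this UrlCreationAction class you can add code to create URLs dynamically. Note that this only generates the URL on the page; access to the target URL still has to be enforced on the server by Spring Security.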