
Spring Security issue: I'm using Spring Security (latest version 3.2.7.RELEASE & Spring Framework version 4.0.9.RELEASE) for my application and I have a condition where I'm not understanding how to give access to both individually. Looking for soonest possible response.

Scenario: I have two different types of users; out of these two, TESTER has lower privileges than DEVELOPER:

  • ROLE_DEVELOPER
  • ROLE_TESTER

In my app, through the user interface, I have "update Analysis" functionality common to both DEVELOPER and TESTER. I want to allow a DEVELOPER to update only his own "Analysis" (if he logs in using DEVELOPER access) and a TESTER to update only his own analysis (if he logs in using TESTER access). They should be able to see each other's analysis only in a read-only format, but should not be able to update each other's analysis.

The following are the Spring Security filters which are mapped to the respective RESTful Web Services (WS). How can I develop this to satisfy both conditions above?

Note: I would like to do it using XML configuration only (without annotations)

<intercept-url method="PUT" pattern="/user/update/analysis/**"
    access="hasRole('ROLE_TESTER')" />

<intercept-url method="PUT" pattern="/user/update/analysis/**"
    access="hasRole('ROLE_DEVELOPER')" />

<intercept-url method="GET" pattern="/user/GET/analysis/**"
    access="hasRole('ROLE_DEVELOPER')" />

<intercept-url method="GET" pattern="/user/GET/analysis/**"
    access="hasRole('ROLE_TESTER')" />

1 Answer

Option 1: If you are using Spring 3.1 or newer you have the ability to create a custom 'getCustomMethodCondition' method by extending RequestMappingHandlerMapping. Thus, by implementing method overloading, you can get it to direct the user to the correct method.

Have a look at the following answers to similar questions here:

Option 2: Once you are already in the method, obtain the ROLE associated with the user and then activate relevant process for each type of user.

e.g.

// Assumes user.getRole() returns the role name as a String.
String userrole = user.getRole();
// Compare strings with equals(); "=" assigns and "==" compares references.
if ("ROLE_DEVELOPER".equals(userrole)) {
    // do this stuff
}
else if ("ROLE_TESTER".equals(userrole)) {
    // do this stuff
}

Hope this helps guide you in the right direction.

Aeseir
  • Thanks - But how we can achieve this through XML configurations only? –  May 06 '15 at 18:21
  • What part exactly? They are all different and do things differently. – Aeseir May 07 '15 at 01:25
  • I mean all above functionality should be achieved through XML configurations only.. –  May 07 '15 at 11:36
  • No, all of it requires you to do java coding. Option 1 XML configuration can only point to the custom made custom RequestMappingHandlerMapping as example. Option 2 is only done in the method of the controller itself. Only way to do this in XML is to have different urls for different roles, which is what you don't want. – Aeseir May 07 '15 at 12:10
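As an added example (not the asker's or Aeseir's code), this is what Option 2 looks like when it also enforces the ownership rule from the question, which is what the duplicated role-only <intercept-url> entries cannot express; the Analysis type, its ownerUsername field and the AnalysisService name are assumptions. The role gate can stay in XML as a single entry per method using hasAnyRole('ROLE_DEVELOPER','ROLE_TESTER'), while the owner check lives in the service called by the PUT /user/update/analysis/** endpoint:

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Assumed domain type: an Analysis record that remembers the username that created it.
class Analysis {
    final String ownerUsername;
    String body;
    Analysis(String ownerUsername, String body) { this.ownerUsername = ownerUsername; this.body = body; }
}

// Assumed service behind the PUT /user/update/analysis/** endpoint.
public class AnalysisService {
    // PUT: the caller must hold one of the two analysis roles AND own the record.
    public void updateAnalysis(Analysis analysis, String newBody) {
        Authentication auth = currentAuthentication();
        // Role check done in code (Option 2 style): compare strings with equals(), never with == or =.
        if (!hasAnyRole(auth, "ROLE_DEVELOPER", "ROLE_TESTER")) {
            throw new AccessDeniedException("role not permitted to update analyses");
        }
        // Ownership check: a role-only <intercept-url> rule cannot express this, so it must be code.
        if (!analysis.ownerUsername.equals(auth.getName())) {
            throw new AccessDeniedException("users may only update their own analysis");
        }
        analysis.body = newBody;
    }

    // The authenticated principal for the current request, or a denial if there is none.
    private static Authentication currentAuthentication() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("not authenticated");
        }
        return auth;
    }

    // True when the principal carries at least one of the given granted authorities.
    private static boolean hasAnyRole(Authentication auth, String... roles) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            for (String role : roles) {
                if (role.equals(granted.getAuthority())) return true;
            }
        }
        return false;
    }
}
```

GET remains a pure role check, so its XML entry needs no code; only the update path needs the owner comparison, which is consistent with the comment above that the ownership part cannot be done in XML alone.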