In Spring, how can I block access to a path based on a property in my UserDetails object?
I'm using Spring 3.2.11.RELEASE and Spring Security 3.1.4.RELEASE, but can upgrade the Spring Security module if that solves the problem. In my UserDetails object, I have the below property …

    public class MyAuthenticationUser implements UserDetails, CredentialsContainer {
        …
        public boolean isSampleUser() {
            return isSampleUser;
        } // isSampleUser
    }

Then I have a controller, which looks like

    @Controller
    @RequestMapping("/basedir")
    public class BaseDirController {

        @RequestMapping(value = "/page1", method = RequestMethod.GET)
        public ModelAndView doGetPdResources(final Model model, final Principal principal) throws IOException {
            …
        }

        @RequestMapping(value = "/page2", method = RequestMethod.GET)
        public ModelAndView doGetPdCenter(final Model model, final HttpServletRequest request) throws IOException {
            return new ModelAndView("basedir/pdcenter");
        }
        …
    }

What is the easiest way to block access to every method matching the URL pattern "/context-path/basedir/**" if the "isSampleUser" property of my UserDetails object evaluates to true? Do I have to hard-code logic in every method of the controller to check the property (it seems like there is a slicker way to solve the problem than that)?
As others have suggested, it seems you should be able to do this with roles.
For example, if isSampleUser is true, ensure ROLE_SAMPLE is part of the roles. Assuming the other role in question is ROLE_USER, you can add the following rule:

    <http ... use-expressions="true">
        ...
        <intercept-url pattern="/base-dir/**" access="hasRole('ROLE_USER') and !hasRole('ROLE_SAMPLE')"/>
        ...
    </http>

If you are using Java configuration, it would look like:

    http
        .authorizeRequests()
            ...
            .antMatchers("/base-dir/**").access("hasRole('ROLE_USER') and !hasRole('ROLE_SAMPLE')")
            ...

If you don't want to add a role, you can do something like:

    <http ... use-expressions="true">
        ...
        <intercept-url pattern="/base-dir/**" access="principal.sampleUser ? denyAll : hasRole('ROLE_USER')"/>
        ...
    </http>

This states that for a URL that starts with /base-dir/**, if sampleUser returns true, deny access; otherwise ROLE_USER is required.