从数据库或属性获取Spring Security拦截URL

时间:2010-02-23 03:11:26

标签: java spring grails spring-mvc spring-security

希望这是超级简单的,存在的,我忽视了我的鼻子下面的东西。我知道我可以通过注释限制访问:

@Secured({"ROLE_ADMIN"})

或通过配置:

<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" />

我更愿意从数据库中获取身份验证规则,例如:

<security:intercept-url provider="authProvider"/>

<bean id="authProvider" class="AuthProviderImpl">
    <property name="userDetailsService" ref="userDetailsService"/>
</bean>

最糟糕的情况是,必须有一种通过属性文件填充的方法吗?...

/admin/**=ROLE_ADMIN
/**=ROLE_USER 

<security:intercept-url props="classpath:urls.properties"/>

请告诉我这存在或我的大脑会爆炸! Grails spring-security插件开箱即用,所以我知道这必须存在。请不要让我的大脑爆炸!!!

编辑:

想出来......

您必须提供自定义org.springframework.security.intercept.web.FilterSecurityInterceptor并提供objectDefinitionSource

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**login.html=IS_AUTHENTICATED_ANONYMOUSLY
            /user/**=ROLE_ADMIN
        </value>
    </property>
</bean>

我想我将使用FactoryBean:

public class RequestMappingFactoryBean implements FactoryBean {

    private final static String EOL = System.getProperty("line.separator");

    public Object getObject() throws Exception {
        StringBuffer sb = new StringBuffer();
        sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");
        sb.append(EOL);
        sb.append("PATTERN_TYPE_APACHE_ANT");
        sb.append(EOL);
        sb.append("/**login.html=IS_AUTHENTICATED_ANONYMOUSLY");
        sb.append(EOL);
        sb.append("/user/**=ROLE_ADMIN");
        return sb.toString();
    }

    @SuppressWarnings("unchecked")
    public Class getObjectType() {
        return String.class;
    }

    public boolean isSingleton() {
        return true;
    }

}

传递DAO等

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource" ref="requestMappings" />
</bean>

<bean id="requestMappings" class="RequestMappingFactoryBean" />

2 个答案:

答案 0 :(得分:3)

你想在spring xml中使用这样的东西吗?

<!-- Settings -->
<b:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <b:property name="locations">
        <b:value>/WEB-INF/config.properties</b:value>
    </b:property>
</b:bean>

然后在你的Spring XML中使用als:

<http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern='/custom/**' access="${roles.admin}"/>
</http>

答案 1 :(得分:2)

已经有一段时间了,但您可以创建一个Voter对象,帮助决定是否允许访问URL。 Voter对象可以从数据库或文件加载数据,或者只是随机返回Allow,Deny或Abstain。

相关问题
最新问题