Testing whether user has access to certain URLs

Hi,

I'm iterating over the list of HandlerMethods which Spring did identify. I want to know, to which of those the currently logged in user has access.

So I have access to the HandlerMethod, the RequestMappingInfo which was used (@RequestMapping annotation), the URL which stands for the HandlerMethod and ofcourse the principal.

Is there any chance to identify, to which of a list of HandlerMethods the user has access with the information I have present?

Thanks,
Philipp

After alot of research I was btw able to get this problem addressed now on my own.

Getting achieved what I wanted was actually a 2-step process.

• Getting to know whether the user may enter the URL at all. This can be very easily achieved using WebInvocationPrivilegeEvaluator, which is normally registered as a bean already and can therefor be injecting. It's just a matter of calling
  Code:

  ---

  privilegeEvaluator.isAllowed(contextPath, url, "GET", currentUser);

  ---

• The second part is a little bit more advanced. Unfortunately the first part does not analyze any @PreAuthorize annotations on the HandlerMethods. This goes back to the answer which has been given in this thread: http://forum.springsource.org/showth...-in-Controller
  
  Now what I actually did was going all the way of identifying whether the user may access the handler method "by hand". Well, actually I just stumpled together all the methods calls which return in the end a true or false.
  Here is the code to achieve this
  
  Code:

  ---

  private boolean isAllowedByAnnotation(Authentication currentUser, HandlerMethod method) {
        PreInvocationAuthorizationAdvice advice = new ExpressionBasedPreInvocationAdvice();
        PreInvocationAuthorizationAdviceVoter voter = new PreInvocationAuthorizationAdviceVoter(advice);
       
        MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
    PrePostInvocationAttributeFactory factory = new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
        PrePostAnnotationSecurityMetadataSource metadataSource = new PrePostAnnotationSecurityMetadataSource(factory);
       
        Class<?> controller = method.getBeanType();
        MethodInvocation mi = MethodInvocationUtils.createFromClass(controller, method.getMethod().getName());
        Collection<ConfigAttribute> attributes = metadataSource.getAttributes(method.getMethod(), controller);
       
        return PreInvocationAuthorizationAdviceVoter.ACCESS_GRANTED == voter.vote(currentUser, mi, attributes);
}

  ---

If someone has any better idea to solve this, I'm happy to listen, otherwise, anyone else feel free to work with that, if you need something similar.

Regards,
Philipp