-
Custom tag
Hello,
I want to build an "authorized by link" security tag:
    <custom:linkEnforcedAuthorization link="app_link">
        See this message if the current user has access to the given app_link.
    </custom:linkEnforcedAuthorization>
so if the app_link is defined in the security config as below
    <http>
        ...
        <intercept-url pattern="app_link*" access="PRIV_role1,PRIV_admin,..."/>
        ...
    </http>
Basically I want to make sure that a certain link is displayed only if the user can click on it! In that way I can improve the readability and maintain the code/roles!
Regards,
Q
-
This is already available in the 3.0 codebase.
-
I already built it yesterday :) - is there a simpler way for 2.0.3?
Code:
    protected boolean canUserAccessURL( Authentication authentication, String url )
    {
        final String FILTER_LIST = "_filterChainList";
        final String ACCESS_DECISION_MANAGER = "accessDecisionManager";
        AccessDecisionManager accessDecisionManager = (AccessDecisionManager)BeanLocator.getBean( ACCESS_DECISION_MANAGER );
        // Wrap the current request so that it reports the URL being checked.
        FilterInvocation fi = new FilterInvocation( new URLDrivenHttpServletRequest( getRequest(), url ), getResponse(), new DummyFilterChain() );
        FilterChainList filterChainList = (FilterChainList)BeanLocator.getBean( FILTER_LIST );
        List filters = filterChainList.getFilters();
        // Find the FilterSecurityInterceptor, which holds the intercept-url rules.
        for ( int i = 0; i < filters.size(); i++ )
        {
            Object obj = filters.get( i );
            if ( obj instanceof FilterSecurityInterceptor )
            {
                FilterSecurityInterceptor fsi = (FilterSecurityInterceptor)obj;
                // attr is null when no intercept-url pattern matches the URL.
                ConfigAttributeDefinition attr = fsi.getObjectDefinitionSource().getAttributes( fi );
                try
                {
                    // decide() returns normally when access is granted and throws otherwise.
                    accessDecisionManager.decide( authentication, fi, attr );
                    return true;
                }
                catch( Exception e )
                {
                    if ( log.isDebugEnabled() )
                    {
                        String message = String.format( "Url %s cannot be access by user %s. Reason:%s", url, authentication.getPrincipal(), e.getMessage() );
                        log.debug( message );
                    }
                }
                // Only the first FilterSecurityInterceptor is consulted.
                break;
            }
        }
        // Denied, or no FilterSecurityInterceptor found in the chain.
        return false;
    }
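
The decision the tag in this thread has to make per URL, including the case where no pattern matches the link, as an added example that is not part of the original posts and is not Spring Security code. It is a plain-JDK model with constructed patterns and roles and a simplified prefix matcher; the class, method and `rejectUnmatched` names are hypothetical.

```java
import java.util.*;

/** Added illustration, not Spring Security code: a simplified model of the
 *  per-URL decision behind a "show the link only if clickable" tag. */
public class LinkVisibilityDemo {
    // Constructed rules in declaration order: pattern -> roles allowed.
    static final Map<String, Set<String>> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/*", Set.of("PRIV_admin"));
        RULES.put("/reports/*", Set.of("PRIV_role1", "PRIV_admin"));
    }

    /** Simplified matcher: a trailing '*' means prefix match, otherwise exact. */
    static boolean matches(String pattern, String url) {
        return pattern.endsWith("*")
                ? url.startsWith(pattern.substring(0, pattern.length() - 1))
                : url.equals(pattern);
    }

    /** Returns the roles of the first matching rule, or null if none matches. */
    static Set<String> attributesFor(String url) {
        for (Map.Entry<String, Set<String>> e : RULES.entrySet())
            if (matches(e.getKey(), url)) return e.getValue();
        return null;
    }

    /** True if a link to url should be rendered for a user holding userRoles. */
    static boolean canAccess(Set<String> userRoles, String url, boolean rejectUnmatched) {
        Set<String> required = attributesFor(url);
        // A URL with no rule needs an explicit policy instead of an accidental exception.
        if (required == null) return !rejectUnmatched;
        return !Collections.disjoint(required, userRoles);
    }

    public static void main(String[] args) {
        Set<String> user = Set.of("PRIV_role1"); // constructed sample user
        for (String url : List.of("/reports/q1", "/admin/users", "/help")) {
            System.out.printf("%-14s lenient=%-5b strict=%b%n", url,
                    canAccess(user, url, false), canAccess(user, url, true));
        }
    }
}
```

The tag only decides what is rendered; the `intercept-url` rule still has to enforce access when the URL is actually requested.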