How to define custom DefaultWebInvocationPrivilegeEvaluator when using namespace?
Hi All,
I am using Spring Security 3.0.2, and I have extended FilterInvocationSecurityMetadataSource in order to load the intercept-url definitions from an external source.
This works well for blocking access to unauthorized URL patterns. However, when I use <security:authorize url=".." />, it always evaluates to true, regardless of whether the user has the right to access the page.
After reading the taglib documentation again, I found that this is because <security:authorize /> relies on the instance of DefaultWebInvocationPrivilegeEvaluator that is created when the XML namespace is used in the context XML.
So is there any way to replace the default instance of DefaultWebInvocationPrivilegeEvaluator?
Below is part of my XML:
Code:
<!--
  Web security entry point: anonymous access, form login and the custom URL-authorization filter.
  No <security:intercept-url> children are declared here, so the FilterSecurityInterceptor that the
  namespace creates carries no URL rules of its own. URL enforcement rests on
  customFilterSecurityInterceptor, which is inserted just before it in the filter chain.
  NOTE(review): the namespace also registers its own DefaultWebInvocationPrivilegeEvaluator, and that
  instance is presumably bound to the namespace-created interceptor rather than the custom one. With
  no rules to consult it would report every URL as allowed, which matches the
  <security:authorize url=".."/> behaviour described above. Confirm against the 3.0.2 sources.
  The JSP tag only decides what is rendered; the filter is what actually blocks a request.
-->
<security:http auto-config="true"
               access-denied-page="/login/login.jsp?status=denied">
    <security:anonymous enabled="true"
                        granted-authority="ROLE_ANONYMOUS"/>
    <security:form-login login-page="/login/login.jsp"
                         authentication-failure-url="/login/login.jsp?status=failed"
                         default-target-url="/home/home.jsp"/>
    <!-- Runs ahead of the namespace-created interceptor; both interceptors stay in the chain. -->
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR"
                            ref="customFilterSecurityInterceptor"/>
</security:http>
<!--
  Authentication manager backed by a JDBC user service on the userDs data source.
  The alias lets the custom FilterSecurityInterceptor bean reference it as "authenticationManager".
-->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!--
  Three lookups, each taking the login name as its single bound "?" parameter:
  user record (username, password, enabled), direct authorities, and group authorities.
  NOTE(review): no <security:password-encoder> child is declared in this provider, so u_password is
  presumably compared as stored (plaintext by default in 3.0.x). Confirm, and store hashed passwords
  with a matching encoder if that is the case.
  NOTE(review): the two authority queries end with ";" inside the SQL text; some JDBC drivers reject
  a trailing statement terminator. Verify against the driver in use.
-->
<security:jdbc-user-service data-source-ref="userDs"
users-by-username-query=
"select u_username,u_password,u_enabled from users_tab where u_username = ?"
authorities-by-username-query=
"select u.u_username as username, a.a_authority as authority
from users_tab u, authorities_tab a, user_authorities_tab ua
where u.u_username = ? and u.u_id = ua.ua_user_id and a.a_id = ua.ua_authority_id;"
group-authorities-by-username-query=
"select g.g_id as id, g.g_name as group_name, a.a_authority as authority
from groups_tab g, group_authorities_tab ga, users_tab u, authorities_tab a, group_members_tab gm
where u.u_username = ? and u.u_id = gm.gm_user_id and g.g_id = gm.gm_group_id
and ga.ga_group_id = gm.gm_group_id and ga.ga_authority_id = a.a_id;"
/>
</security:authentication-provider>
</security:authentication-manager>
<!--
  The interceptor that enforces URL access rules in this setup. It reads the required attributes
  for each request from jdbcFilterSecurityMetadataSource and hands the decision to
  accessDecisionManager.
  NOTE(review): rejectPublicInvocations is not set, so a URL for which the metadata source returns
  no attributes is presumably let through without any access decision (the default is false).
  Confirm that unlisted URLs are meant to be public, or make the metadata source return a
  restrictive default.
-->
<beans:bean id="customFilterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager"  ref="authenticationManager"/>
    <beans:property name="accessDecisionManager"  ref="accessDecisionManager"/>
    <beans:property name="securityMetadataSource" ref="jdbcFilterSecurityMetadataSource"/>
</beans:bean>
<!--
  Decision manager used by customFilterSecurityInterceptor. AffirmativeBased grants access as soon
  as one voter votes to grant.
  NOTE(review): RoleVoter is expected to vote only on attributes with the ROLE_ prefix and
  AuthenticatedVoter only on the IS_AUTHENTICATED_* attributes. An attribute loaded from the
  database that matches neither form would make both voters abstain. Verify that the stored
  attribute values follow one of these forms.
-->
<beans:bean id="accessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>
<!--
  A second privilege evaluator, wired to the custom interceptor. Declaring it did not change the
  result of <security:authorize url=".."/>.
  NOTE(review): the tag appears to look up a WebInvocationPrivilegeEvaluator in the application
  context by type rather than by bean id. With the namespace-created evaluator also present, the
  one bound to the rule-less namespace interceptor may still be the one selected. Confirm in the
  3.0.2 taglib sources.
-->
<beans:bean id="webPrivilegeEvaluator"
            class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
    <beans:constructor-arg ref="customFilterSecurityInterceptor"/>
</beans:bean>
<!--
  Project-specific metadata source that supplies the URL access rules to
  customFilterSecurityInterceptor, using the same userDs data source as the user lookup.
  NOTE(review): the implementation is not shown here. Because the authorization rules live in the
  database, write access to the backing tables is equivalent to the ability to change access
  control. Restrict and audit it accordingly.
-->
<beans:bean id="jdbcFilterSecurityMetadataSource"
            class="com.unified.spring.security.JdbcFilterSecurityMetadataSource">
    <beans:property name="dataSource" ref="userDs"/>
</beans:bean>
Thank you