declarative access control for dynamic URLs depending on a principal's attribute

[ccmtaylor]

Hi,

in my application, a (externally authenticated) user is signed in to one of several "projects". These have urls like

/projects/project1/...

Is there a way to use <intercept-url /> to control access to projects? For I'm currently exposing the project as an attribute on the principal, so what I'm aiming for is something along the lines of

<intercept-url pattern="/projects/{projectId}/**" access="principal.project==$projectId" />

Alternatively, I guess I could expose the projectId as a role:

<intercept-url pattern="/projects/{projectId}/**" access="hasRole($projectId)" />

Since the projects are created from within the application, I don't know their Ids in advance. Is there a way to capture the path element and re-use it in the web security expression?

Thanks,
--Christopher

[Luke Taylor]

This might be more straightforward in a standard AccessDecisionVoter. Use something like

Code:

<intercept-url pattern="/**" access="PROJECT_ID_CHECK" />

and then write a ProjectCheckVoter which acts on this attribute (see RoleVoter for a basic example). In the voter you have access to the FilterInvocaton (from which you can get the request and the path) and the current Authentication object, which gives you the assigned project ID.

[ccmtaylor]

Thank you, that worked. I had to turn off EL-based authorization though. Is there a way to have both? I've run across http://forum.springsource.org/showpost.php?p=296694 which seems to describe a (rather roundabout) way to enable this.

Happy holidays!
--Christopher