How to dynamically decide <intercept-url> access attribute value in Spring Security?

[crackercracks]

In Spring Security we use the intercept-url tag to define the access for URLs as below:

<intercept-url pattern="/**" access="ROLE_ADMIN" />
<intercept-url pattern="/student" access="ROLE_STUDENT" />

This is hard coded in applicationContext-security.xml. I want to read the access values from a database table instead. I have defined my own UserDetailsService and I read the roles for the logged in user from the database. How do I assign these roles to the URL patterns during runtime?

[Luke Taylor]

Do you mean at startup or every time someone accesses a URL?

If at startup, you could write a custom PropertyPlaceholderConfigurer and replace the access attributes with placeholders.

[crackercracks]

I store the URL patterns and the roles which can access the patterns in a database table. Something like:

URL Pattern Roles
------------------------------------------------------------------------
/student ROLE_STUDENT
/admin ROLE_ADMIN
/login ROLE_ADMIN, ROLE_STUDENT, ROLE_FACULTY

When I load the application I read the values from the database and want to set the access as per these values. Essentially I want to perform the function of <intercept-url> tag using the values from the database.

In short, I do not want to hard code the URL patterns and the roles in applicationConfig-security.xml. Instead I want to load them from a database table.

[jbbarquero]

I put an answer to your question at stackoverflow: http://stackoverflow.com/questions/6...-spring-securi

[Luke Taylor]

You'll find a FAQ entry on this.

[crackercracks]

I followed the FAQ and the SO answer and some other tutorials. I have created my own filter chain as below:

<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChai nProxy">
<filter-chain-map path-type="ant">
<filter-chain pattern="/css/**" filters="none" />
<filter-chain pattern="/images/**" filters="none" />
<filter-chain pattern="/Login.xhtml" filters="none" />
<filter-chain pattern="/j_spring_security_check" filters="none" />
<filter-chain pattern="/securepage.xhtml" filters="
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</filter-chain-map>
</beans:bean>

I can access all pages directly except securepage.xhtml for which I get the login page. This is as expected. But when I try to login I get an error saying /j_spring_security_check is not available.

If I simply use the namespace configuration http tag I can access /j_spring_security_check. But since I am using my own filter chain I have removed the http tag.

I guess I am missing something which is setup by the http tag. Sorry, but I am really new to Spring Security. May be I am missing the most obvious thing

[crackercracks]

I have attached the contents of my applicationContext-security.xml if those would be helpful.

Shortly, the problem is there is no https://localhost/myapp/j_spring_security_check resource for this configuration.

If I insert
<http><form-login login-page="/Login.xhtml" /></http> to the above file then /j_spring_security_check is accessible but then my springSecurityFilterChain has no effect.

So I think I am missing something which <http><form-login /></http> does.