Jul 31st, 2011, 06:45 PM
How to dynamically decide <intercept-url> access attribute value in Spring Security?
In Spring Security we use the intercept-url tag to define the access for URLs as below:
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<intercept-url pattern="/student" access="ROLE_STUDENT" />
This is hard coded in applicationContext-security.xml. I want to read the access values from a database table instead. I have defined my own UserDetailsService and I read the roles for the logged in user from the database. How do I assign these roles to the URL patterns during runtime?
Aug 1st, 2011, 06:22 AM
Do you mean at startup or every time someone accesses a URL?
If at startup, you could write a custom PropertyPlaceholderConfigurer and replace the access attributes with placeholders.
Aug 1st, 2011, 07:21 AM
I store the URL patterns and the roles which can access the patterns in a database table. Something like:
URL Pattern Roles
/login ROLE_ADMIN, ROLE_STUDENT, ROLE_FACULTY
When I load the application I read the values from the database and want to set the access as per these values. Essentially I want to perform the function of <intercept-url> tag using the values from the database.
In short, I do not want to hard code the URL patterns and the roles in applicationConfig-security.xml. Instead I want to load them from a database table.
Aug 1st, 2011, 08:32 AM
Aug 1st, 2011, 08:35 AM
You'll find a FAQ entry on this.
Aug 2nd, 2011, 02:41 PM
I followed the FAQ and the SO answer and some other tutorials. I have created my own filter chain as below:
<filter-chain pattern="/css/**" filters="none" />
<filter-chain pattern="/images/**" filters="none" />
<filter-chain pattern="/Login.xhtml" filters="none" />
<filter-chain pattern="/j_spring_security_check" filters="none" />
<filter-chain pattern="/securepage.xhtml" filters="
I can access all pages directly except securepage.xhtml for which I get the login page. This is as expected. But when I try to login I get an error saying /j_spring_security_check is not available.
If I simply use the namespace configuration http tag I can access /j_spring_security_check. But since I am using my own filter chain I have removed the http tag.
I guess I am missing something which is setup by the http tag. Sorry, but I am really new to Spring Security. May be I am missing the most obvious thing
Aug 2nd, 2011, 07:13 PM
I have attached the contents of my applicationContext-security.xml if those would be helpful.
Shortly, the problem is there is no https://localhost/myapp/j_spring_security_check resource for this configuration.
If I insert
<http><form-login login-page="/Login.xhtml" /></http> to the above file then /j_spring_security_check is accessible but then my springSecurityFilterChain has no effect.
So I think I am missing something which <http><form-login /></http> does.
Aug 3rd, 2011, 05:39 AM
You have "filters='none'" for the "/j_spring_security_check" URL, so there is nothing available to handle it.
Aug 3rd, 2011, 07:52 AM
(I need to study a lot about Spring!)
Tags for this Thread