Creating a controller level annotation that will check request attributes for objects

[SpringOrSummer]

Is it possible to create a controller level annotation that will check if there are specific objects in the request Attributes collection?

If not, I want to redirect to the signin page.

I currently have code in each and every controller method, and this isn't the best way since a developer can forget to have this security type checks in the method and it can open a security hole.

Having something at the controller annotation level would be much easier.

[Marten Deinum]

That is what HandlerInterceptors are for. You can check that in the preHandle method.

[SpringOrSummer]

Marten,

Yes that is what I am currently doing, but not in a programatic way per say.

Currently I am looking at the url, for example, if my controller is ProductController like:

Code:

@RequestMapping("/products")
@Controller
public class ProductController ... {

}

And then in my interceptor am doing:

Code:

String url = request.getRequestURI().toLowerCase();

if(url.contains("products/")) {
  loginRequired = true;
}

Now this might work, it doesn't seem like a clean solution to me because it is doing string based comparison's on the url and a developer might introduce a security hole somehow.

Is there a way to actually know which controller is going to be used to service this request at this point?

Or in your opinion, what I am doing now is pretty much all I can do?

[Marten Deinum]

If it is security you want I suggest Spring Security instead of inventing your own.

What you can do depends a little on which version of Spring you are on. You could create an annotation (@Secured or something) and check in the interceptor if the annotation is present on the class if so login. That at least saves you all the checks for the URL. The controller is available as a method argument, for Spring 3.1 this will be a HandlerMethod instead of the actual class so you need to do some additional work to get to the actual class.

Is it possible to create a controller level annotation that will check if there are specific objects in the request Attributes collection?

It is only useful to create a generic part if it concerns general objects if they differ per controller this isn't going to work.

[SpringOrSummer]

Ok I am getting access to the handlermethod (thanks for that link!), but having an issue with the annotation, it is always null for some reason.

First time created an annotation so that might be the issue

Code:

public @interface SomeThing {
}

Controller:

Code:

@SomeThing
@RequestMapping("/products")
@Controller
public class ProductController {

   @SomeThing
    @RequestMapping("/")
    public ModelAndView index(HttpServletRequest request, HttpServletResponse response) {
     ...
    }

}

I added the annotation on both the class and method level just for testing, now in my interceptor:

Code:

       HandlerMethod method = (HandlerMethod) handler;
        SomeThing annotation1 = method.getMethodAnnotation(SomeThing.class);

        SomeThing annotation2 = method.getMethod().getAnnotation(SomeThing.class);

Both values are null when I am in the ProductController.

What am I doing wrong?

[Marten Deinum]

The annotation isn't on the method but on the bean... (Edit: Missed that it is actually on the method ).

The first and second are the same (what you do is more or less the same that happens internally).

Code:

HandlerMethod method = (HandlerMethod) handler;
Object bean = method.getBean();
SomeThing annot= AnnotationUtils.findAnnotation(bean.getClass(), SomeThing.class);
if (annot != null) {
  //apply security
}

The above should be more or less what you want.

Edit: Can you post the full annotation code? Make sure it is available at runtime.

Code:

@java.lang.annotation.Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
@java.lang.annotation.Target({java.lang.annotation.ElementType.TYPE, java.lang.annotation.ElementType.METHOD})
public @interface SomeThing {
}

Something like this (from the top of my head).