Results 1 to 2 of 2

Thread: Testing whether user has access to certain URLs

Hybrid View

  1. Aug 3rd, 2012, 01:08 PM #1
    pfeigl
    pfeigl is offline Junior Member
    Join Date
    Aug 2012
    Posts
    2

    Default Testing whether user has access to certain URLs

    Hi,

    I'm iterating over the list of HandlerMethods which Spring did identify. I want to know, to which of those the currently logged in user has access.

    So I have access to the HandlerMethod, the RequestMappingInfo which was used (@RequestMapping annotation), the URL which stands for the HandlerMethod and ofcourse the principal.

    Is there any chance to identify, to which of a list of HandlerMethods the user has access with the information I have present?

    Thanks,
    Philipp
    Reply With Quote Reply With Quote
  2. Aug 3rd, 2012, 05:35 PM #2
    pfeigl
    pfeigl is offline Junior Member
    Join Date
    Aug 2012
    Posts
    2

    Default

    After alot of research I was btw able to get this problem addressed now on my own.

    Getting achieved what I wanted was actually a 2-step process.

    • Getting to know whether the user may enter the URL at all. This can be very easily achieved using WebInvocationPrivilegeEvaluator, which is normally registered as a bean already and can therefor be injecting. It's just a matter of calling
      Code:
      privilegeEvaluator.isAllowed(contextPath, url, "GET", currentUser);
    • The second part is a little bit more advanced. Unfortunately the first part does not analyze any @PreAuthorize annotations on the HandlerMethods. This goes back to the answer which has been given in this thread: http://forum.springsource.org/showth...-in-Controller

      Now what I actually did was going all the way of identifying whether the user may access the handler method "by hand". Well, actually I just stumpled together all the methods calls which return in the end a true or false.
      Here is the code to achieve this
      Code:
      private boolean isAllowedByAnnotation(Authentication currentUser, HandlerMethod method) {
	PreInvocationAuthorizationAdvice advice = new ExpressionBasedPreInvocationAdvice();
	PreInvocationAuthorizationAdviceVoter voter = new PreInvocationAuthorizationAdviceVoter(advice);
	
	MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
    PrePostInvocationAttributeFactory factory = new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
	PrePostAnnotationSecurityMetadataSource metadataSource = new PrePostAnnotationSecurityMetadataSource(factory);
	
	Class<?> controller = method.getBeanType();
	MethodInvocation mi = MethodInvocationUtils.createFromClass(controller, method.getMethod().getName());
	Collection<ConfigAttribute> attributes = metadataSource.getAttributes(method.getMethod(), controller);
	
	return PreInvocationAuthorizationAdviceVoter.ACCESS_GRANTED == voter.vote(currentUser, mi, attributes);
}


    If someone has any better idea to solve this, I'm happy to listen, otherwise, anyone else feel free to work with that, if you need something similar.

    Regards,
    Philipp
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules