I want to authenticate according to url's params

**creatxr** · Feb 27th, 2005, 04:41 AM

I want to authenticate according to url's params

what do I?

for example

userA

can visit url xxx?param1=0
can't visit url xxx?param1=3

what must I do?
use acl????

**Ben Alex** · Mar 2nd, 2005, 03:24 PM

PathBasedFilterInvocationDefinitionMap and RegExpBasedFilterInvocationDefinitionMap both use AbstractFilterInvocationDefinitionSource's getAttribute(Object) method. It looks like this:

Code:

    public ConfigAttributeDefinition getAttributes&#40;Object object&#41;
        throws IllegalArgumentException &#123;
        if &#40;&#40;object == null&#41; || !this.supports&#40;object.getClass&#40;&#41;&#41;&#41; &#123;
            throw new IllegalArgumentException&#40;
                "Object must be a FilterInvocation"&#41;;
        &#125;

        String url = &#40;&#40;FilterInvocation&#41; object&#41;.getRequestUrl&#40;&#41;;

        return this.lookupAttributes&#40;url&#41;;
    &#125;

As you can see, the URL used for comparison purposes is from the FilterInvocation.getRequestUrl() method, which looks like:

Code:

    public String getRequestUrl&#40;&#41; &#123;
        String pathInfo = getHttpRequest&#40;&#41;.getPathInfo&#40;&#41;;
        String queryString = getHttpRequest&#40;&#41;.getQueryString&#40;&#41;;

        return getHttpRequest&#40;&#41;.getServletPath&#40;&#41;
        + &#40;&#40;pathInfo == null&#41; ? "" &#58; pathInfo&#41;
        + &#40;&#40;queryString == null&#41; ? "" &#58; &#40;"?" + queryString&#41;&#41;;
    &#125;

Therefore your query string is part of the URL assessed by the FilterInvocationDefinitionSource.

As such you should be able to simply use regular expressions to look at the full URL and grant or deny accordingly.

**mavisakal** · Mar 4th, 2005, 05:48 AM

Is it possible to check a url like below for a parameter name like method with a regular exp in filterInvocationInterceptor's objectDefinitionSource
i.e.
http://localhost:9080/MyApp/orderActions.do?param1=1&method=createOrder&param2=2

how can I write the url value for objectDefinitionSource with a regular expression which ignores other parameters and look for the parameter method value.

How can I write it?
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/order/orderactions.do?method=createOrder\Z=ROLE_ANONYMOUS,ROLE_USER </value>
</property>

Thanks...

**Ben Alex** · Mar 7th, 2005, 06:21 AM

It's not the best way of doing it. You can't reliably parse for a parameter name/value in a query string and allow/deny accordingly. People can, for example, re-order the query parameters or encode them. I suppose you could try to write them in order, with a catch-all to detect re-ordering. eg:

foo.bar?gender=male&animal=donkey=role_male
foo.bar?gender=female&animal=cat=role_female
foo.bar*=deny

It's a lot safer to achieve security by moving the access decision to the services layer. Typically, your web controller uses RequestUtils.getStringParameter(HttpServletRequest ,String) and then passes the resulting String to a services layer method that has a custom AccessDecisionVoter. For example, AnimalServices.getByGender(String), which has a GenderDecisionVoter that applies different role requirements based on the String argument being passed to the services layer.

HTH clarify the recommended approach.

Thread: I want to authenticate according to url's params

Thread Tools

Display

I want to authenticate according to url's params

exclude ? = in reg exp

Similar Threads

JstlView, extensionless URLs, /* matching and loops

Where does Acegi store params of link while being logged in?

Search engine friendly URLs

Authenticate based on user id

How do I exclude URLs?

Posting Permissions