
Originally Posted by
sousa1981
I would suggest you look at the Spring documentation for "org.springframework.security.vote.AffirmativeBased" and "allowIfAllAbstainDecisions":
Code:
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.vote.RoleVoter">
                <property name="rolePrefix" value="" />
            </bean>
            <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
        </list>
    </property>
</bean>
For example, for the procedure below to work:
I did override the lookupAttributes() like this:
1) Check if the URL exists in my authorization tables
2) If the URL exists read the ROLES and populate the 'ConfigAttributeDefinition' object
3) If the URL does not exist then return NULL
I suggest modifying step 3 to be: If the URL does not exist, then associate it with a ROLE without access, so it will receive an AccessDenied message.
Hello, I have a strange trouble about this.
Code:
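import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.SecurityConfig;
import org.springframework.security.vote.AccessDecisionVoter;
import org.springframework.security.vote.RoleVoter;

public class RoleVoterImp extends RoleVoter {
    public int vote(Authentication authentication, Object object,
            ConfigAttributeDefinition config) {
        // Deny outright when the marker attribute is present
        if (config.contains(new SecurityConfig("ROLE_NO_ACCESS"))) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return super.vote(authentication, object, config);
    }
}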
Correctly, I cannot display the menu URLs that are not in the db, but in practice I can get the URL in my browser.
Example:
HomePage
<link>/admin/print.do</link> //invisible because I can't access it
On my HTML homepage, I don't see the link /admin/print.do, but if I put this URL in the browser I do not get ACCESS DENIED!!
I do:
Code:
..
List roleNamesList = userManager.findRolessByUrl(trimmedUrl);
if (roleNamesList == null) {
    // No roles found for this URL: attach the marker attribute
    configAttr.addConfigAttribute(new SecurityConfig("ROLE_NO_ACCESS"));
    return configAttr;
}
..
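A plain-Java model, added here and not part of either post, of the default-deny lookup from the suggested step 3 feeding an affirmative vote with allowIfAllAbstainDecisions set to false. The class name, the URL table and the choice to treat an empty role list like a missing row are assumptions; none of this is Spring Security's own code.

```java
import java.util.*;
// Simplified model of the decision flow; these are NOT Spring Security classes.
public class DefaultDenyDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;
    static final String NO_ACCESS = "ROLE_NO_ACCESS";
    // Constructed stand-in for the authorization tables (URL -> roles).
    static final Map<String, List<String>> URL_ROLES = new HashMap<>();
    static {
        URL_ROLES.put("/admin/users.do", Arrays.asList("ROLE_ADMIN"));
        URL_ROLES.put("/admin/empty.do", new ArrayList<String>()); // row, no roles
    }

    // Step 3 as suggested: unknown URL (or empty role list) gets the marker, never null.
    static List<String> lookupAttributes(String url) {
        List<String> roles = URL_ROLES.get(url);
        if (roles == null || roles.isEmpty()) {
            return Collections.singletonList(NO_ACCESS);
        }
        return roles;
    }

    // Role voter with the explicit deny from the post checked first.
    static int roleVote(Set<String> authorities, List<String> attrs) {
        if (attrs.contains(NO_ACCESS)) return DENIED;
        for (String a : attrs) if (authorities.contains(a)) return GRANTED;
        return DENIED;
    }

    // Affirmative decision: one grant wins; all-abstain uses the fallback flag.
    static boolean decide(int[] votes, boolean allowIfAllAbstain) {
        boolean denied = false;
        for (int v : votes) {
            if (v == GRANTED) return true;
            if (v == DENIED) denied = true;
        }
        return !denied && allowIfAllAbstain;
    }

    static boolean isAllowed(Set<String> authorities, String url) {
        // ABSTAIN models a second voter that ignores role attributes.
        int[] votes = { roleVote(authorities, lookupAttributes(url)), ABSTAIN };
        return decide(votes, false); // allowIfAllAbstainDecisions = false
    }
    public static void main(String[] args) {
        Set<String> admin = new HashSet<>(Arrays.asList("ROLE_ADMIN"));
        for (String url : new String[] {"/admin/users.do", "/admin/print.do", "/admin/empty.do"})
            System.out.println(url + " -> " + (isAllowed(admin, url) ? "allowed" : "ACCESS DENIED"));
    }
}
```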