SimpleFormController security check

[bobmanc]

I would like to look at a users session info after they attemp to access a SimpleFormController. If they are not authorized I want to redirect them to an error page. It would seem like you should be able to override handleRequestInternal and check there but it is marked as final in the AbstractFormController. I can't seem to find a place to put the code that could redirect to the error page.

[Alef Arendsen]

Checking things before and after the calling of a controller can be done using handler interceptors. Have a look at the reference manual (sect. 12.4.3). Inside a HandlerInterceptor you can check what controller is being called so you should be able to perform your checks there.

Alef

[Luke Taylor]

Hi,

You could do this by adding an interceptor to your handler mappings in your spring-servlet.xml file

e.g.

Code:

  <bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="interceptors">
      <list>
        <ref local="accessControlInterceptor"/>
      </list>
    </property>
    <property name="mappings">
      <props>
  ...

and

Code:

  <bean id="acessControlInterceptor" class="mypkg.AccessControlInterceptor">
  </bean>

Your interceptor class should extend

org.springframework.web.servlet.handler.HandlerInt erceptorAdapter

http://monkeymachine.co.uk/spring/xr...orAdapter.html

and override the preHandle method. Look at the Javadoc for HandlerInterceptor:

http://monkeymachine.co.uk/spring/ap...terceptor.html

HTH,

Luke.

[bobmanc]

Thanks. The current app I'm working on needs to check before every form is displayed. Rather than hide this in the interceptor I would rather do it in the controller. This seemed like such an obvious thing that I figured I just missed something. I guess I can create my own Abstract controller if the interceptor is the only way.

[davison]

Thanks. The current app I'm working on needs to check before every form is displayed.

Do you mean for multiple form controllers? The interceptor can be wrapped around any number of form controllers making it still the best choice for what you want to do. Here's an example from the PetStore sample shipped with Spring..

Code:

<bean id="secureHandlerMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
		<property name="interceptors">
			<list>
				<ref bean="signonInterceptor"/>
			</list>
		</property>
		<property name="urlMap">
			<map>
				<entry key="/shop/editAccount.do"><ref local="secure_editAccount"/></entry>
				<entry key="/shop/listOrders.do"><ref local="secure_listOrders"/></entry>
				<entry key="/shop/newOrder.do"><ref local="secure_newOrder"/></entry>
				<entry key="/shop/viewOrder.do"><ref local="secure_viewOrder"/></entry>
			</map>
		</property>
	</bean>

Logically too, that behaviour belongs somewhere outside of the controller.

[irbouho]

Thanks. The current app I'm working on needs to check before every form is displayed.

You can also use a Filter to check for user signon. Filters can access HttpSession attributes as well as Spring Framework WebContext (Using WebApplicationContextUtils).

[mraible]

You could override the showForm() method. For example:

Code:

    protected ModelAndView showForm(HttpServletRequest request,
            HttpServletResponse response, BindException errors) throws Exception {
        if (value-from-database-is-bad) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return super.showForm(request, response, errors);
    }

Matt

[lemiorhan]

Hi,

It is not the best way but you may control if the requester is authorized in the first line of the onSubmit, referenceData and formBackingObject. For example,

Code:

protected ModelAndView onSubmit(.....) throws Exception {
    HttpSession session = request.getSession(false);
    isSessionValid(session);
    ...
}

isSessionValid(session) checks all controls.

--
Lemi Orhan Ergin