从数据库或属性获取Spring Security拦截URL

希望这是非常简单的,存在的,而且我正在俯视我的鼻子下面的东西。我知道我可以通过注释限制访问:

@Secured({"ROLE_ADMIN"})

或通过配置:

<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" />

我希望从数据库中获取身份验证规则,例如:

<security:intercept-url provider="authProvider"/>

<bean id="authProvider" class="AuthProviderImpl">

<property name="userDetailsService" ref="userDetailsService"/>

</bean>

最坏的情况是,必须有一种通过属性文件填充的方法吗?

/admin/**=ROLE_ADMIN

/**=ROLE_USER

<security:intercept-url props="classpath:urls.properties"/>

等等

请告诉我这存在,否则我的大脑会爆炸!!!Grails的spring-security插件开箱即用,所以我知道这必须存在。请不要让我的大脑爆炸!!!

编辑:

弄清楚了…

您必须提供一个自定义org.springframework.security.intercept.web.FilterSecurityInterceptor并提供objectDefinitionSource

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">

<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />

<property name="authenticationManager" ref="authenticationManager" />

<property name="accessDecisionManager" ref="accessDecisionManager" />

<property name="objectDefinitionSource">

<value>

CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON

PATTERN_TYPE_APACHE_ANT

/**login.html=IS_AUTHENTICATED_ANONYMOUSLY

/user/**=ROLE_ADMIN

</value>

</property>

</bean>

我想我将使用FactoryBean:

public class RequestMappingFactoryBean implements FactoryBean {

private final static String EOL = System.getProperty("line.separator");

public Object getObject() throws Exception {

StringBuffer sb = new StringBuffer();

sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");

sb.append(EOL);

sb.append("PATTERN_TYPE_APACHE_ANT");

sb.append(EOL);

sb.append("/**login.html=IS_AUTHENTICATED_ANONYMOUSLY");

sb.append(EOL);

sb.append("/user/**=ROLE_ADMIN");

return sb.toString();

}

@SuppressWarnings("unchecked")

public Class getObjectType() {

return String.class;

}

public boolean isSingleton() {

return true;

}

}

将其传递给DAO等

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">

<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />

<property name="authenticationManager" ref="authenticationManager" />

<property name="accessDecisionManager" ref="accessDecisionManager" />

<property name="objectDefinitionSource" ref="requestMappings" />

</bean>

<bean id="requestMappings" class="RequestMappingFactoryBean" />

回答:

已经有一段时间了,但是您可以创建Voter对象,该对象可以帮助决定是否允许访问URL。Voter对象可以从数据库或文件中加载数据,或者只是随机返回Allow,Deny或Abstain。

以上是 从数据库或属性获取Spring Security拦截URL 的全部内容, 来源链接: utcz.com/qa/407975.html

回到顶部