<h2>Disclaimer</h2>
<p>As the Spring Security <a href="http://docs.spring.io/spring-security/site/faq/faq.html#faq-dynamic-url-metadata" rel="nofollow noreferrer">FAQ</a> mentions, the first thing you should do is ask "should I really do this?" Security is complicated and the configuration should be tested extensively. Allowing the configuration to change dynamically only further complicates things, making the application that much more vulnerable. If you really want to do this, the FAQ outlines a basic method to accomplish this. I have expanded upon the FAQ's answer below.</p>
<h2>Implement Custom FilterInvocationSecurityMetadataSource</h2>
<p>To obtain the security URL mappings dynamically you can implement your own FilterInvocationSecurityMetadataSource. An example implementation is given below.</p>
<p><strong>NOTE:</strong> Keep in mind that getAttributes will be invoked for every request that Spring Security intercepts, so you will most likely want some sort of caching.</p>
<pre><code>import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class JdbcFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    // Called for every request that Spring Security intercepts
    public Collection&lt;ConfigAttribute&gt; getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation fi = (FilterInvocation) object;
        String url = fi.getRequestUrl();
        HttpServletRequest request = fi.getHttpRequest();

        // Instead of hard-coding the roles, look up the roles from the database
        // using the url and/or HttpServletRequest.
        // Do not forget to add caching of the lookup.
        String[] roles = new String[] { "ROLE_ADMIN", "ROLE_USER" };
        return SecurityConfig.createList(roles);
    }

    public Collection&lt;ConfigAttribute&gt; getAllConfigAttributes() {
        return null;
    }

    public boolean supports(Class&lt;?&gt; clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
</code></pre>
<h2>Create a BeanPostProcessor</h2>
<p>You cannot use the namespace to wire it up, so taking another <a href="http://docs.spring.io/spring-security/site/faq/faq.html#faq-namespace-post-processor" rel="nofollow noreferrer">tip from the FAQ</a> you can use a BeanPostProcessor which might look like:</p>
<pre><code>import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.util.Assert;

public class FilterInvocationSecurityMetadataSourcePostProcessor implements BeanPostProcessor, InitializingBean {
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    // Swap in the custom metadata source once the interceptor has been initialized
    public Object postProcessAfterInitialization(Object bean, String name) {
        if (bean instanceof FilterSecurityInterceptor) {
            ((FilterSecurityInterceptor) bean).setSecurityMetadataSource(securityMetadataSource);
        }
        return bean;
    }

    public Object postProcessBeforeInitialization(Object bean, String name) {
        return bean;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(securityMetadataSource, "securityMetadataSource cannot be null");
    }
}
</code></pre>
<h2>XML Configuration</h2>
<p>Then, assuming both of the above beans are in the package sample, you would add the following configuration:</p>
<pre><code>&lt;bean class="sample.FilterInvocationSecurityMetadataSourcePostProcessor"&gt;
    &lt;property name="securityMetadataSource"&gt;
        &lt;bean class="sample.JdbcFilterInvocationSecurityMetadataSource"/&gt;
    &lt;/property&gt;
&lt;/bean&gt;
</code></pre>
<h2>Possible Problems</h2>
<p>If you end up getting a ClassCastException, you are likely running into <a href="https://jira.springsource.org/browse/SEC-1957" rel="nofollow noreferrer">SEC-1957</a> which was fixed in Spring Security 3.1.1+. Try updating to the latest version to resolve this.</p>
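<p>One way to fill in the database lookup and the caching that the note above asks for, as an added example that is not part of the original answer or of Spring Security itself: the rule set is reloaded at most once per minute, and a URL that matches no rule is denied, because a null or empty attribute collection makes the interceptor treat the request as public unless rejectPublicInvocations is set. The class name, the <code>url_role</code> table, the 60-second TTL and the <code>ROLE_DENY_ALL</code> role (assumed to be granted to nobody and evaluated by the default RoleVoter) are assumptions.</p>

```java
import java.util.*;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

public class CachingJdbcSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    // Hypothetical table: url_role(pattern VARCHAR, role VARCHAR, priority INT)
    private static final String SQL = "SELECT pattern, role FROM url_role ORDER BY priority, pattern";
    // Hypothetical role granted to nobody, so unmapped URLs are denied instead of public
    private static final List<ConfigAttribute> DENY = SecurityConfig.createList("ROLE_DENY_ALL");
    private static final long TTL_MILLIS = 60000L;

    private final JdbcTemplate jdbc;
    private final AntPathMatcher matcher = new AntPathMatcher();
    private volatile Map<String, List<ConfigAttribute>> rules = Collections.emptyMap();
    private volatile long loadedAt; // 0 forces a load on the first request
    public CachingJdbcSecurityMetadataSource(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q); // match on the path, not the query string
        if (System.currentTimeMillis() - loadedAt > TTL_MILLIS) reload();
        for (Map.Entry<String, List<ConfigAttribute>> e : rules.entrySet()) {
            if (matcher.match(e.getKey(), path)) return e.getValue(); // first rule by priority wins
        }
        return DENY; // fail closed: never return null or an empty list here
    }
    // A failed query throws, so the request fails instead of running with no rules
    private synchronized void reload() {
        if (System.currentTimeMillis() - loadedAt <= TTL_MILLIS) return; // another thread reloaded
        Map<String, List<ConfigAttribute>> fresh = new LinkedHashMap<String, List<ConfigAttribute>>();
        for (Map<String, Object> row : jdbc.queryForList(SQL)) {
            String pattern = (String) row.get("pattern");
            if (!fresh.containsKey(pattern)) fresh.put(pattern, new ArrayList<ConfigAttribute>());
            fresh.get(pattern).add(new SecurityConfig((String) row.get("role")));
        }
        rules = fresh; // publish the complete snapshot before the timestamp
        loadedAt = System.currentTimeMillis();
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() { return null; }

    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

<p>A rule change in the database takes effect within one TTL period, so a revoked permission can remain usable for up to 60 seconds with the value assumed here.</p>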
 
