春季安全性:拦截URL模式访问=“#id == 1 [英] spring security:intercept-url pattern access="#id == 1

问题描述

我的项目分别是iam spring security 3.1.3和mvc 3.2

i have project were iam spring security 3.1.3 and mvc 3.2

我也希望允许路径中的用户ID与主体用户ID匹配的网址

i want too allow a url wehen in the userid in the path is matching the principal userid

    <security:intercept-url pattern="/user/{id}/edit" access="#id == principal.userId"/>

http use-expressions设置为true，并且当tryPrincipal.userId == 1时可以工作，但是我需要使用从URL中提取的值.

http use-expressions it set to true and when a try principal.userId == 1 it works but i need to use the extracted value from the url.

我已经尝试了所有可能的组合.

i already tried all possible combinations.

推荐答案

这是不可能的.但是还有另一种方式.您可以定义自己的网络表达式，该表达式将负责从URL中提取id参数.可能看起来像这样:

It's not possible. But there is another way. You can define you own web expression that will be responsible for extracting of id parameter from URL. It may looks like that:

<security:intercept-url pattern="/user/{id}/edit" access="getIdUrlPathParameter() == principal.userId"/>

为此，您需要:
1.添加扩展 WebSecurityExpressionRoot 的CustomWebSecurityExpressionRoot
2.添加getIdUrlPathParameter()方法.它将有权访问HttpServletRequest对象.
3.定义扩展 DefaultWebSecurityExpressionHandler 的CustomWebSecurityExpressionHandler.覆盖createSecurityExpressionRoot方法，然后在此处使用CustomWebSecurityExpressionRoot.
4.定义自定义访问决策管理器(下面的xml)
5.通过access-decision-manager-ref属性将其注入您的 http 元素

To do so you need:
1. Add CustomWebSecurityExpressionRoot that extends WebSecurityExpressionRoot
2. Add getIdUrlPathParameter() method. It will have access to HttpServletRequest object.
3. Define CustomWebSecurityExpressionHandler that extends DefaultWebSecurityExpressionHandler. Override createSecurityExpressionRoot method abd use your CustomWebSecurityExpressionRoot here.
4. Define custom access decision manager (xml below)
5. Inject it into your http element via access-decision-manager-ref attribute

<security:http access-decision-manager-ref="customAccessDecisionManagerBean" >
    <security:intercept-url pattern="/user/{id}/edit" access="getIdUrlPathParameter() == principal.userId"/>
</security:http>
<bean id="customWebSecurityExpressionHandler" class="com.domain.security.CustomWebSecurityExpressionHandler"/>
<bean id="customAccessDecisionManagerBean" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
            </bean>
        </list>
    </property>
</bean>

这篇关于春季安全性:拦截URL模式访问=“#id == 1的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！