spring security:intercept-url 模式访问="#id == 1 [英] spring security:intercept-url pattern access="#id == 1

问题描述

我的项目是 iam spring security 3.1.3 和 mvc 3.2

i have project were iam spring security 3.1.3 and mvc 3.2

我也希望在路径中的用户 ID 与主体用户 ID 匹配时允许 url

i want too allow a url wehen in the userid in the path is matching the principal userid

    <security:intercept-url pattern="/user/{id}/edit" access="#id == principal.userId"/>

http use-expressions 它设置为 true，当尝试 principal.userId == 1 时它可以工作，但我需要使用从 url 中提取的值.

http use-expressions it set to true and when a try principal.userId == 1 it works but i need to use the extracted value from the url.

我已经尝试了所有可能的组合.

i already tried all possible combinations.

推荐答案

这是不可能的.但还有另一种方式.您可以定义自己的网络表达式，负责从 URL 中提取 id 参数.它可能看起来像这样:

It's not possible. But there is another way. You can define you own web expression that will be responsible for extracting of id parameter from URL. It may looks like that:

<security:intercept-url pattern="/user/{id}/edit" access="getIdUrlPathParameter() == principal.userId"/>

为此，您需要:
1. 添加扩展WebSecurityExpressionRoot的CustomWebSecurityExpressionRoot
2.增加getIdUrlPathParameter()方法.它将有权访问 HttpServletRequest 对象.
3. 定义扩展DefaultWebSecurityExpressionHandler 的CustomWebSecurityExpressionHandler.覆盖 createSecurityExpressionRoot 方法并在此处使用您的 CustomWebSecurityExpressionRoot.
4.定义自定义访问决策管理器(xml如下)
5. 通过 access-decision-manager-ref 属性将其注入您的 http 元素

To do so you need:
1. Add CustomWebSecurityExpressionRoot that extends WebSecurityExpressionRoot
2. Add getIdUrlPathParameter() method. It will have access to HttpServletRequest object.
3. Define CustomWebSecurityExpressionHandler that extends DefaultWebSecurityExpressionHandler. Override createSecurityExpressionRoot method abd use your CustomWebSecurityExpressionRoot here.
4. Define custom access decision manager (xml below)
5. Inject it into your http element via access-decision-manager-ref attribute

<security:http access-decision-manager-ref="customAccessDecisionManagerBean" >
    <security:intercept-url pattern="/user/{id}/edit" access="getIdUrlPathParameter() == principal.userId"/>
</security:http>
<bean id="customWebSecurityExpressionHandler" class="com.domain.security.CustomWebSecurityExpressionHandler"/>
<bean id="customAccessDecisionManagerBean" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
            </bean>
        </list>
    </property>
</bean>

这篇关于spring security:intercept-url 模式访问="#id == 1的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！