Get Spring Security intercept urls from database or properties


Problem description

Hopefully this is super simple, exists, and I'm overlooking something right under my nose. I know that I can restrict access via annotations:

@Secured({"ROLE_ADMIN"})

or via config:

<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" />

I would prefer to obtain authentication rules from a database, something like:

<security:intercept-url provider="authProvider"/>

<bean id="authProvider" class="AuthProviderImpl">
    <property name="userDetailsService" ref="userDetailsService"/>
</bean>

Worst case scenario, there has to be a way to populate via a properties file right?...

/admin/**=ROLE_ADMIN
/**=ROLE_USER

<security:intercept-url props="classpath:urls.properties"/>

etc.

Please tell me this exists or my brain will explode!!! The Grails spring-security plugin ships with this out of the box so I know this has to exist. Please don't let my brain explode!!!

EDIT:

Figured it out...

You have to provide a custom org.springframework.security.intercept.web.FilterSecurityInterceptor and provide the objectDefinitionSource:

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**login.html=IS_AUTHENTICATED_ANONYMOUSLY
            /user/**=ROLE_ADMIN
        </value>
    </property>
</bean>

And I think I'm going to use a FactoryBean:

public class RequestMappingFactoryBean implements FactoryBean {

    private final static String EOL = System.getProperty("line.separator");

    public Object getObject() throws Exception {
        StringBuffer sb = new StringBuffer();
        sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");
        sb.append(EOL);
        sb.append("PATTERN_TYPE_APACHE_ANT");
        sb.append(EOL);
        sb.append("/**login.html=IS_AUTHENTICATED_ANONYMOUSLY");
        sb.append(EOL);
        sb.append("/user/**=ROLE_ADMIN");
        return sb.toString();
    }

    @SuppressWarnings("unchecked")
    public Class getObjectType() {
        return String.class;
    }

    public boolean isSingleton() {
        return true;
    }

}

Pass it a DAO, etc.

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource" ref="requestMappings" />
</bean>

<bean id="requestMappings" class="RequestMappingFactoryBean" />

Solution

It's been a while, but you can create a Voter object which helps decide whether to allow access to a URL. The Voter object can load data from the database, or a file, or just randomly return Allow, Deny, or Abstain.
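
The Voter approach from the answer, as an added example (not code from the original post), written against the Spring Security 2.x packages that appear in the question. `UrlRuleVoter` and its one-rule-per-line input are hypothetical; the voter applies the first matching pattern in file order and denies any URL that no rule covers.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.vote.AccessDecisionVoter;
import org.springframework.util.AntPathMatcher;

// Hypothetical voter: reads "pattern=ROLE" lines (the format shown in the question).
public class UrlRuleVoter implements AccessDecisionVoter {

    // LinkedHashMap keeps file order; java.util.Properties would not, and
    // first-match-wins only works if /admin/** is tested before /**.
    private final Map<String, String> rules = new LinkedHashMap<String, String>();
    private final AntPathMatcher matcher = new AntPathMatcher();

    public UrlRuleVoter(Reader source) throws IOException {
        BufferedReader in = new BufferedReader(source);
        for (String line; (line = in.readLine()) != null; ) {
            int eq = line.indexOf('=');
            if (eq > 0) {
                rules.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
    }

    public boolean supports(ConfigAttribute attribute) { return true; }
    public boolean supports(Class clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }

    public int vote(Authentication auth, Object object, ConfigAttributeDefinition config) {
        String url = ((FilterInvocation) object).getRequestUrl().toLowerCase();
        int query = url.indexOf('?');
        if (query >= 0) url = url.substring(0, query); // match on the path only
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (!matcher.match(rule.getKey(), url)) continue;
            for (GrantedAuthority granted : auth.getAuthorities()) {
                if (rule.getValue().equals(granted.getAuthority())) return ACCESS_GRANTED;
            }
            return ACCESS_DENIED; // the first matching pattern decides
        }
        return ACCESS_DENIED; // no rule for this URL: fail closed
    }
}
```

The FilterSecurityInterceptor only consults its voters for URLs that its objectDefinitionSource returns attributes for, so that source still needs a catch-all entry such as `/**` for this voter to see every request.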
