  • Spring security problem

    Hi guys!
    I'm very new to Roo, so maybe I will have some basic questions.

    I have a simple problem: I want to protect some views from different roles.
    For example: a user could only access the create photo section, and an admin could list them.
    This code doesn't work:
    Code:
    <intercept-url pattern="/pphotoes/create" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/pphotoes/list" access="hasRole('ROLE_ADMIN')" />
    I tried list, list.jspx; none of them are working.

    here is the complete applicationContext-security.xml file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.1.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    	<!-- HTTP security configurations -->
    	<http auto-config="true" use-expressions="true">
    		<form-login login-processing-url="/resources/j_spring_security_check"
    			login-page="/login" authentication-failure-url="/login?login_error=t" />
    		<logout logout-url="/resources/j_spring_security_logout" />
    		<!-- Configure these elements to secure URIs in your application -->
    		<intercept-url pattern="/pcustomers/**" access="hasRole('ROLE_ADMIN')" />

    		<intercept-url pattern="/pphotoes/**" access="hasRole('ROLE_ADMIN')" />
    		<intercept-url pattern="/pphotoes/create" access="hasRole('ROLE_USER')" />

    		<intercept-url pattern="/porders/create.jspx" access="hasRole('ROLE_USER')" />
    		<intercept-url pattern="/porders/list.jspx" access="hasRole('ROLE_ADMIN')" />

    		<intercept-url pattern="/member/**" access="isAuthenticated()" />
    		<intercept-url pattern="/resources/**" access="permitAll" />

    		<intercept-url pattern="/login" access="permitAll" />

    		<intercept-url pattern="/*" access="isAuthenticated()" />
    	</http>

    	<beans:bean name="AuthenticationController"
    		class="phstore.web.AuthController">
    	</beans:bean>

    	<!-- Configure Authentication mechanism -->
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="AuthenticationController" />
    	</authentication-manager>
    </beans:beans>
    User login is working, and the pcustomers views are hidden from the User role.
    How do I manage to hide some views from different roles?

  • #2
    OK, I found an interesting example in the Spring cookbook. (On page 325 according to the original page numbers.)
    There is a section named: Configuring web request security.

    I tried the example, without an LDAP backend.
    I posted my question on Stack Overflow, please check (something is wrong with the Maven build):
    http://stackoverflow.com/a/11475003/911862



    • #3
      OK. This can be easily done by editing menu.jspx.
      Code:
      <div xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:menu="urn:jsptagdir:/WEB-INF/tags/menu" xmlns:security="http://www.springframework.org/security/tags" xmlns:spring="http://www.springframework.org/tags" id="menu" version="2.0">

      Code:
      <security:authorize ifAnyGranted="ROLE_ADMIN"> .... </security:authorize>



      • #4
        Your security:authorize is absolutely required - the isAuthorized tag in Spring's security taglib is NOT security, but convenience. They could still figure out the link and call it.

        Have you tried to use <security:intercept-url /> and use the method="POST/PUT/GET/DELETE" attribute too? Wouldn't that work for different users needing different action permissions against the same URL?

        Ken

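Added example (not the original poster's file, and not from any reply above): the `<http>` block from post #1 reordered so that the more specific `/pphotoes/create` rule is reached. Spring Security evaluates `intercept-url` elements top to bottom and applies the first pattern that matches, so in the posted file `/pphotoes/**` (ROLE_ADMIN) matched `/pphotoes/create` before the ROLE_USER rule was ever consulted. The `/porders` verb-split at the end illustrates the `method` attribute suggested in post #4 and assumes a controller that reads on GET and creates on POST; the `/pcustomers`, `/pphotoes`, `/porders` and `/member` paths and the two roles are taken from the thread.

```xml
<!-- Rules are matched in document order; first match wins. -->
<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check"
        login-page="/login" authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/resources/j_spring_security_logout" />

    <!-- Public paths first, so the catch-all at the bottom cannot block them. -->
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />

    <!-- Most specific photo rules BEFORE the "/pphotoes/**" catch-all.
         In the original file the catch-all came first and swallowed /create.
         Use hasAnyRole('ROLE_USER','ROLE_ADMIN') if admins should create too. -->
    <intercept-url pattern="/pphotoes/create" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/pphotoes/list" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/pphotoes/**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/pcustomers/**" access="hasRole('ROLE_ADMIN')" />

    <!-- Same URL, different verbs (post #4's suggestion). Assumption for this
         example: GET /porders lists orders, POST /porders creates one. -->
    <intercept-url pattern="/porders" method="POST" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/porders" method="GET" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/porders/**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/member/**" access="isAuthenticated()" />

    <!-- Catch-all last. "/**" also covers nested paths such as /a/b/c,
         whereas the "/*" used in the posted file matches only one segment,
         leaving deeper URLs without any rule. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
```

Hiding a link with `<security:authorize>` in menu.jspx only tidies the menu; the `intercept-url` rules above are what actually deny the request when a user types the URL directly, which is the point Ken makes in post #4.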