How to dynamically decide <intercept-url> access attribute value in Spring Security?

  • How to dynamically decide <intercept-url> access attribute value in Spring Security?

    In Spring Security we use the intercept-url tag to define the access for URLs as below:

    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/student" access="ROLE_STUDENT" />

    This is hard-coded in applicationContext-security.xml. I want to read the access values from a database table instead. I have defined my own UserDetailsService and I read the roles for the logged-in user from the database. How do I assign these roles to the URL patterns at runtime?

  • #2
    Do you mean at startup or every time someone accesses a URL?

    If at startup, you could write a custom PropertyPlaceholderConfigurer and replace the access attributes with placeholders.


    • #3
      I store the URL patterns and the roles which can access the patterns in a database table. Something like:

      URL Pattern    Roles
      /student       ROLE_STUDENT
      /admin         ROLE_ADMIN

      When I load the application I read the values from the database and want to set the access as per these values. Essentially I want to perform the function of the <intercept-url> tag using the values from the database.

      In short, I do not want to hard-code the URL patterns and the roles in applicationConfig-security.xml. Instead I want to load them from a database table.


      • #4
        I put an answer to your question at Stack Overflow:


        • #5
          You'll find a FAQ entry on this.


          • #6
            I followed the FAQ and the SO answer and some other tutorials. I have created my own filter chain as below:

            <beans:bean id="springSecurityFilterChain"
            class=" nProxy">
            <filter-chain-map path-type="ant">
            <filter-chain pattern="/css/**" filters="none" />
            <filter-chain pattern="/images/**" filters="none" />
            <filter-chain pattern="/Login.xhtml" filters="none" />
            <filter-chain pattern="/j_spring_security_check" filters="none" />
            <filter-chain pattern="/securepage.xhtml" filters="
            filterSecurityInterceptor" />

            I can access all pages directly except securepage.xhtml, for which I get the login page. This is as expected. But when I try to log in I get an error saying /j_spring_security_check is not available.

            If I simply use the namespace configuration http tag I can access /j_spring_security_check. But since I am using my own filter chain I have removed the http tag.

            I guess I am missing something which is set up by the http tag. Sorry, but I am really new to Spring Security. Maybe I am missing the most obvious thing.


            • #7
              I have attached the contents of my applicationContext-security.xml if those would be helpful.

              Shortly, the problem is there is no https://localhost/myapp/j_spring_security_check resource for this configuration.

              If I insert
              <http><form-login login-page="/Login.xhtml" /></http> into the above file then /j_spring_security_check is accessible, but then my springSecurityFilterChain has no effect.

              So I think I am missing something which <http><form-login /></http> does.


              • #8
                You have "filters='none'" for the "/j_spring_security_check" URL, so there is nothing available to handle it.


                • #9
                  Thanks Luke!

                  (I need to study a lot about Spring!)
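
One way to load the URL-pattern-to-role mapping asked about in #3 from a database at startup, as an added example that is not code from any poster in this thread. It assumes the Spring Security 3.x API; the table url_access, its columns pattern, roles and position, and the ROLE_NO_ACCESS attribute are hypothetical names chosen for illustration.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

public class DbUrlRoleMetadataSource implements FilterInvocationSecurityMetadataSource {
    // Hypothetical attribute granted to nobody: a URL with no rule is denied, not left public.
    private static final Collection<ConfigAttribute> DENY = SecurityConfig.createList("ROLE_NO_ACCESS");
    private final AntPathMatcher matcher = new AntPathMatcher();
    // LinkedHashMap keeps the database order, so the first matching pattern wins.
    private final Map<String, Collection<ConfigAttribute>> rules =
            new LinkedHashMap<String, Collection<ConfigAttribute>>();

    public DbUrlRoleMetadataSource(JdbcTemplate jdbc) {
        // Assumed schema: url_access(pattern, roles, position); roles is comma-separated.
        for (Map<String, Object> row : jdbc.queryForList(
                "SELECT pattern, roles FROM url_access ORDER BY position")) {
            rules.put((String) row.get("pattern"),
                    SecurityConfig.createListFromCommaDelimitedString((String) row.get("roles")));
        }
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');               // match on the path only, not the query string
        if (q >= 0) url = url.substring(0, q);
        for (Map.Entry<String, Collection<ConfigAttribute>> e : rules.entrySet()) {
            if (matcher.match(e.getKey(), url)) return e.getValue();
        }
        return DENY;                            // returning null here would leave the URL unsecured
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new LinkedHashSet<ConfigAttribute>();
        for (Collection<ConfigAttribute> c : rules.values()) all.addAll(c);
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

The bean is set as the securityMetadataSource property of the FilterSecurityInterceptor. Rows must be ordered most specific first, since a broad pattern such as /** placed earlier shadows every rule after it.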