Testing whether user has access to certain URLs

    I'm iterating over the list of HandlerMethods which Spring did identify. I want to know, to which of those the currently logged in user has access.

    So I have access to the HandlerMethod, the RequestMappingInfo which was used (@RequestMapping annotation), the URL which stands for the HandlerMethod and of course the principal.

    Is there any chance to identify, to which of a list of HandlerMethods the user has access with the information I have present?


  • #2
    After a lot of research I was btw able to get this problem addressed now on my own.

    Getting achieved what I wanted was actually a 2-step process.
    • Getting to know whether the user may enter the URL at all. This can be very easily achieved using WebInvocationPrivilegeEvaluator, which is normally registered as a bean already and can therefore be injected. It's just a matter of calling
      privilegeEvaluator.isAllowed(contextPath, url, "GET", currentUser);
    • The second part is a little bit more advanced. Unfortunately the first part does not analyze any @PreAuthorize annotations on the HandlerMethods. This goes back to the answer which has been given in this thread:

      Now what I actually did was going all the way of identifying whether the user may access the handler method "by hand". Well, actually I just stumbled together all the method calls which in the end return a true or false.
      Here is the code to achieve this:
      import java.util.Collection;
      import org.aopalliance.intercept.MethodInvocation;
      import org.springframework.security.access.ConfigAttribute;
      import org.springframework.security.access.expression.method.*;
      import org.springframework.security.access.prepost.*;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.util.MethodInvocationUtils;
      import org.springframework.web.method.HandlerMethod;

      private boolean isAllowedByAnnotation(Authentication currentUser, HandlerMethod method) {
          PreInvocationAuthorizationAdvice advice = new ExpressionBasedPreInvocationAdvice();
          PreInvocationAuthorizationAdviceVoter voter = new PreInvocationAuthorizationAdviceVoter(advice);
          MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
          PrePostInvocationAttributeFactory factory = new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
          PrePostAnnotationSecurityMetadataSource metadataSource = new PrePostAnnotationSecurityMetadataSource(factory);
          Class<?> controller = method.getBeanType();
          // Synthetic invocation, matched by method name only and carrying no argument values
          MethodInvocation mi = MethodInvocationUtils.createFromClass(controller, method.getMethod().getName());
          Collection<ConfigAttribute> attributes = metadataSource.getAttributes(method.getMethod(), controller);
          // The voter abstains when there is no @PreAuthorize, which counts as "not granted" here
          return PreInvocationAuthorizationAdviceVoter.ACCESS_GRANTED == voter.vote(currentUser, mi, attributes);
      }

    If someone has any better idea to solve this, I'm happy to listen; otherwise, anyone else feel free to work with that if you need something similar.
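Pulling the two steps together, as an added example that is not from this thread: a bean (hypothetical name AccessibleUrlLister) that walks RequestMappingHandlerMapping.getHandlerMethods() and keeps the GET URL patterns that pass both the WebInvocationPrivilegeEvaluator check and the @PreAuthorize check, treating a voter abstention (no annotation present) as "not denied" rather than as a failure. It assumes Spring MVC 3.1+ and Spring Security 3.x APIs, and note that the synthetic MethodInvocation carries no argument values, so a @PreAuthorize expression that refers to method parameters (such as #id) cannot be evaluated this way.

```java
import java.util.*;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.*;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.access.prepost.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.MethodInvocationUtils;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

/** Hypothetical example bean: lists the GET URL patterns the current user may call. */
public class AccessibleUrlLister {
    @Autowired private RequestMappingHandlerMapping handlerMapping;      // from <mvc:annotation-driven>
    @Autowired private WebInvocationPrivilegeEvaluator privilegeEvaluator; // from the <http> config
    private final PreInvocationAuthorizationAdviceVoter voter;
    private final PrePostAnnotationSecurityMetadataSource metadataSource;

    public AccessibleUrlLister() {
        // One expression handler shared by the advice and the attribute factory
        MethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        ExpressionBasedPreInvocationAdvice advice = new ExpressionBasedPreInvocationAdvice();
        advice.setExpressionHandler(handler);
        voter = new PreInvocationAuthorizationAdviceVoter(advice);
        metadataSource = new PrePostAnnotationSecurityMetadataSource(new ExpressionBasedAnnotationAttributeFactory(handler));
    }

    public List<String> accessibleGetUrls(String contextPath) {
        Authentication user = SecurityContextHolder.getContext().getAuthentication();
        List<String> allowed = new ArrayList<String>();
        for (Map.Entry<RequestMappingInfo, HandlerMethod> e : handlerMapping.getHandlerMethods().entrySet()) {
            for (String pattern : e.getKey().getPatternsCondition().getPatterns()) {
                // Step 1: intercept-url rules, evaluated the same way the filter chain would
                if (!privilegeEvaluator.isAllowed(contextPath, pattern, "GET", user)) continue;
                // Step 2: @PreAuthorize on the handler method (or its controller class)
                if (allowedByAnnotation(user, e.getValue())) allowed.add(pattern);
            }
        }
        return allowed;
    }

    private boolean allowedByAnnotation(Authentication user, HandlerMethod hm) {
        Class<?> controller = hm.getBeanType();
        Collection<ConfigAttribute> attrs = metadataSource.getAttributes(hm.getMethod(), controller);
        MethodInvocation mi = MethodInvocationUtils.createFromClass(controller, hm.getMethod().getName());
        // ACCESS_ABSTAIN means no @PreAuthorize is present: only an explicit denial blocks the URL
        return voter.vote(user, mi, attrs) != AccessDecisionVoter.ACCESS_DENIED;
    }
}
```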