SpringSecurity 2.02, How to do url resource write in database

  • #16
    Originally posted by jerryag
    Hello.

    Can you show the entire applicationContext.xml (because I have doubts about how other related beans are declared).

    Thanks in advance.

    Jerry - Brazil
    Hello Jerry, follow my explanation, especially since in the last post I included the complete applicationContext.xml; follow the thread (this very one) and look at the last pages.



    • #17
      Originally posted by sousa1981
      Hello Jerry, follow my explanation, especially since in the last post I included the complete applicationContext.xml; follow the thread (this very one) and look at the last pages.
      Thanks Sousa! I'll follow your instructions in the tutorial you posted.

      Thanks Sousa! I'll follow the directions posted by you.



      • #18
        Hello Sousa1981, in my post:
        http://forum.springframework.org/sho...2&postcount=12

        Code:
        import java.util.Iterator;
        import java.util.List;
        // (framework imports omitted, as in the original post)

        public class ObjectDefinitionSource extends PathBasedFilterInvocationDefinitionMap {

            private MyManager userManager;

            public ConfigAttributeDefinition lookupAttributes(String url) {
                ConfigAttributeDefinition configAttr = null;

                try {
                    // ... (earlier code omitted by the poster)
                    String trimmedUrl = transfrom(url);
                    List roleNamesList = userManager.findRolesByUrl(trimmedUrl);
                    // If the URL has roles associated, build the attribute definition
                    if (roleNamesList.size() != 0)
                        configAttr = new ConfigAttributeDefinition();
                    Iterator it = roleNamesList.iterator();
                    while (it.hasNext()) {
                        String s = (String) it.next();
                        configAttr.addConfigAttribute(new SecurityConfig(s));
                    }
                    // Register the URL only when roles were found for it
                    if (configAttr != null)
                        addSecureUrl(trimmedUrl, configAttr);
                } catch (Exception e) {
                    configAttr = null;
                }

                // null here means no roles are mapped to the URL
                return configAttr;
            }
        }

        Why can I access a URL that is not mapped without receiving an AccessDenied message?

        thanks



        • #19
          I would suggest you look at the Spring documentation for "org.springframework.security.vote.AffirmativeBased" and "allowIfAllAbstainDecisions":

          Code:
          <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
              <property name="allowIfAllAbstainDecisions" value="false" />
              <property name="decisionVoters">
                  <list>
                      <bean class="org.springframework.security.vote.RoleVoter">
                          <property name="rolePrefix" value="" />
                      </bean>
                      <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
                  </list>
              </property>
          </bean>

          For example, for the procedure below to work:

          I overrode lookupAttributes() like this:
          1) Check if the URL exists in my authorization tables
          2) If the URL exists, read the ROLES and populate the 'ConfigAttributeDefinition' object
          3) If the URL does not exist, then return NULL

          I suggest modifying step 3 to be: if the URL does not exist, then associate it with a ROLE without access, so it will receive an AccessDenied message.

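The difference between the original step 3 and the suggested one, as an added example that is not part of the original posts and is not Spring Security code: a dependency-free Java model which assumes, as the framework's security interceptor does, that a null attribute set marks the URL as public and the voters are never consulted. The class and method names and the `/admin/list.do` table entry are constructed for illustration; the single voter models the `RoleVoter` with empty `rolePrefix` from the configuration above.

```java
import java.util.*;

/** Dependency-free model (not Spring code) of how an unmapped URL is decided. */
public class UnmappedUrlDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;
    static final String NO_ACCESS = "ROLE_NO_ACCESS"; // a role no user holds

    // Constructed stand-in for the authorization tables: URL -> required roles.
    static final Map<String, List<String>> DB = new HashMap<>();
    static { DB.put("/admin/list.do", Arrays.asList("ROLE_ADMIN")); }

    /** Step 3: return null (original) or a no-access attribute (suggested). */
    static List<String> lookupAttributes(String url, boolean defaultDeny) {
        List<String> roles = DB.get(url);
        if (roles != null && !roles.isEmpty()) return roles;
        return defaultDeny ? Collections.singletonList(NO_ACCESS) : null;
    }

    /** RoleVoter with rolePrefix "": every attribute counts as a role. */
    static int roleVote(Set<String> granted, List<String> attrs) {
        for (String a : attrs) if (granted.contains(a)) return GRANTED;
        return attrs.isEmpty() ? ABSTAIN : DENIED;
    }

    /** Interceptor plus AffirmativeBased, reduced to the single RoleVoter. */
    static boolean isAllowed(String url, Set<String> granted,
                             boolean defaultDeny, boolean allowIfAllAbstain) {
        List<String> attrs = lookupAttributes(url, defaultDeny);
        // Null attributes: the URL is treated as public and no voter is asked,
        // so allowIfAllAbstainDecisions has no influence on this path.
        if (attrs == null) return true;
        int vote = roleVote(granted, attrs);
        if (vote == GRANTED) return true;
        if (vote == DENIED) return false;  // surfaces as AccessDenied
        return allowIfAllAbstain;          // reached only if every voter abstains
    }

    public static void main(String[] args) {
        Set<String> user = new HashSet<>(Arrays.asList("ROLE_USER"));
        // Unmapped URL, original step 3 (lookup returns null).
        System.out.println(isAllowed("/admin/print.do", user, false, false));
        // Unmapped URL, suggested step 3 (lookup returns ROLE_NO_ACCESS).
        System.out.println(isAllowed("/admin/print.do", user, true, false));
        // Mapped URL whose role the user does not hold.
        System.out.println(isAllowed("/admin/list.do", user, false, false));
    }
}
```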


          • #20
            Originally posted by sousa1981
            .....
            3) If the URL does not exist, then return NULL

            I suggest modifying step 3 to be: if the URL does not exist, then associate it with a ROLE without access, so it will receive an AccessDenied message.
            Thanks, it works:
            A solution as simple as it is effective.



            • #21
              You are welcome



              • #22
                Originally posted by sousa1981
                I would suggest you look at the Spring documentation for "org.springframework.security.vote.AffirmativeBased" and "allowIfAllAbstainDecisions":

                Code:
                <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
                    <property name="allowIfAllAbstainDecisions" value="false" />
                    <property name="decisionVoters">
                        <list>
                            <bean class="org.springframework.security.vote.RoleVoter">
                                <property name="rolePrefix" value="" />
                            </bean>
                            <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
                        </list>
                    </property>
                </bean>

                For example, for the procedure below to work:

                I overrode lookupAttributes() like this:
                1) Check if the URL exists in my authorization tables
                2) If the URL exists, read the ROLES and populate the 'ConfigAttributeDefinition' object
                3) If the URL does not exist, then return NULL

                I suggest modifying step 3 to be: if the URL does not exist, then associate it with a ROLE without access, so it will receive an AccessDenied message.

                Hello, I have a strange problem with this.
                Code:
                public class RoleVoterImp extends RoleVoter {
                
                	public int vote(Authentication authentication, Object object,
                			ConfigAttributeDefinition config) {
                		if(config.contains(new SecurityConfig("ROLE_NO_ACCESS"))){
                				return AccessDecisionVoter.ACCESS_DENIED;
                		}
                		return super.vote(authentication, object, config);
                	}
                }

                Correctly, the menu URLs that are not in the DB are not displayed, but in practice I can still get the URL in my browser.
                Example:
                HomePage
                <link>/admin/print.do</link> // invisible because I can't access it

                In my HTML homepage, I don't see the link /admin/print.do, but if I put this URL in the browser I do not obtain ACCESS DENIED!!

                I do:
                Code:
                ..
                List roleNamesList = userManager.findRolesByUrl(trimmedUrl);
                // No roles found for this URL: attach the no-access role
                if (roleNamesList == null) {
                    configAttr.addConfigAttribute(new SecurityConfig("ROLE_NO_ACCESS"));
                    return configAttr;
                }
                ..



                • #23
                  I resolved it.
                  Moving from RC1 to the final version:
                  ExceptionTranslationFilter no longer provides a sendAccessDenied() method. Use the new AccessDeniedHandler instead if custom handling is required.
                  http://www.acegisecurity.org/upgrade...e-090-100.html
                  Bye
