  • Check if user w/Role is authorized to request a certain page

    I have the following piece of code defined in my applicationContext file;

    Code:
    <!-- Entry point of the Acegi filter chain. Request URIs are lower-cased and matched as
         Ant-style patterns; the single /** rule sends every request through the listed
         filters, ending with securityEnforcementFilter. The elided filters are not shown here,
         so their order (authentication before enforcement) cannot be checked from this excerpt. -->
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
       <property name="filterInvocationDefinitionSource">
          <value>
    	  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    	  PATTERN_TYPE_APACHE_ANT
              /**=.... some more filters....,securityEnforcementFilter
          </value>
       </property>
    </bean>
    
    <!-- Hands each request to filterInvocationInterceptor; an unauthenticated caller that is
         refused is sent to the login entry point instead of getting an error. -->
    <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
      <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>
    
    <!-- The actual authorisation rules (URL pattern = roles that may reach it).
         Rules are written most-specific first: the path-based map is expected to use the first
         matching pattern (verify for the Acegi version in use), so the /requests/... entries
         must stay above /requests/**, and /** must stay last.
         The catch-alls never list ROLE_ANONYMOUS, so any URL missing from this list is denied to
         anonymous callers rather than silently exposed (fail closed); only index.jsp, login.jsp*
         and the stylesheet are public.
         NOTE(review): /pendingRequests/** contains upper-case letters while incoming URLs are
         lower-cased before comparison. Unless this Acegi version also lower-cases the pattern,
         that rule never matches and such requests fall through to /**. Harmless today because
         both rules list the same roles, but write patterns in lower case so they cannot
         silently diverge later. -->
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
      <property name="objectDefinitionSource">
    	 <value>
    			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			PATTERN_TYPE_APACHE_ANT
    			
    			/index.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/login.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/include/default.css=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/newrequest*=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/index*=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/newedit*=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/newdelete*=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/view*=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/requests/**=ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/pendingRequests/**=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    			/**=ROLE_USER,ROLE_ADMIN,ROLE_RELEASE_VALIDATION
    	 </value>
      </property>
    </bean>
    Now, I have links on certain JSP pages, and I want to check whether the authenticated user is authorized to reach a specific page (as defined in my objectDefinitionSource) before rendering the link.
    So I want to do something like:

    <authz:isAuthorised value="requests/add"><a href="request/add">Add new Request</a></authz:isAuthorised>

    but I can't figure out how.

  • #2
    Acegi Security does not currently offer a taglib that works with the URI patterns directly. However, the AuthorizeTag lets you include or exclude links based on roles. Writing your own taglib should not be too difficult: the FilterInvocationDefinitionSource (configured as the ObjectDefinitionSource of the FilterSecurityInterceptor) provides convenience lookup methods to discover the configuration attributes that apply to a given URI. It is actually easier than it sounds - see AclTag for an example of how to access a collaborating bean (AclManager) from within a taglib; you would access the ObjectDefinitionSource instead. Keep in mind that hiding a link is a usability measure only: the FilterSecurityInterceptor still enforces the rules on every request, so it remains the authoritative check. If you do decide to write something to suit, please consider contributing it back, as I am sure others would welcome it as well.



    • #3
      Thank you for the reply.
      I did take a look at the AclTag and came up with the following code (it only works with a PathBasedFilterInvocationDefinitionMap):

      Code:
      import java.util.Iterator;
      import java.util.Map;
      
      import javax.servlet.ServletContext;
      import javax.servlet.jsp.JspException;
      import javax.servlet.jsp.PageContext;
      import javax.servlet.jsp.tagext.Tag;
      import javax.servlet.jsp.tagext.TagSupport;
      
      import net.sf.acegisecurity.Authentication;
      import net.sf.acegisecurity.ConfigAttribute;
      import net.sf.acegisecurity.ConfigAttributeDefinition;
      import net.sf.acegisecurity.GrantedAuthority;
      import net.sf.acegisecurity.context.ContextHolder;
      import net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor;
      import net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap;
      
      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.springframework.context.ApplicationContext;
      import org.springframework.web.context.support.WebApplicationContextUtils;
      
      import com.seagullsw.security.context.SeagullSecureContextImpl;
      
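      /**
       * JSP tag that renders its body only when the current user holds at least one of the
       * roles that the FilterSecurityInterceptor's objectDefinitionSource assigns to the URL
       * given in {@code value}; used to hide links the user would not be allowed to follow.
       *
       * <p>NOTE(review): this is a usability aid, not an enforcement point. It performs a plain
       * role-name comparison and never consults the interceptor's AccessDecisionManager, so it
       * can disagree with the real decision if custom voters are configured. The
       * FilterSecurityInterceptor remains the authority for every request, whether or not the
       * link is shown.
       *
       * <p>Only a PathBasedFilterInvocationDefinitionMap is supported as definition source.
       */
      public class PagAccTag extends TagSupport {

          protected static final Log logger = LogFactory.getLog(PagAccTag.class);

          /** Context-relative URL whose access rules are looked up (a leading "/" is added if missing). */
          private String value;

          public void setValue(String value) {
              this.value = value;
          }

          public String getValue() {
              return value;
          }

          /**
           * Includes the body when the caller holds one of the roles configured for {@code value}.
           * The body is skipped (fail closed) when there is no security context, no authentication,
           * no granted authorities, or no authority matches. Every granted authority is checked,
           * not only the first one, so users with several roles are handled correctly.
           *
           * @return {@code Tag.EVAL_BODY_INCLUDE} when the roles match, else {@code Tag.SKIP_BODY}
           * @throws JspException if {@code value} is missing, no FilterSecurityInterceptor is
           *         defined, its definition source is not path based, or no rule matches the path
           */
          public int doStartTag() throws JspException {
              if (value == null || value.length() == 0) {
                  throw new JspException("The 'value' attribute of the tag is required");
              }

              ApplicationContext context = getContext(pageContext);
              FilterSecurityInterceptor securityFilter = findInterceptor(context);

              Object source = securityFilter.getObjectDefinitionSource();
              if (!(source instanceof PathBasedFilterInvocationDefinitionMap)) {
                  throw new JspException("Only PathBasedFilterInvocationDefinitionMap is supported, found: " + source);
              }
              PathBasedFilterInvocationDefinitionMap defSource = (PathBasedFilterInvocationDefinitionMap) source;

              // Work on a local copy rather than rewriting the attribute: tag handlers may be
              // pooled and reused by the container with the attribute already set.
              // NOTE(review): the map is expected to apply CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
              // itself during lookup - confirm for the Acegi version in use.
              String path = toAbsolutePath(value);
              ConfigAttributeDefinition requestedDefinition = defSource.lookupAttributes(path);
              if (requestedDefinition == null) {
                  throw new JspException("No attribute for the path " + path + " found");
              }

              // this is the implementation I use; a missing context or authentication hides the link
              SeagullSecureContextImpl secureContext = (SeagullSecureContextImpl) ContextHolder.getContext();
              Authentication auth = secureContext == null ? null : secureContext.getAuthentication();
              if (auth == null) {
                  return Tag.SKIP_BODY;
              }

              return grantsAny(requestedDefinition, auth.getAuthorities()) ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
          }

          /**
           * Looks up the (first) FilterSecurityInterceptor defined in the application context.
           *
           * @throws JspException if none is defined
           */
          private static FilterSecurityInterceptor findInterceptor(ApplicationContext context) throws JspException {
              Map beans = context.getBeansOfType(FilterSecurityInterceptor.class, false, false);
              if (beans.isEmpty()) {
                  throw new JspException("No FilterSecurityInterceptor found in the application context: " + context);
              }
              if (beans.size() > 1) {
                  // Several interceptors would mean several rule sets; only the first one is consulted.
                  logger.warn("More than one FilterSecurityInterceptor defined, using the first: " + beans.keySet());
              }
              String beanName = (String) beans.keySet().iterator().next();
              return (FilterSecurityInterceptor) context.getBean(beanName);
          }

          /**
           * True when any granted authority names one of the configured attributes. Compares the
           * attribute strings explicitly instead of relying on ConfigAttribute.equals(String).
           */
          private static boolean grantsAny(ConfigAttributeDefinition definition, GrantedAuthority[] authorities) {
              if (authorities == null) {
                  return false;
              }
              Iterator attributes = definition.getConfigAttributes();
              while (attributes.hasNext()) {
                  ConfigAttribute attribute = (ConfigAttribute) attributes.next();
                  String required = attribute.getAttribute();
                  for (int i = 0; i < authorities.length; i++) {
                      if (authorities[i] != null && required.equals(authorities[i].getAuthority())) {
                          return true;
                      }
                  }
              }
              return false;
          }

          /** Prefixes a leading slash so relative hrefs ("requests/add") look up as "/requests/add". */
          static String toAbsolutePath(String path) {
              return path.startsWith("/") ? path : "/" + path;
          }

          /** Returns the root web application context bound to this page's servlet context. */
          protected ApplicationContext getContext(PageContext pageContext) {
              ServletContext servletContext = pageContext.getServletContext();
              return WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
          }
      }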
      and it works all right. Not the greatest code ever written, but it fits my needs.



      • #4
        Thanks for sharing this with the community.
