  • Custom tag

    Hello,

    I want to build an "authorized by link" security tag

    <custom:linkEnforcedAuthorization link="app_link">
    See this message if the current user has access to the given app_link.
    </custom:linkEnforcedAuthorization >

    so if the app_link is defined in security config as below

    <http>
    ...
    <intercept-url pattern="app_link*" access="PRIV_role1,PRIV_admin,..."/>
    ...
    </http>

    Basically I want to make sure that a certain link is displayed only if the user can click on it! In that way I can improve the readability and maintain the code/roles!


    Regards,
    Q

  • #2
    This is already available in the 3.0 codebase.


    • #3
      I already built it yesterday - is there a simpler way for 2.0.3?

      Code:
      protected boolean canUserAccessURL( Authentication authentication, String url )
        {
          // Bean names used to look up the security infrastructure
          final String FILTER_LIST = "_filterChainList";
          final String ACCESS_DECISION_MANAGER = "accessDecisionManager";
          
          AccessDecisionManager accessDecisionManager = (AccessDecisionManager)BeanLocator.getBean( ACCESS_DECISION_MANAGER );
          // Wrap the current request so that it reports the target url, and build a FilterInvocation for it
          FilterInvocation fi = new FilterInvocation( new URLDrivenHttpServletRequest( getRequest(), url ), getResponse(), new DummyFilterChain() );
          FilterChainList filterChainList = (FilterChainList)BeanLocator.getBean( FILTER_LIST );
          List filters = filterChainList.getFilters();
          // Find the FilterSecurityInterceptor, which holds the intercept-url definitions
          for ( int i = 0; i < filters.size(); i++ )
          {
            Object obj = filters.get( i );
            if ( obj instanceof FilterSecurityInterceptor )
            {
              FilterSecurityInterceptor fsi = (FilterSecurityInterceptor)obj;
              // Access attributes configured for the intercept-url pattern matching the url
              ConfigAttributeDefinition attr = fsi.getObjectDefinitionSource().getAttributes( fi );
              try
              {
                // decide() throws if the user may not access the url
                accessDecisionManager.decide( authentication, fi, attr );
                return true;
              }
              catch( Exception e )
              {
                // Any failure is treated as "no access" (fail closed)
                if ( log.isDebugEnabled() )
                {
                  String message = String.format( "Url %s cannot be accessed by user %s. Reason: %s", url, authentication.getPrincipal(), e.getMessage() );
                  log.debug( message );
                }
              }
              break;
            }
          }
          return false;
        }

      Comment
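
The 3.0 support mentioned in reply #2, as an added example that is not part of the thread and not Spring Security's own code: a JSP tag handler for the tag from the first post, delegating to Spring Security 3.0's WebInvocationPrivilegeEvaluator. The class name is hypothetical, and it assumes the Servlet/JSP and Spring Security 3.0 jars are on the classpath and that the <http> configuration has registered an evaluator bean.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.tagext.TagSupport;
import org.springframework.context.ApplicationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Added example; the class name is hypothetical. Handler for
// <custom:linkEnforcedAuthorization link="...">body</custom:linkEnforcedAuthorization>
public class LinkEnforcedAuthorizationTag extends TagSupport {

    private String link;

    public void setLink(String link) { this.link = link; }

    @Override
    public int doStartTag() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no authentication or no link means the body is not rendered
        if (auth == null || link == null || link.length() == 0) {
            return SKIP_BODY;
        }
        ApplicationContext ctx = WebApplicationContextUtils
                .getRequiredWebApplicationContext(pageContext.getServletContext());
        // Assumption: the security configuration has registered an evaluator bean
        Map<String, WebInvocationPrivilegeEvaluator> evaluators =
                ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
        if (evaluators.isEmpty()) {
            return SKIP_BODY; // nothing to ask, so hide the body
        }
        WebInvocationPrivilegeEvaluator evaluator = evaluators.values().iterator().next();
        String contextPath = ((HttpServletRequest) pageContext.getRequest()).getContextPath();
        // Evaluates the same intercept-url rules the filter chain applies to a GET of the link
        return evaluator.isAllowed(contextPath, link, "GET", auth)
                ? EVAL_BODY_INCLUDE : SKIP_BODY;
    }

    @Override
    public void release() {
        link = null; // tag handlers are pooled, so reset state
        super.release();
    }
}
```

The tag only decides whether the link is rendered; the intercept-url rule remains the access control for the URL itself.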
