How to define custom DefaultWebInvocationPrivilegeEvaluator when using namespace?

  • How to define custom DefaultWebInvocationPrivilegeEvaluator when using namespace?

    Hi All,

    I am using Spring Security 3.0.2, and I have extended FilterInvocationSecurityMetadataSource in order to load intercept-url from an external source.

    This works well for blocking access to unauthorized URL patterns. However, when I use <security:authorize url=".." />, it is always true regardless of whether the user has the right to access the page or not.

    After reading the documentation on the taglib again, I found that this is because <security:authorize /> is based on an instance of DefaultWebInvocationPrivilegeEvaluator created when using the XML namespace in the context XML.

    So is there any idea about how to replace the default instance of DefaultWebInvocationPrivilegeEvaluator?

    Below is part of my XML:

    Code:
    	<security:http auto-config="true" access-denied-page="/login/login.jsp?status=denied">
    		
    		<security:anonymous enabled="true" granted-authority="ROLE_ANONYMOUS"/>
    		
    		<security:form-login login-page="/login/login.jsp" 
    			authentication-failure-url="/login/login.jsp?status=failed" 
    			default-target-url="/home/home.jsp"/>
    			
    		<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR"  ref="customFilterSecurityInterceptor"/>
    	</security:http>
    	
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider>
    			<security:jdbc-user-service data-source-ref="userDs" 
    				users-by-username-query=
    					"select u_username,u_password,u_enabled from users_tab where u_username = ?"
    				authorities-by-username-query=
    					"select u.u_username as username, a.a_authority as authority 
    					from users_tab u, authorities_tab a, user_authorities_tab ua 
    					where u.u_username = ? and u.u_id = ua.ua_user_id and a.a_id = ua.ua_authority_id;"
    				group-authorities-by-username-query=
    					"select g.g_id as id, g.g_name as group_name, a.a_authority as authority 
    					from groups_tab g, group_authorities_tab ga, users_tab u, authorities_tab a, group_members_tab gm 
    					where u.u_username = ? and u.u_id = gm.gm_user_id and g.g_id = gm.gm_group_id 
    					and ga.ga_group_id = gm.gm_group_id and ga.ga_authority_id = a.a_id;" 
    				/>
    		</security:authentication-provider>
    	</security:authentication-manager>
    	
    	
    	
    	<beans:bean id="customFilterSecurityInterceptor"
    		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    		<beans:property name="authenticationManager" ref="authenticationManager"/>
    		<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
    		<beans:property name="securityMetadataSource" ref="jdbcFilterSecurityMetadataSource"/>
    	</beans:bean>
    	
    	<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    		<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
    				<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    	
    	 
    	<!-- I create another instance here, but it doesn't help -->
    	<beans:bean id="webPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
    		<beans:constructor-arg ref="customFilterSecurityInterceptor"/>
    	</beans:bean>
    	
    	 
    	<beans:bean id="jdbcFilterSecurityMetadataSource" class="com.unified.spring.security.JdbcFilterSecurityMetadataSource">
    		<beans:property name="dataSource" ref="userDs"/>
    	</beans:bean>
    Thank you
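
A plain-Java model of the mismatch described in the post above, added here as an example; it is not part of the original post and is not Spring Security's code. `MetadataSource`, `Evaluator`, the `/admin/` rule and the sample URL are constructed stand-ins, and the model assumes that an evaluator treats a URL with no configured attributes as public unless its interceptor is set to reject public invocations, so an evaluator wired to an interceptor without rules answers true for every URL while the custom interceptor still blocks the request.

```java
import java.util.*;

// Plain-Java model; every type here is a hypothetical stand-in, not a Spring class.
public class EvaluatorMismatchDemo {

    // Stand-in for a metadata source: returns the role a URL requires, or null.
    interface MetadataSource { String requiredRole(String url); }

    // Stand-in for a privilege evaluator bound to exactly one metadata source.
    static final class Evaluator {
        private final MetadataSource source;
        private final boolean rejectPublicInvocations;

        Evaluator(MetadataSource source, boolean rejectPublicInvocations) {
            this.source = source;
            this.rejectPublicInvocations = rejectPublicInvocations;
        }

        boolean isAllowed(String url, Set<String> roles) {
            String required = source.requiredRole(url);
            if (required == null) {               // no rule known for this URL
                return !rejectPublicInvocations;  // treated as public by default
            }
            return roles.contains(required);
        }
    }

    public static void main(String[] args) {
        // Constructed sample rule, standing in for rows loaded from the external source.
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/admin/", "ROLE_ADMIN");

        MetadataSource custom = url -> rules.entrySet().stream()
                .filter(e -> url.startsWith(e.getKey()))
                .map(Map.Entry::getValue).findFirst().orElse(null);
        MetadataSource namespaceDefault = url -> null;  // no <intercept-url> elements

        Set<String> user = Collections.singleton("ROLE_USER");
        String target = "/admin/users.jsp";  // constructed sample URL

        System.out.println("evaluator on default source:   "
                + new Evaluator(namespaceDefault, false).isAllowed(target, user));
        System.out.println("same, rejecting public access: "
                + new Evaluator(namespaceDefault, true).isAllowed(target, user));
        System.out.println("evaluator on custom source:    "
                + new Evaluator(custom, false).isAllowed(target, user));
    }
}
```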