declarative access control for dynamic URLs depending on a principal's attribute

  • declarative access control for dynamic URLs depending on a principal's attribute

    Hi,

    in my application, an (externally authenticated) user is signed in to one of several "projects". These have URLs like

    /projects/project1/...

    Is there a way to use <intercept-url /> to control access to projects? I'm currently exposing the project as an attribute on the principal, so what I'm aiming for is something along the lines of

    <intercept-url pattern="/projects/{projectId}/**" access="principal.project==$projectId" />

    Alternatively, I guess I could expose the projectId as a role:

    <intercept-url pattern="/projects/{projectId}/**" access="hasRole($projectId)" />

    Since the projects are created from within the application, I don't know their IDs in advance. Is there a way to capture the path element and re-use it in the web security expression?

    Thanks,
    --Christopher

  • #2
    This might be more straightforward in a standard AccessDecisionVoter. Use something like

    Code:
    <intercept-url pattern="/**" access="PROJECT_ID_CHECK" />
    and then write a ProjectCheckVoter which acts on this attribute (see RoleVoter for a basic example). In the voter you have access to the FilterInvocation (from which you can get the request and the path) and the current Authentication object, which gives you the assigned project ID.



    • #3
      Thank you, that worked. I had to turn off EL-based authorization though. Is there a way to have both? I've run across http://forum.springsource.org/showpost.php?p=296694 which seems to describe a (rather roundabout) way to enable this.

      Happy holidays!
      --Christopher
