
  • Default accessDecisionManager in FilterSecurityInterceptor

    There is a typical configuration example in the reference:
    Code:
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="securityMetadataSource">
        <security:filter-security-metadata-source>
          <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
          <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
        </security:filter-security-metadata-source>
      </property>
    </bean>
    The accessDecisionManager property is required there.
    But I don't need a custom accessDecisionManager implementation. So how do I set the default accessDecisionManager?

    I only need to secure URLs by role and expression-based access control to methods, such as:
    Code:
    @PreAuthorize("hasRole('ROLE_USER')")
    public void create(Contact contact);

  • #2
    Why don't you use namespace-based configuration? Then you won't need to set an AccessDecisionManager.

    If you do the Spring beans version, you will have to configure the AccessDecisionManager.



    • #3
      The following configuration should work for you:

      Code:
      <beans xmlns="http://www.springframework.org/schema/beans"
      	xmlns:security="http://www.springframework.org/schema/security"
      	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      	xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
      
      	<security:global-method-security
      		secured-annotations="enabled" jsr250-annotations="enabled" />
      
      	<security:http auto-config="true">
      		<security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
      		<security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
      	</security:http>
      	
      	<security:authentication-manager alias="authenticationManager">
      		<security:authentication-provider
      			ref="daoAuthenticationProvider" />
      	</security:authentication-manager>
      
      	<bean id="daoAuthenticationProvider"
      		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      		<!-- Your properties -->
      	</bean>
      </beans>
      Just assuming you are using a DaoAuthenticationProvider.



      • #4
        Originally posted by kostepanych
        There is a typical configuration example in the reference:
        Code:
        <bean id="filterSecurityInterceptor"
              class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="accessDecisionManager" ref="accessDecisionManager"/>
          <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
              <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
              <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
            </security:filter-security-metadata-source>
          </property>
        </bean>
        The accessDecisionManager property is required there.
        But I don't need a custom accessDecisionManager implementation. So how do I set the default accessDecisionManager?

        I only need to secure URLs by role and expression-based access control to methods, such as:
        Code:
        @PreAuthorize("hasRole('ROLE_USER')")
        public void create(Contact contact);

        I'm just wondering how this is a typical configuration? It seems more of a customized configuration.



        • #5
          Late post, but this example is considered "typical" because it's the example Spring documentation uses to show the filter configuration:
          http://static.springsource.org/sprin...b-filters.html

          On a side note, I assume the original question had to do instead with configuring FilterChainProxies, in which case you'd have to configure all filters manually, which is why he isn't using <http> to configure access filtering.
