I would like to create security rules based on custom URL parameters (path variables). For example, say I want a user to have administrator access to resources called Brand1 and Brand2, but he does not have access to a resource called Brand3. We can edit resources using the following links:
http://myapp/brand/edit/1
http://myapp/brand/edit/2
http://myapp/brand/edit/3
Now, in the security context, I would like to do something like this:
<security:intercept-url pattern="/brand/edit/{brandId}"
    access="hasRole('ROLE_ADMIN') or
        @authorizationService.hasBrandPermission(
            #brandId, principal.username)"/>
The only thing I get is the username. BrandId is always null. I used to do this with @PreAuthorize and it worked, but now I would like to centralize the security configuration in a single XML file instead of distributing it to all controller classes. Moreover, when I used @PreAuthorize, my access-denied handler did not redirect me to the denied page, but threw an ugly AccessDeniedException inside.
I would really welcome any ideas.