Geek asks and answers

Custom class in @PreAuthorize

UPDATE (04/17/2012): So what I have.

root context.xml:

<context:annotation-config/>
<context:component-scan base-package="com.grsnet.qvs.controller.web"/>  
<security:global-method-security pre-post-annotations="enabled" />
<bean id="permissionManager" class="com.grsnet.qvs.auth.PermissionManager"/>

PermissionManager.java

package com.grsnet.qvs.auth;

import com.grsnet.qvs.model.Benutzer;

public class PermissionManager {

public PermissionManager() {}

public boolean hasPermissionU01(Object principal, Integer permissionLevel) {
    return ((Benutzer)principal).getPermission().getU_01() >= permissionLevel;
}
}

Controller:

@PreAuthorize("@permissionManager.hasPermissionU01(principal, 1)")
@RequestMapping(value = "/u01", method = RequestMethod.GET)
public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
    setGridFilters(map);
    return "u01panel";      
}

I set a breakpoint in PermissionManager.hasPermissionU01. it seems like my safety annotation is simply ignored.

What is the reason? Where is my mistake?

Thank.

END OF UPDATE

After hours of browsing the internet, I have to ask here. I have

  • Spring MVC Application
  • CustomUserDetailService

  • UserDetails User Class

    public class Benutzer extends User implements UserDetails {
...
  private Permission permission = null;
...
}

  • The permission class is not well implemented, but I have to use it.

    public class Permission {
... 
  private Integer u_01 = 0;
...
}

  • controller

    @Controller 
public class U01Controller {

    @RequestMapping(value = "/u01", method = RequestMethod.GET)
    public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {

My task is to ensure the safety of the controller as a whole and protect the methods inside. I would like to write something like the following:

@PreAuthorize("principal.permission.u_01>0")
public class U01Controller {

and

@RequestMapping(value = "/u01", method = RequestMethod.GET)
@PreAuthorize("principal.permission.u_01=2")
public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {

, ACL UserDetails . - ACL?

@PreAuthorize("(com.grsnet.qvs.model.Benutzer)principal.permission.u_01=2")

.

+1
2

, , , ( ?), , , , . , :

public class Decision {
    private Decision() {} // no instance, please

    // Type is probably a bit too wide...
    static boolean mayList(Object principal) {
        return ((com.grsnet.qvs.model.Benutzer)principal).permission.u_01 == 2;
    }

    // etc...
}

@PreAuthorize :

@PreAuthorize("Decision.mayList(principal)")

, bean . , Spring EL, ( , decider bean):

@PreAuthorize("@decider.mayList(principal)")

(, decider bean...)

+4

.

<security:global-method-security pre-post-annotations="enabled" />

.

servletContext.

, .

+1

More articles:


All Articles