angular-rest-springsecurity

Is it possible to load intercept url from database?

Open thekowsar opened this issue 9 years ago • 4 comments

I want to create dynamic roles. For that I need to save an intercept URL such as

<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('USER')" />

in a MySQL DB and then load it from the DB.

Is it possible?

Thanks for your help once again.

thekowsar Sep 22 '16 08:09

Sorry, but I don't understand what you are actually trying to achieve. Which intercept URL are you talking about? Can you elaborate a bit further?

philipsorst Sep 22 '16 10:09

Thanks for your early reply. And sorry for my late reply.

In context.xml we put access URLs like

<security:intercept-url pattern="/rest/user/authenticate" access="permitAll" />
<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('USER')" />

I want to save those access URLs in the DB and load them from the DB.

For those, I try to use these:

http://docs.spring.io/spring-security/site/faq/faq.html#faq-dynamic-url-metadata
http://stackoverflow.com/questions/6893061/how-to-dynamically-decide-intercept-url-access-attribute-value-in-spring-secur

I think it is possible.

Thanks for your help.

thekowsar Sep 24 '16 06:09

Hi, from the Spring Docs: "The first thing you should ask yourself is if you really need to do this. If an application requires securing, then it also requires that the security be tested thoroughly based on a defined policy." However, if you require it, the easiest way is probably to not secure by URL pattern at all and do the checking within the resource methods themselves. You have access to the security context and to the database and can throw exceptions if the user does not have sufficient rights. The more complex way would be to rework the AccessDecisionManager, I guess.

philipsorst Sep 24 '16 14:09

Hi, I understand your opinion. I need to create roles at run time. For that I need to do this.

If I create a custom class that implements FilterInvocationSecurityMetadataSource, OptionsFromDataBaseFilterInvocationSecurityMetadataSource.

Then I implement these methods:

Collection getAttributes(Object object), where you can access the database, searching for the 'object' being secured (normally the URL to access) to obtain the allowed ConfigAttributes (normally the ROLEs)
boolean supports(Class clazz)
Collection getAllConfigAttributes()

like this - http://docs.spring.io/spring-security/site/faq/faq.html#faq-dynamic-url-metadata

Then what changes do I have to make in context.xml?

Thanks a lot for your help.

thekowsar Sep 25 '16 07:09
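
The database-backed FilterInvocationSecurityMetadataSource discussed in this thread, as an added example that is not part of the thread and not the project's own code. Assumptions: Spring Security 4.x with a RoleVoter in the AccessDecisionManager, a hypothetical class name DbUrlSecurityMetadataSource, and a constructed table url_rule(pattern, http_method, role, position) whose role column holds authority names such as ROLE_USER rather than expressions like hasRole('USER'). Requests that match no row are denied instead of being treated as public.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class; reads rules from the constructed table url_rule(pattern, http_method, role, position).
public final class DbUrlSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    // An authority that is never granted to any user, so unmatched requests are denied.
    private static final List<ConfigAttribute> DENY = SecurityConfig.createList("ROLE_NO_ACCESS");
    private final JdbcTemplate jdbc;
    private volatile Map<RequestMatcher, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();

    public DbUrlSecurityMetadataSource(JdbcTemplate jdbc) { this.jdbc = jdbc; reload(); }

    // Call after the table changes; the new rule set replaces the old one in a single assignment.
    public void reload() {
        Map<RequestMatcher, Collection<ConfigAttribute>> fresh = new LinkedHashMap<>();
        for (Map<String, Object> row : jdbc.queryForList(
                "SELECT pattern, http_method, role FROM url_rule ORDER BY position")) {
            // A NULL http_method makes the matcher apply to every HTTP method.
            fresh.put(new AntPathRequestMatcher((String) row.get("pattern"), (String) row.get("http_method")),
                      SecurityConfig.createList((String) row.get("role")));
        }
        rules = fresh;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        for (Map.Entry<RequestMatcher, Collection<ConfigAttribute>> e : rules.entrySet()) {
            if (e.getKey().matches(((FilterInvocation) object).getRequest())) return e.getValue();
        }
        return DENY; // returning null here would mark the request as public
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        List<ConfigAttribute> all = new ArrayList<>(DENY);
        rules.values().forEach(all::addAll);
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Rules are evaluated in position order and the first match wins, the same way the order of intercept-url elements matters in context.xml.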