If you are not laughing at yourself, then you just didn't get the joke.
Arun Kumarr wrote: I'm just copy-pasting from one of my documents. I used Spring Security extensively for a web application built on the same ground (Spring MVC, Spring Security).
Add the tag:
Add this line to the JSP page.
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
Show/Hide Contents in JSP:
<security:authorize access="hasRole('ROLE_ADMIN')">
<!-- Add HTML, JSP contents what you want to show in the page -->
</security:authorize>
If the user is directly accessing the page via the URL, then you can have generic content which says that you are not permitted to view this page.
Also, are you not using @Secured annotations in your Spring code?
Arun Kumarr wrote: Did you take a look at "hasPermission(...)" of Spring Security?
Arun Kumarr wrote: What's the difference between insert and add?
The issue is that if you do ** it simply means all files under "/foldername/" can be accessed by the given role.
That said, if you want to control access to individual files by varying roles,
1. You can try using hasRoles(...) instead of hasRole(...).
2. Explicitly do a mapping for all pages and permissions like /foldername/addRole.html instead of /foldername/**. This is bad design, you can't have NxR lines added to your security configuration. (N - number of users, R - number of roles).
There are also other annotations like @PreAuthorize, which I would prefer you try first.
Another question is, say a user is accessing a wrong page, what is it that you want to do? Do you want to take him to a different page or simply send an HTTP 403 message?
I can write something and give you the direct answer, but I'd rather let you think and make the changes. We can guide you, of course, along the way.
, but why did you say this is a bad design? Doing this, I can add permissions to a role without having to give it all the permissions over a module; I can create a role XYZ and give this role only a CRUD operation over a module, without having to give it all the control over that module. /foldername/addRole.html
This is bad design, you can't have NxR lines added to your security configuration. (N - number of users, R - number of roles).
Caused by: java.lang.IllegalArgumentException: An AuthenticationManager is required
at org.springframework.util.Assert.notNull(Assert.java:112)
Arun Kumarr wrote:
Caused by: java.lang.IllegalArgumentException: An AuthenticationManager is required
at org.springframework.util.Assert.notNull(Assert.java:112)
- You have not configured your authentication manager in your code.
You need to define an authentication manager in your code. The authentication manager is linked to a (pre-)authentication provider in Spring, in which you can customize the way your user details are loaded via a service.
The reason I suggested that first is you need to clean up the way you are creating the users and granting permissions. It's hard-coded now and not in a way where you can plug in Spring components.
Another, simpler way is that in your @PreAuthorize you can call a custom service using Spring EL.
Here is a link from Spring which can help you understand how to call a custom service.
e.g.,
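An added example, not part of the original thread or of the link it mentions: a @PreAuthorize expression that calls a custom bean through Spring EL, so a role such as XYZ can be granted a single operation without one URL mapping per page. PermissionService, RoleAdminService, the operation names and the grants map are hypothetical, and the configuration assumes Spring Security 6 with @EnableMethodSecurity.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize processing
public class PermissionDemo {
    // Hypothetical service with constructed sample grants; a real one would
    // load the role-to-operation mapping from a database instead.
    public static class PermissionService {
        private final Map<String, Set<String>> grants = Map.of(
            "ROLE_ADMIN", Set.of("role:add", "role:edit", "role:delete"),
            "ROLE_XYZ", Set.of("role:add"));
        public boolean allows(Authentication auth, String operation) {
            return auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream().anyMatch(a ->
                    grants.getOrDefault(a.getAuthority(), Set.of()).contains(operation));
        }
    }

    public static class RoleAdminService {
        @PreAuthorize("@permissionService.allows(authentication, 'role:add')")
        public String addRole(String name) { return "added " + name; }
        @PreAuthorize("@permissionService.allows(authentication, 'role:delete')")
        public String deleteRole(String name) { return "deleted " + name; }
    }

    @Bean PermissionService permissionService() { return new PermissionService(); }
    @Bean RoleAdminService roleAdminService() { return new RoleAdminService(); }

    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(PermissionDemo.class)) {
            SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("user1", "n/a", "ROLE_XYZ"));
            RoleAdminService svc = ctx.getBean(RoleAdminService.class);
            System.out.println(svc.addRole("auditor")); // ROLE_XYZ holds role:add
            try { svc.deleteRole("auditor"); }          // role:delete is not granted
            catch (AccessDeniedException e) { System.out.println("denied: delete"); }
        }
    }
}
```

In a web application the AccessDeniedException raised by the denied call is what Spring Security's exception handling turns into the HTTP 403 response or access-denied page discussed earlier in the thread.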