Restriction in a view Spring Security

Luis Parente
Ranch Hand

Joined: Jan 17, 2012
Posts: 39
Hi,

I have searched a little but I didn't find anything.

I have a file view.xml where my definitions of views are defined. My final page is constituted by several myFile.jspx files.

If I use , when I have ROLE_USER I can see the form for create; I get the access denied page only if I click on save, because the save method is mapped to POST and ROLE_USER doesn't have this privilege.


How can I restrict a view by URL directly in my security configuration XML? I want to go directly to the access denied page.

By creating a custom filter? I need a little advice.


Thanks in advance.
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1650
    

If I understand your question correctly, you just need to remove



from what you already have.


Luis Parente
Ranch Hand

Joined: Jan 17, 2012
Posts: 39
Hi,


Well, if I have ROLE_USER I want to go to the access denied page when I click on the create user link, but actually I can see the create form, and only after clicking the save button do I go to the denied page.

Thanks.

Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1650
    

What I am trying to say is, let's say you have a controller mapped like this



and this handles rendering the form for create.

and you also have a method like this



and this handles the save action for the create user form.


If you want both of these to be access denied, you want to change this



which only restricts the second to this



which will restrict it regardless of the HTTP method used.

Also another thing to be aware of when you are working on this is that when defining patterns remember that they are evaluated in the order they are defined, therefore more specific patterns should always be higher in the list than less specific patterns. I don't know if this is causing you issues since you just posted the one intercept-url but it is something you should keep in mind.
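
Added example, not part of the thread and not either poster's code: a fragment of the `<http>` element for the Spring Security 3.1 namespace, showing the POST-only rule beside the rule without a method attribute, with patterns ordered from most to least specific. The URLs, role names and error page are assumptions made for illustration; the authentication manager and the rest of the security context file are not shown.

```xml
<!-- Constructed example: /users/create, /users/**, /accessDenied and ROLE_ADMIN
     are hypothetical names, not taken from the thread. -->
<http auto-config="true" use-expressions="true">

  <!-- Page shown when an authenticated user lacks the required role -->
  <access-denied-handler error-page="/accessDenied"/>

  <!-- BEFORE: only POST is matched. A GET to the same URL falls through to
       the broader rules below, so ROLE_USER still sees the create form and
       is denied only when the form is submitted.
  <intercept-url pattern="/users/create" method="POST"
                 access="hasRole('ROLE_ADMIN')"/>
  -->

  <!-- AFTER: no method attribute, so the rule matches every HTTP method.
       Both rendering the form (GET) and saving it (POST) are denied. -->
  <intercept-url pattern="/users/create" access="hasRole('ROLE_ADMIN')"/>

  <!-- Patterns are evaluated top to bottom and the first match wins, so the
       broader patterns must come after the specific one above. If /users/**
       were listed first, it would match /users/create and the ROLE_ADMIN
       rule would never be consulted. -->
  <intercept-url pattern="/users/**"
                 access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
```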
Luis Parente
Ranch Hand

Joined: Jan 17, 2012
Posts: 39
Thanks for your response!


Now I have added in my applicationContect-security.xml and in my controller:




I have ROLE_USER and the @PreAuthorize annotation has no effect. Am I missing something?


Thanks.


Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1650
    

For using method security, typically this would go in the service layer, on the service method that the controller calls to do its work, not on the Controller methods; see This FAQ.

However if you insist on it being on the controller method you will need to use CGLIB proxies or set proxy-target-class = true.

Also be aware if you are putting this on your controllers defining <global-method-security pre-post-annotations="enabled"/> in your applicationContect-security.xml is not going to work.

Please read this part of the reference documentation.

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-global-method

Note what it says here:

The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.


In your case your controller beans are most likely defined in your servlet-context.xml.

Hope this gives you enough to figure it out.

Luis Parente
Ranch Hand

Joined: Jan 17, 2012
Posts: 39
I see, it's better to put the annotations in the interfaces.


Just one more thing..... If I want to block a URL like that: .

The url is mapped with this method in my controller

The solution is the

Thanks a lot!!

 