行使SQL查询的动态Spring安详性

您好我想建造一个拦截url模式并通过在spring security中行使sql查询动态会见.

凡是我们在XML中行使这种暗示法,我想从数据库中获取这些值(/ add-role和ROLE_ADMIN).

<intercept-url pattern="/add-role*" access="ROLE_ADMIN" />

有也许动态地这样做吗？

办理要领

正如Spring Security FAQ所提到的,你应该做的第一件事是问我应该真的这样做吗？安详性很伟大,应该对设置举办普及测试.应承设置动态变动只会使使应用措施更轻易受到进攻的工作变得越发伟大.假如你真的想这样做,FAQ概述了实现这一方针的根基要领.我已经扩展了以下常见题目解答的谜底.

实现自界说FilterInvocationSecurityMetadataSource

要动态获取安详URL映射,您可以实现本身的FilterInvocationSecurityMetadataSource.下面给出一个示例实现.

留意：请记着,将为Spring Security拦截的每个哀求挪用getAttributes,因此您很也许必要某种缓存.

public class JdbcFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation fi = (FilterInvocation) object;

        String url = fi.getRequestUrl();
        HttpServletRequest request = fi.getHttpRequest();

        // Instead of hard coding the roles lookup the roles from the database using the url and/or HttpServletRequest
        // Do not forget to add caching of the lookup   
        String[] roles = new String[] { "ROLE_ADMIN","ROLE_USER" };
        return SecurityConfig.createList(roles);
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

建设一个BeanPostProcessor

你不能行使定名空间来毗连它,以是拿另一个tip from the FAQ你可以行使一个看起来像这样的BeanPostProcessor：

public class FilterInvocationSecurityMetadataSourcePostProcessor implements BeanPostProcessor,InitializingBean {
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    public Object postProcessAfterInitialization(Object bean,String name) {
        if (bean instanceof FilterSecurityInterceptor) {
            ((FilterSecurityInterceptor)bean).setSecurityMetadataSource(securityMetadataSource);
        }
        return bean;
    }

    public Object postProcessBeforeInitialization(Object bean,String name) {
        return bean;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(securityMetadataSource,"securityMetadataSource cannot be null");
    }
}

XML设置

然后,假设上述两个bean都在包示例中,您将添加以下设置

<bean class="sample.FilterInvocationSecurityMetadataSourcePostProcessor">
    <property name="securityMetadataSource">
        <bean class="sample.JdbcFilterInvocationSecurityMetadataSource"/>
    </property>
</bean>

也许的题目

假如最终获得ClassCastException,则也许会碰着在Spring Security 3.1.1中修复的SEC-1957.请实行更新到最新版本以办理此题目.

（编辑：湖南网）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!