Change the scroll of spring-security by bean

Asked

Viewed 487 times

13

I’m using the spring-security to authenticate my user, until then beauty, now I want to be able to exchange the user’s role for managed bean, someone has an idea?

Type I have several modules and each user has a role for each module so when he click on the module I want to get the session user to see in the database which is the role of it and then direct to the module.

inserir a descrição da imagem aqui

In other words, I have a screen where the user logs into the system and appears the modules he has access to but I did not load his permissions in each module when I click on the module I want to go to the bank and pick up the scroll that has access to this module, below the screen example: inserir a descrição da imagem aqui

you will see that I have a login with the role_root role and when he clicks on the SAR he has to have the role_user.

java spring-security

  • Paul, I don’t understand one thing. You want to change the role dynamically, that is, adding new roles to a logged-in user? Or would it be only a matter of checking if the user is allowed to access the XPTO resource?

  • This add new roles, because a user who has role_admin in one model sometimes he is role_user in another

  • Paulo, that’s not how Spring works. In this case, you should use independent roles. Example: role_admin_feature_1 and role_admin_feature_2.

  • I edited it to see if it’s clearer

  • 2

    Okay, in that case you should do more or less what I did in mine another issue on Spring Security, this is, replace the decision-making mechanism with a logic entirely of its own. In this case, you do not need to inject the roles into Sprign Security, just load the database data and run the logic based on the area of the system being accessed by the user. In this implementation it is possible to access session and request data.

  • I’ll take a look thank you

  • An alternative would be you create a list of strings with all the roles that the user has, and your entire system would run 'reading' if your list contains the required scroll, this would work for all system permissions, and if you wanted, you could increment your list at runtime by inserting or removing new permissions. If you are using spring it is very simple to use this functionality by changing the authentication and or athorization. You think that would suit your need?

Show 2 more comments

1 answer

1

To solve your problem you will have to implement HandlerInterceptorAdapter and validate by the called url’s.

Para isso adicione em suas configurações: 

    <mvc:interceptor>
        <mvc:mapping path="/**" />
        <bean class="com.exemplo.security.RequestInterceptor" />
    </mvc:interceptor>

And implement the same:

public class RequestInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {


        if (request.getServletPath().endsWith("/login"))
            return super.preHandle(request, response, handler);

        // não validar requisição de arquivos do resources. CSS, JS
        if  (request.getServletPath().startsWith("/resources/")) {
            return super.preHandle(request, response, handler);
        }


        // valida URL
        String urlRequest = request.getServletPath();

        // faz sua regra de negocio

    }
}

Take from the database the system area the user can access and validate whether the url matches the area the user can access.

Browser other questions tagged java spring-security

You are not signed in. Login or sign up in order to post.