6

I would like to create security rules based on custom url parameters (path variables). In example. Let say I want to have user that has admin access for resources called Brand1 and Brand2 but has no access to resource called Brand3. We may edit resources using following links.

http://myapp/brand/edit/1
http://myapp/brand/edit/2
http://myapp/brand/edit/3

now in security context I would like to do something like that 

 <security:intercept-url pattern="/brand/edit/{brandId}" 
           access="hasRole('ROLE_ADMIN') or
                   @authorizationService.hasBrandPermission(
                   #brandId, principal.username)"/>

The only thing I get is username. BrandId is always null. I used to do that with @PreAuthorize and it worked but now I would like to centralized security configuration in single xml file instead of spreading it across all controller classes. Moreover when I was using @PreAuthorize my access-denied-handler did not redirect me into denied page but display ugly AccessDeniedException insead.

I would really aprecieate any ideas.

4

2 回答 2

2

将您的 Spring Security 版本更改pom.xml4.1.0.RELEASE

<spring-security.version>4.1.0.RELEASE</spring-security.version>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>

之后你可能需要清理你的 Maven 项目。

(我知道,这是一个老问题。尽管如此,三年后我遇到了同样的问题)。

于 2016-05-24T21:38:04.880 回答
1

您可以尝试使用正则表达式。

如果您使用 spring security 3.1 ,则需要在 http 元素中添加属性path-type="regex"或request-matcher="regex"

有关更多详细信息,请参阅文档

于 2012-08-01T14:43:02.087 回答