Restriction in a view Spring Security

 
Ranch Hand
Posts: 39
Hi,

I have searched a little but I haven't found anything.

I have a file view.xml where my definitions of views are defined. My final page is constituted by several myFile.jspx files.

If I use , when I have ROLE_USER I can see the create form; I get the access denied page only if I click on save, because the save method is mapped to POST and ROLE_USER doesn't have this privilege.


How can I restrict a view by URL directly in my security configuration XML? I want to go directly to the access denied page.

By creating a custom filter? I need a little advice.


Thanks in advance.
 
Bartender
Posts: 1682
If I understand your question correctly, you just need to remove



from what you already have.
 
Luis Parente
Ranch Hand
Posts: 39
Hi,


Well, if I have ROLE_USER, I want to go to the access denied page when I click on the create user link, but actually I can see the create form, and only after clicking the save button do I go to the access denied page.

thanks.

 
Bill Gorder
Bartender
Posts: 1682
What I am trying to say is, let's say you have a controller mapped like this



and this handles rendering the form for create.

and you also have a method like this



and this handles the save action for the create user form.


If you want both of these to be access denied, you want to change this



which only restricts the second to this



which will restrict it regardless of the HTTP method used.

Also another thing to be aware of when you are working on this is that when defining patterns remember that they are evaluated in the order they are defined, therefore more specific patterns should always be higher in the list than less specific patterns. I don't know if this is causing you issues since you just posted the one intercept-url but it is something you should keep in mind.
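
The change and the ordering rule described in the reply above, written out as an added example that is not part of the original posts. It assumes the Spring Security 3.1 XML namespace; the `/users/**` pattern and `ROLE_ADMIN` are hypothetical stand-ins for the snippets missing from the thread.

```xml
<!-- Fragment of the security context file; the surrounding <beans:beans>
     root (security schema as default namespace) and the
     <authentication-manager> are assumed to be defined as usual. -->
<http use-expressions="true">

  <!-- Before: the rule applies to POST only. A ROLE_USER request for
       GET /users/create matches no restricted rule here, so the form is
       rendered and the denial only happens on save.
  <intercept-url pattern="/users/**" method="POST"
                 access="hasRole('ROLE_ADMIN')"/>
  -->

  <!-- After: no method attribute, so GET, POST and every other HTTP
       method on /users/** need the role. The form itself is now denied. -->
  <intercept-url pattern="/users/**" access="hasRole('ROLE_ADMIN')"/>

  <!-- Rules are evaluated top to bottom and the first match decides.
       This catch-all has to stay below the specific rule; if it came
       first, it would match /users/create and let ROLE_USER in. -->
  <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

  <form-login/>
</http>
```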
 
Luis Parente
Ranch Hand
Posts: 39
Thanks for your response!


Now I have added in my applicationContect-security.xml and in my controller:




I have ROLE_USER and the annotation @PreAuthorize has no effect. Am I missing something?


Thanks.


 
Bill Gorder
Bartender
Posts: 1682
For method security, typically this would go in the service layer, on the service method that the controller calls to do its work, not on the controller methods; see this FAQ.

However, if you insist on it being on the controller method, you will need to use CGLIB proxies or set proxy-target-class = true.

Also be aware that if you are putting this on your controllers, defining <global-method-security pre-post-annotations="enabled"/> in your applicationContect-security.xml is not going to work.

Please read this part of the reference documentation.

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-global-method

Note what it says here:

The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.



In your case your controller beans are most likely defined in your servlet-context.xml.

Hope this gives you enough to figure it out.
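
A sketch of the setup this reply points to, added here as an example and not taken from the original posts: method security is enabled in the same context that creates the controller beans, with class-based proxies. The file name follows the reply; the `com.example.web` package is a hypothetical placeholder.

```xml
<!-- servlet-context.xml: the DispatcherServlet context in which the
     controller beans are defined. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Controllers are created in this context (hypothetical package). -->
  <context:component-scan base-package="com.example.web"/>

  <!-- Declared here, not only in the root security context: annotations
       are applied only to beans of the context that enables them.
       proxy-target-class="true" requests CGLIB class proxies, so
       @PreAuthorize on a controller class without an interface is
       intercepted. -->
  <security:global-method-security pre-post-annotations="enabled"
                                   proxy-target-class="true"/>
</beans>
```

If the annotations move to the service layer instead, the same element belongs in whichever context defines the service beans.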

 
Luis Parente
Ranch Hand
Posts: 39
I see, it's better to put the annotations in the interfaces.


Just one more thing... If I want to block a URL like this: .

The url is mapped with this method in my controller

The solution is the

Thanks a lot!!

 