philipsorst / angular-rest-springsecurity

An example AngularJS Application that uses a Spring Security protected Jersey REST backend based on Hibernate/JPA
Apache License 2.0

Is it possible to load intercept url from database. #32

Open thekowsar opened 8 years ago

thekowsar commented 8 years ago

I want to create dynamic roles. For that I need to save the intercept url "" in a MySQL DB and then load it from the DB.

Is it possible?

Thanks for your help once again.

philipsorst commented 8 years ago

Sorry, but I don't understand what you actually try to achieve. Which intercept url are you talking about? Can you elaborate a bit further?

thekowsar commented 8 years ago

Thanks for your early reply. And sorry for my late reply.

In context.xml we put access urls like

<security:intercept-url pattern="/rest/user/authenticate" access="permitAll" />
<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('USER')" />

I want to save those access urls in the DB and load those urls from the DB.

For that I try to use these:

http://docs.spring.io/spring-security/site/faq/faq.html#faq-dynamic-url-metadata
http://stackoverflow.com/questions/6893061/how-to-dynamically-decide-intercept-url-access-attribute-value-in-spring-secur

I think it is possible.

Thanks for your help

philipsorst commented 8 years ago

Hi, from the Spring Docs: "The first thing you should ask yourself is if you really need to do this. If an application requires securing, then it also requires that the security be tested thoroughly based on a defined policy." However, if you require it, the easiest way is to probably not secure by url pattern at all and do the checking within the resource methods themselves. You have access to the security context and to the database and can throw exceptions if the user does not have sufficient rights. The more complex way would be to rework the AccessDecisionManager, I guess.

thekowsar commented 8 years ago

Hi, I understand your opinion. I need to create roles at run time. For that I need to do this.

If I create a custom class that implements FilterInvocationSecurityMetadataSource, OptionsFromDataBaseFilterInvocationSecurityMetadataSource.

Then I implement these methods:

Collection getAttributes(Object object), where you can access the database, searching for the 'object' being secured (normally the URL to access) to obtain the allowed ConfigAttribute's (normally the ROLE's)

boolean supports(Class clazz)

Collection getAllConfigAttributes()

like this - http://docs.spring.io/spring-security/site/faq/faq.html#faq-dynamic-url-metadata

Then what changes do I have to make in context.xml?

Thanks a lot for your help.
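
An added example, not part of the thread or of the project's code: a database-backed `FilterInvocationSecurityMetadataSource` of the kind discussed above, which denies any URL that has no rule instead of leaving it public. It assumes Spring Security 3.2 to 5.x (`javax.servlet`) and an `AccessDecisionManager` using `RoleVoter` and `AuthenticatedVoter`, so stored attributes are plain names such as `ROLE_USER` or `IS_AUTHENTICATED_ANONYMOUSLY` rather than expressions like `hasRole('USER')`. `RuleDao`, its row layout and `ROLE_NO_ACCESS` are hypothetical names.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class DbUrlSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    // Hypothetical DAO; each row is {httpMethod or null, antPattern, "ATTR1,ATTR2"}, most specific first.
    public interface RuleDao { List<String[]> findAllOrdered(); }

    // A role no account is ever granted, so a URL without a rule is denied instead of public.
    private static final List<ConfigAttribute> DENY = SecurityConfig.createList("ROLE_NO_ACCESS");

    private final RuleDao dao;
    private volatile Map<AntPathRequestMatcher, List<ConfigAttribute>> rules = new LinkedHashMap<>();

    public DbUrlSecurityMetadataSource(RuleDao dao) { this.dao = dao; reload(); }

    // Call after the rule table changes; the map is swapped whole so requests never see a partial set.
    // A malformed row throws before the swap, which leaves the previous rules in force.
    public void reload() {
        Map<AntPathRequestMatcher, List<ConfigAttribute>> fresh = new LinkedHashMap<>();
        for (String[] row : dao.findAllOrdered()) {
            fresh.put(new AntPathRequestMatcher(row[1], row[0]),
                      SecurityConfig.createList(row[2].trim().split("\\s*,\\s*")));
        }
        rules = fresh;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getRequest();
        for (Map.Entry<AntPathRequestMatcher, List<ConfigAttribute>> rule : rules.entrySet()) {
            if (rule.getKey().matches(request)) return rule.getValue(); // first match wins
        }
        return DENY;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new HashSet<>(DENY);
        for (List<ConfigAttribute> attrs : rules.values()) all.addAll(attrs);
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

The class is set as the `securityMetadataSource` property of a `FilterSecurityInterceptor` bean; the Spring FAQ linked in the thread describes this as requiring an explicitly declared filter chain rather than the `security:intercept-url` namespace elements.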