The main part of this piece of configuration is the secureResourceFilter: a class that implements FilterInvocationDefinitionSource and is called whenever Spring Security needs to check the Authorities for a requested page.
Here is the code for MySecureResourceFilter:
- package org.security.SecureFilter;
-
- import java.util.Collection;
- import java.util.List;
-
- import org.springframework.security.ConfigAttributeDefinition;
- import org.springframework.security.ConfigAttributeEditor;
- import org.springframework.security.intercept.web.FilterInvocation;
- import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
-
-
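/**
 * Supplies Spring Security with the authorities (called Roles here) that may
 * access the URL of the current web request.
 *
 * <p>The roles come from the project's {@code Resource} and {@code Role}
 * classes, which are not shown here.
 */
public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

    /**
     * Builds the config attributes for a request from the names of the roles
     * attached to its URL.
     *
     * @param filter the secure object; must be a {@link FilterInvocation}
     * @return the value produced by {@link ConfigAttributeEditor} from the
     *         comma-separated role names
     * @throws IllegalArgumentException if {@code filter} is not a {@code FilterInvocation}
     */
    public ConfigAttributeDefinition getAttributes(Object filter) throws IllegalArgumentException {
        // Reject unsupported secure objects with the declared exception type
        // instead of letting the cast below fail with a ClassCastException.
        if (!(filter instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        FilterInvocation filterInvocation = (FilterInvocation) filter;

        // NOTE(review): the request URL may carry a query string and is used as-is;
        // confirm that Resource matches on a normalized path so that variants of
        // the same URL cannot map to a different (or empty) set of roles.
        String url = filterInvocation.getRequestUrl();

        // A freshly constructed object is never null, so no null check is needed.
        Resource resource = new Resource(url);

        // Join the role names with "," and add the separator only between names,
        // so there is no trailing comma to strip afterwards.
        // NOTE(review): a role name that itself contains "," would presumably be
        // split into several attributes by the editor - confirm role naming rules.
        List<Role> roles = resource.getRoles();
        StringBuilder rolesList = new StringBuilder();
        for (Role role : roles) {
            if (rolesList.length() > 0) {
                rolesList.append(",");
            }
            rolesList.append(role.getName());
        }

        // NOTE(review): when the URL has no roles the editor receives an empty
        // string; confirm what it returns in that case. A null result tells
        // Spring Security that nothing is configured for the request, which is
        // treated as public unless the interceptor rejects public invocations.
        ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
        configAttrEditor.setAsText(rolesList.toString());
        return (ConfigAttributeDefinition) configAttrEditor.getValue();
    }

    /**
     * Returns {@code null}: roles are resolved per request URL in
     * {@link #getAttributes(Object)} and are not enumerated up front.
     */
    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    /**
     * Reports whether this source can handle the given secure-object class.
     * Only {@link FilterInvocation} (or a subclass) is supported, matching the
     * cast performed in {@link #getAttributes(Object)}.
     */
    public boolean supports(Class arg0) {
        return arg0 != null && FilterInvocation.class.isAssignableFrom(arg0);
    }

}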
package org.security.SecureFilter;
import java.util.Collection;
import java.util.List;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
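/**
 * Supplies Spring Security with the authorities (called Roles here) that may
 * access the URL of the current web request.
 *
 * <p>The roles come from the project's {@code Resource} and {@code Role}
 * classes, which are not shown here.
 */
public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

    /**
     * Builds the config attributes for a request from the names of the roles
     * attached to its URL.
     *
     * @param filter the secure object; must be a {@link FilterInvocation}
     * @return the value produced by {@link ConfigAttributeEditor} from the
     *         comma-separated role names
     * @throws IllegalArgumentException if {@code filter} is not a {@code FilterInvocation}
     */
    public ConfigAttributeDefinition getAttributes(Object filter) throws IllegalArgumentException {
        // Reject unsupported secure objects with the declared exception type
        // instead of letting the cast below fail with a ClassCastException.
        if (!(filter instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        FilterInvocation filterInvocation = (FilterInvocation) filter;

        // NOTE(review): the request URL may carry a query string and is used as-is;
        // confirm that Resource matches on a normalized path so that variants of
        // the same URL cannot map to a different (or empty) set of roles.
        String url = filterInvocation.getRequestUrl();

        // Create a resource object that represents this URL. A freshly
        // constructed object is never null, so no null check is needed.
        Resource resource = new Resource(url);

        // Get the roles that can access this URL and join their names with ",".
        // The separator is added only between names, so there is no trailing
        // comma to strip afterwards.
        // NOTE(review): a role name that itself contains "," would presumably be
        // split into several attributes by the editor - confirm role naming rules.
        List<Role> roles = resource.getRoles();
        StringBuilder rolesList = new StringBuilder();
        for (Role role : roles) {
            if (rolesList.length() > 0) {
                rolesList.append(",");
            }
            rolesList.append(role.getName());
        }

        // NOTE(review): when the URL has no roles the editor receives an empty
        // string; confirm what it returns in that case. A null result tells
        // Spring Security that nothing is configured for the request, which is
        // treated as public unless the interceptor rejects public invocations.
        ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
        configAttrEditor.setAsText(rolesList.toString());
        return (ConfigAttributeDefinition) configAttrEditor.getValue();
    }

    /**
     * Returns {@code null}: roles are resolved per request URL in
     * {@link #getAttributes(Object)} and are not enumerated up front.
     */
    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    /**
     * Reports whether this source can handle the given secure-object class.
     * Only {@link FilterInvocation} (or a subclass) is supported, matching the
     * cast performed in {@link #getAttributes(Object)}.
     */
    public boolean supports(Class arg0) {
        return arg0 != null && FilterInvocation.class.isAssignableFrom(arg0);
    }
}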
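The getAttributes() method above essentially returns the names of the Authorities (which I call Roles) that are allowed access to the current URL. Note that when a URL has no Roles the editor is handed an empty string, so it is worth checking what getAttributes() returns in that case: Spring Security treats a null result as "nothing configured" for the request, which leaves the page public unless the interceptor is set to reject public invocations.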