在Spring Security中允许特定用户访问

Question

I'm using Spring Security to Secure my Web App. I have a page where I show foo objects for administrators.

<intercept-url pattern="/show_foo/**" access="hasRole('ROLE_ADMIN')" />

But now I have a requirement that a foo cannot be seen by all the Administrators, for example only administrators with city="New York" can access to the element.

I've did something in my controller to solve this :

@RequestMapping(method=RequestMethod.GET,value="/show_foo"
public ModelAndView showfunction(Principal user)
{
User user2 = userService.getUserByName(user.getName());
if(/* some checks on user2 */)
   /* show page */
else
  /* show error page*/
} 

So my question is : can I avoid the database call, because I need this almost in all of my pages and I find it ugly to check each time at the top of any controller the same thing over and over. Is there a Spring Security feature for this kind of use cases?.

Answer 1

With Expression based rules you can accesss principal even on rule. See: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

For example if you can include needed information on principal object.

<intercept-url pattern="/show_foo/**" access="hasRole('ROLE_ADMIN') and principal.name=='xyzzy' " />

Answer 2

you have to put in some logic.

1.) Either load the user and country mapping and store somewhere in Static HashMap , remember to update the map if any changes done in mapping, can store same at session level.

2.) Load entries in 2nd level cache, or make queries cacheable, enable query caching as well.

Answer 3

You need to integrate Spring Security with Domain-ACLs. See a full explanation here .

Yo can consider mapping the relationship between Administrators and Cities using ACL_OBJECT_IDENTITY instances.