
How to add an interceptor in Spring

I am using Spring Security 3.0.3 for a project. My user info is loaded from the database. I have the following interceptor:

<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

I want to add an interceptor for user data. When I log in with user1 (requester as role), he can see only specific user1 data.

http://localhost:7009/Test/requester//30351?menuId=app.requester.new

But when I log in with another user, user2 (requester as role), and enter the above URL in the browser:

http://localhost:7009/Test/requester//30351?menuId=app.requester.new

he can see user1's data.

How can I add an interceptor so that it restricts access to another user's data?

The following is the scenario:

1> Log in with user1, and he can see the following list of data: 101 102 103. When I click on 102, it opens the details of 102.

http://localhost:7009/Test/requester//102?menuId=app.requester.new

2> Log in with user2, and he can see the following list of data: 104 105 106. When I click on 105, it opens the details of 105.

http://localhost:7009/Test/requester//105?menuId=app.requester.new

But when I copy the user1 link

http://localhost:7009/Test/requester//102?menuId=app.requester.new

and paste it into the browser, user2 can see the details of user1's data.

You don't filter everything in the Spring Security configuration but rather do it in the view or controller. Here is a very good tutorial which shows you how to use Spring Security in your case.

http://static.springsource.org/spring-security/site/petclinic-tutorial.html

If you use JSP for your view, you can use the Spring Security taglib to handle the view of the user's own data and, for other users' data, you will need to put the filtering logic inside the controller and pass the results as the model to the view. However, the exact solution depends on your application.

One option to do this is to use the Spring Expression Language and a custom Permission Evaluator. Here's what we did to implement a department/sub-department authorization scheme: "how to control the user authentication using spring mvc". This will allow you to create custom logic to identify what user1 is allowed to see, etc.

Check out http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html . Take a look at the @PostFilter annotation - if your data set is returned as a collection or an array Spring Security can automatically filter out data elements based on your custom Permission Evaluator.
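The ownership check that the answer above describes, as an added example that is not part of the original answers. RequestRecord, RequestDao, RequestService and OwnerPermissionEvaluator are hypothetical names, and it assumes method security is enabled with <global-method-security pre-post-annotations="enabled"> and that the evaluator is set on the method security expression handler.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Hypothetical domain type and DAO (assumptions, not taken from the question).
class RequestRecord {
    private final long id;
    private final String ownerUsername;
    RequestRecord(long id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
    public long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}

interface RequestDao {
    RequestRecord findById(long id);
    List<RequestRecord> findAll(); // must return a mutable list for @PostFilter
}

/** Grants access only when the record belongs to the authenticated user. */
class OwnerPermissionEvaluator implements PermissionEvaluator {
    private final RequestDao dao;
    OwnerPermissionEvaluator(RequestDao dao) { this.dao = dao; }

    // Object form: called for each element by @PostFilter (filterObject).
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof RequestRecord)) return false; // deny by default
        return auth.getName().equals(((RequestRecord) target).getOwnerUsername());
    }

    // Id form: called by @PreAuthorize with the id taken from the URL.
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        if (auth == null || !"RequestRecord".equals(type) || !(id instanceof Long)) return false;
        RequestRecord record = dao.findById((Long) id);
        return record != null && hasPermission(auth, record, permission);
    }
}

class RequestService {
    private final RequestDao dao;
    RequestService(RequestDao dao) { this.dao = dao; }

    // user2 asking for record 102 (owned by user1) gets AccessDeniedException.
    @PreAuthorize("hasPermission(#id, 'RequestRecord', 'read')")
    public RequestRecord getDetails(Long id) { return dao.findById(id); }

    // Records owned by other users are removed from the returned list.
    @PostFilter("hasPermission(filterObject, 'read')")
    public List<RequestRecord> listAll() { return dao.findAll(); }
}
```

The URL patterns in intercept-url only decide which roles may reach /requester at all; the per-record decision is made here, on the server, for every request regardless of which links the list page displayed.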

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM