Spring Security - how can I define intercept-url dynamically using Database? -

-

i've been working on spring security , need know how can define intercept-url (in spring security) dynamically using database.

i've dug deep whole internet , not find unique (and of course useful) tutorial in area.

so here did:

first implemented filterinvocationsecuritymetadatasource abstract class:

public class myfiltersecuritymetadatasource implements filterinvocationsecuritymetadatasource {       public list<configattribute> getattributes(object object) {         filterinvocation fi = (filterinvocation) object;         string url = fi.getrequesturl();         list<configattribute> attributes = new arraylist<configattribute>();          attributes = getattributesbyurl(url);          return attributes;     }      public collection<configattribute> getallconfigattributes() {         return null;     }      public boolean supports(class<?> clazz) {         return filterinvocation.class.isassignablefrom(clazz);     }      public list<configattribute> getattributesbyurl(string inputurl)     {         list<configattribute> attributes = new arraylist<configattribute>();          connection connection = null;         string url = "jdbc:mysql://173.0.0.22:3306/";         string dbname = "kheirkhahandb";         string drivername = "com.mysql.jdbc.driver";         string username = "kheirkhahan";         string password = "kheirkhahan";         try{             class.forname(drivername).newinstance();             connection = drivermanager.getconnection(url+dbname, username, password);             try{                 statement stmt = connection.createstatement();                 string selectquery = "select * url_access url = '" + inputurl +"'";                 resultset rs = stmt.executequery(selectquery);                 while(rs.next()){                     myconfigattribute temp = new myconfigattribute();                     string attr = rs.getstring("access").tostring();                     temp.setattr(attr);                     attributes.add(temp);                 }             }             catch(sqlexception s){                 system.out.println(s);             }             connection.close();         }         catch (exception e){             e.printstacktrace();         }         return attributes;     }


, set security.xml as:

<bean id="springsecurityfilterchain" class="org.springframework.security.web.filterchainproxy">         <sec:filter-chain-map path-type="ant">             <sec:filter-chain pattern="/css/**" filters="none" />             <sec:filter-chain pattern="/images/**" filters="none" />             <sec:filter-chain pattern="/login.jsp*" filters="none" />             <sec:filter-chain pattern="/**"                 filters="             securitycontextpersistencefilter,             logoutfilter,             authenticationprocessingfilter,             exceptiontranslationfilter,             filtersecurityinterceptor" />         </sec:filter-chain-map>     </bean>      <bean id="securitycontextpersistencefilter"         class="org.springframework.security.web.context.securitycontextpersistencefilter">     </bean>      <bean id="exceptiontranslationfilter"         class="org.springframework.security.web.access.exceptiontranslationfilter">         <property name="authenticationentrypoint" ref="authenticationentrypoint" />         <property name="accessdeniedhandler" ref="accessdeniedhandler" />     </bean>      <bean id="authenticationentrypoint"         class="org.springframework.security.web.authentication.loginurlauthenticationentrypoint">         <property name="loginformurl" value="/login.jsp?error=entrypoint" />     </bean>      <bean id="accessdeniedhandler"         class="org.springframework.security.web.access.accessdeniedhandlerimpl">         <property name="errorpage" value="/login.jsp?error=access_denied" />     </bean>      <bean id="authenticationprocessingfilter"         class="org.springframework.security.web.authentication.usernamepasswordauthenticationfilter">         <property name="authenticationmanager" ref="authenticationmanager" />     </bean>      <bean id="filtersecurityinterceptor"         class="org.springframework.security.web.access.intercept.filtersecurityinterceptor">         <property name="authenticationmanager" ref="authenticationmanager" />         <property name="accessdecisionmanager" ref="accessdecisionmanager" />         <property name="securitymetadatasource" ref="myfilterinvocationsecuritymetadatasource" />     </bean>      <bean id="myfilterinvocationsecuritymetadatasource" class="com.datx.dao.myfiltersecuritymetadatasource">     </bean>      <bean id="logoutfilter"         class="org.springframework.security.web.authentication.logout.logoutfilter">         <constructor-arg value="/login.jsp?error=logout" />         <constructor-arg ref="logouthandler">         </constructor-arg>     </bean>      <bean id="logouthandler"         class="org.springframework.security.web.authentication.logout.securitycontextlogouthandler"></bean> <sec:authentication-manager alias="authenticationmanager">         <sec:authentication-provider>             <sec:jdbc-user-service data-source-ref="datasource"                 group-authorities-by-username-query="                                         select acg.id, acg.group_name, a.authority_name authority                                          access_groups acg, access_group_membership agm, group_authorities ga, authorities                                         agm.username = ? , acg.id = ga.group_id , acg.id = agm.group_id , ga.authority_id = a.id                                     "                 users-by-username-query="select username,password,is_active user username = ?"                 authorities-by-username-query="                                         select ua.username, a.authority_name authority                                          user_authorities ua, authorities                                          ua.username = ? , ua.authority_id = a.id                                     " />         </sec:authentication-provider>     </sec:authentication-manager>      <bean id="accessdecisionmanager"         class="org.springframework.security.access.vote.affirmativebased">         <property name="decisionvoters">             <list>                 <ref bean="rolevoter" />             </list>         </property>     </bean>     <bean id="rolevoter"         class="org.springframework.security.access.vote.rolehierarchyvoter">         <property name="roleprefix" value="" />         <constructor-arg ref="rolehierarchy" />     </bean>  <bean id="rolehierarchy" class="com.datx.dao.myrolehierarchyimpl">         <property name="rolehierarchyentrydaojdbc" ref="rolehierarchyentrydaojdbc" />     </bean>  </beans>


there problems cannot find out:
1. i've inserted pairs <"url" , "role"> url_access database. i'm not sure whether getattributes method working fine or not
2. have implement filters used in



3. i'm receiving exception when user uses wrong username/password or tries access not-permitted-pages, instead of being redirected login.jsp. why that?

thanks in advance

first ensure have consulted faq ensure want this. tom alluded to, not advisable place such information in database.

in terms of if/why current code working difficult without more details. example, errors seeing in logs? question in #2 not appear complete. spring security logs say?

if going stick plan, continue use namespace configuration , leverage beanpostprocessor (as discussed on faq) swap out filterinvocationservicesecuritymetadatasource. implementation might this:

public class filterinvocationservicesecuritymetadatasourcebeanpostprocessor      implements beanpostprocessor {      private filterinvocationservicesecuritymetadatasource metadatasource;      public void setmetadatasource(filterinvocationservicesecuritymetadatasource metadatasource) {         this.metadatasource = metadatasource;     }      public object postprocessbeforeinitialization(object bean, string beanname) {          if(bean instanceof filterinvocationsecuritymetadatasource) {              return metadatasource;          }          return bean;      }       public object postprocessafterinitialization(object bean, string beanname) {          return bean;      }  }

then custom filterinvocationservicesecuritymetadatasource specified in spring configuration along filterinvocationservicesecuritymetadatasourcebeanpostprocessor.

<bean id="fimds" class="filterinvocationservicesecuritymetadatasourcebeanpostprocessor">   <property name="metadatasource">     <bean id="myfilterinvocationsecuritymetadatasource" class="com.datx.dao.myfiltersecuritymetadatasource"/>   </property> </bean>

Comments

Post a Comment

Popular posts from this blog

django - How can I change user group without delete record -

-
on website user have 1 group. , user can change group. it's made user.groups.clear() and user.groups.add(new_group) but it's not efficient, because there 2 sql query: delete, insert. how can change group update query? user , group related each other using manytomanyfield . means intersection table exists relating both entities, , if don't specify model map (using through attribute) django creates 1 you. looking @ sources django.contrib.auth.models see that's case. fortunatly, can access intermediary model using through attribute of manager (in case, user.groups.through ). can use regular model. example: >>> alice = user.objects.create_user('alice', 'alice@example.com', 'alicepw') >>> employee = group.objects.create(name='employee') >>> manager = group.objects.create(name='manager') >>> alice.groups.add(employee) >>> alice.groups.all() [<group: employee...
Read more

java - Need to add SOAP security token -

-
i need set custom soap header attribute on jax-ws generated webservice client. case webservice calls must go through proxy server requiring specific token (recieved web request header) present in soap request header. e.g.: 1 carserviceservice service = null; 2 service = new carserviceservice(new url(url), new qname(qname); 3 carserviceendpoint port = service.getcarserviceport(); it seems in line 3 wsdl retrieved , call fails due missing security token. 1 point direction on how done? a detailed example has been mentioned here: creating , deploying jax-ws web service on tomcat 6 this article shows how create , use security token .
Read more

java - EclipseLink JPA Object is not a known entity type -

-
i have strange problem eclipselink , object want persist. have 1 object (keypointlistimpl) stores object keypointimpl in list. persisting keypointimpl objects works great if try persist keypointlistimpl object java.lang.illegalargumentexception says object keypointimpl isn't known entity type. here keypointimpl code: @entity @table(name="keypoints") public class keypointimpl implements keypoint { @id @generatedvalue(strategy = generationtype.identity) private int id; @enumerated(enumtype.string) private detectortype keypointtype; private float x; private float y; private float size; private float angle; private float response; private int octave; private int classid; ... } here keypointlistimpl code: @entity @table(name="keypointlists") public class keypointlistimpl implements keypointlist { @id @generatedvalue(strategy = generationtype.identity) private int id; @onetoone(cascade={ca...
Read more