Implementing A Controller for Authorization

Developer https://www.devze.com 2023-04-07 17:52 Source: web
I use Spring and Spring Security 3 at my application. All my clients side are static HTML files. I have a navigation bar that includes buttons like:

  • List
  • Edit
  • Delete
  • Update

When a user clicks any of them, another page loads at the bottom. Users have roles in my application. Some users do not have edit and delete authorization, while others do. Those buttons should be visible only to users who have the authorization. If a user doesn't have the edit permission, he/she must not see the edit button. I have the buttons defined in an HTML file: navigation.html. I figured out that there will be many navigation.html files. One of them includes all buttons (for admin), one of them just includes the list button. If a user requests that navigation.html I want to send the correct one. So I can have that ability:

<logout logout-url="/j_spring_security_logout" logout-success-url="/login.html"/>

Similar to that, the user will request that file from a URL (such as /navigation). There will be a controller to handle it that will return one of those navigation files.

Does that design sound correct? If so, how can I implement it? Any other simple solutions are welcome; I am new to Spring and Spring Security.


For general Spring Security use, you don't need to write your own code to enable authorization. I generally configure Spring Security in XML to control access at a gross level to various resources based on Roles. Then, I annotate the controllers and/or handler methods to restrict more precisely.

Example:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled">
    </security:global-method-security>

    <security:http auto-config="true" disable-url-rewriting="true">
       <security:intercept-url pattern="/*.do" access="ROLE_USER" />
       <security:intercept-url pattern="/index.jsp" access="ROLE_USER" />
       <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
       <security:intercept-url pattern="/login.jsp" filters="none" />
       <security:form-login login-page="/login.jsp" />
       <security:logout />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:password-encoder hash="md5" />
            <security:jdbc-user-service data-source-ref="my-ds"/>
        </security:authentication-provider>
    </security:authentication-manager>

</beans:beans>

And then in the Controller:

@Secured({"ROLE_SPECIAL_USER"})
@RequestMapping("/somespecial.do")

Within a JSP:

<%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
<authz:authorize ifAnyGranted="ROLE_SPECIAL_USER">
   ...some special JSP code...
</authz:authorize>


Based on your use of static HTML, I would think that the design you specify would be reasonable.

Have a Controller that maps to navigation.html, and it would simply look at the granted authorities of the current user and return the correct static html view name for the html file that has all (and only) the appropriate controls.

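An added example of the controller the second answer describes (it is not code from either answer): it reads the current user's granted authorities and returns a view name, which an assumed view resolver (for instance an InternalResourceViewResolver with prefix /WEB-INF/views/ and suffix .html) maps to one of the navigation files. The package, the role names ROLE_ADMIN and ROLE_EDITOR, the view names and the /edit.do handler are assumptions; the @Secured annotation relies on global-method-security being enabled as in the first answer's XML.

```java
package example.web; // hypothetical package

import java.util.Collections;
import java.util.Set;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class NavigationController {

    // Handles GET /navigation: picks the navigation fragment for the current user.
    // The returned name is resolved by the (assumed) view resolver to a static file
    // such as /WEB-INF/views/nav-admin.html.
    @RequestMapping("/navigation")
    public String navigation() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Set<String> roles = (auth == null)
                ? Collections.<String>emptySet()
                : AuthorityUtils.authorityListToSet(auth.getAuthorities());
        return chooseView(roles);
    }

    // Kept separate so the decision can be unit-tested without a servlet container.
    // Unknown or missing roles fall through to the least-privileged fragment.
    static String chooseView(Set<String> roles) {
        if (roles.contains("ROLE_ADMIN")) {
            return "nav-admin";   // List, Edit, Delete, Update
        }
        if (roles.contains("ROLE_EDITOR")) {
            return "nav-editor";  // List, Edit, Update
        }
        return "nav-list";        // List only
    }

    // Hiding a button is only a usability measure: the handler it points at must
    // still be protected, otherwise a user who types the URL directly bypasses
    // the navigation page entirely.
    @Secured({"ROLE_EDITOR", "ROLE_ADMIN"})
    @RequestMapping("/edit.do")
    public String edit() {
        return "edit"; // assumed view name
    }
}
```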
