In my case, i have some ArrayList of String in httpsession. i need to show a button the user, only if the button function name is available in that list. i have implement it via Spring Security ACL.
For that add ACL + spring security core jar in the classpath.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>${spring.security.version}</version>
</dependency>
then, i have added the bean in xml.
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>
<beans:bean id="permissionEvaluator" class="com.config.BasePermissionEvaluator"/>
then the handler class BasePermissionEvaluator, this class will evaluate, if that button has permission,
public class BasePermissionEvaluator implements PermissionEvaluator{
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
boolean hasPermission = true;
// targetDomainObject [101001, 102001, 103001, 201001, 202001, 203001, 204001, 205001, 206001, 301001, 302001, 303001]permission : 303001
@SuppressWarnings("unchecked")
List<String> functionList =(List<String>) targetDomainObject;
if(!functionList.contains(permission.toString())) {
hasPermission = false;
}
return hasPermission;
}
@Override
public boolean hasPermission(Authentication authentication,
Serializable targetId, String targetType, Object permission) {
throw new RuntimeException("Id and Class permissions are not supperted by this application");
}
}
Finally in the jsp,
<%@taglib uri="http://www.springframework.org/security/tags"
prefix="sec"%>
<sec:accesscontrollist hasPermission="101001" domainObject="${USER_FUNCTIONS}">
<button type="reset" id ="clearMPId"><spring:message code="mp.clear"/></button>
</sec:accesscontrollist>
No comments:
Post a Comment