Thursday, 20 October 2016

Spring Security + ACL button level Authentication + URL Authentication


In my case, i have some ArrayList of String in httpsession. i need to show a button the user, only if the button function name is available in that list. i have implement it via Spring Security ACL.
For that add ACL + spring security core jar in the classpath.
<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>       
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>       
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-acl</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
then, i have added the bean in xml.
<global-method-security pre-post-annotations="enabled">
  <expression-handler ref="expressionHandler"/>
</global-method-security>    
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean> 
<beans:bean id="permissionEvaluator" class="com.config.BasePermissionEvaluator"/>
then the handler class BasePermissionEvaluator, this class will evaluate, if that button has permission,
public class BasePermissionEvaluator implements PermissionEvaluator{
 @Override
 public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {

  boolean hasPermission = true;
  // targetDomainObject [101001, 102001, 103001, 201001, 202001, 203001, 204001, 205001, 206001, 301001, 302001, 303001]permission : 303001
    @SuppressWarnings("unchecked")
    List<String> functionList =(List<String>) targetDomainObject;       
    if(!functionList.contains(permission.toString())) {
        hasPermission = false;  
    }
  return hasPermission;
 }

 @Override
 public boolean hasPermission(Authentication authentication,
   Serializable targetId, String targetType, Object permission) {
    throw new RuntimeException("Id and Class permissions are not supperted by this application");
 }
}
Finally in the jsp,
    <%@taglib uri="http://www.springframework.org/security/tags"
 prefix="sec"%>

<sec:accesscontrollist hasPermission="101001"   domainObject="${USER_FUNCTIONS}"> 
                    <button type="reset" id ="clearMPId"><spring:message code="mp.clear"/></button>
  </sec:accesscontrollist>   

for URL authentication, please follow

https://stackoverflow.com/a/45354372/2573744

Hope it helps.

No comments:

Post a Comment