Hope, from the title itself, you would have guessed: yes, URL restriction based on JAS response.
Case i)
Got blocked in here..
Googled.. tried implementing http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html
I'm not sure you guys can follow the above link easily; however, in my case, I can. I'll tell you why: I have implemented a functionality of disabling a button in a JSP page.
So, it looked like the continuation of that, and I thought I would complete it in some time. But it says, not so easy buddy. 😄
Earlier, I had the object in the session, and I can get the object as ${OBJECT} and give permission.
<sec:accesscontrollist hasPermission="101001" domainObject="${USER_FUNCTIONS}">
Now it is the opposite: I need to do the same implementation in Java. I used @PreAuthorize("hasPermission(OBJECT,'TEST123')") and thought it would work. But it didn't. Got blocked in here..
Current scenario:
* Having the object in the session, I need to get that object and make the @PreAuthorize work. But how will I set the session object in the annotation?
I tried getting the session object globally using:
// Look up the current request through Spring's RequestContextHolder, then read the list from the session
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder
        .currentRequestAttributes()).getRequest();
HttpSession session = request.getSession();
List<String> functionList = (List<String>) session.getAttribute("OBJECT");
Since in Spring the controller will compile at run time itself, I got an error.
Case ii)
Since case i) didn't work, another idea sparked:
doing the restriction in the configuration itself, using
<intercept-url pattern="/test/edit/**" access="hasPermission(OBJECT,'TEST123')"/>
This also didn't work.
Finding a way to fix it.
Finally, after a long wait, fixed it:
https://stackoverflow.com/a/45354372/2573744
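
One way to make hasPermission(...) consult the function list kept in the session, as an added example (not code from this post or from the linked answer): a custom PermissionEvaluator that reads the "OBJECT" session attribute itself at call time, so the expression only has to pass the permission code. The class name SessionFunctionPermissionEvaluator, the 'FUNCTIONS' placeholder argument and the javax.servlet namespace are assumptions; the evaluator still has to be set on the method and web security expression handlers via setPermissionEvaluator.

```java
import java.io.Serializable;
import java.util.List;

import javax.servlet.http.HttpSession; // assumption: pre-Jakarta servlet API

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical class name; "OBJECT" is the session attribute used in the post.
public class SessionFunctionPermissionEvaluator implements PermissionEvaluator {

    private static final String SESSION_KEY = "OBJECT";

    // Called for hasPermission(target, permission), e.g.
    // @PreAuthorize("hasPermission('FUNCTIONS','TEST123')") where 'FUNCTIONS' is a placeholder.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || permission == null) {
            return false; // fail closed
        }
        List<?> functions = currentFunctionList();
        return functions != null && functions.contains(permission.toString());
    }

    // Called for hasPermission(id, type, permission); not used here, so deny.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }

    // Reads the list per call; null when outside a web request or when no session exists.
    private List<?> currentFunctionList() {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (!(attrs instanceof ServletRequestAttributes)) {
            return null;
        }
        HttpSession session = ((ServletRequestAttributes) attrs).getRequest().getSession(false);
        Object value = (session == null) ? null : session.getAttribute(SESSION_KEY);
        return (value instanceof List) ? (List<?>) value : null;
    }
}
```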