I am working to configure Spring-Security with an existing application, for just basic security (i.e. what pages a user can see based on their roles). The question came up wondering if we could set what roles are required for each page in Java instead of the ApplicationContext.xml.
The idea is to store them in a table in our database, so we can easily change them without a redeployment. Is this possible? How?
Yes you can configure Spring-Security programmatically. But I don't think that is what you want / need to do.
The question came up wondering if we could set what roles are required for each page in java instead of the ApplicationContext.xml.
You could implement your own AccessDecisionManager class that queries your database to fetch the rules (or whatever) for each resource / page. This is described in Section IV of the SpringSecurity manual.
Alternatively, you could embed your own custom access control logic inside your MVC controller. Use SpringSecurityContext to fetch the request's Authorization object, fish out the identity and/or authorities, and implement the decision making however you want to.
We did this using Interceptors. Basically a MethodInterceptor proxies any call to any method you want (i.e. getting an object from your database). You can then programmatically intercept the object and check the current user and do pretty much anything you want in terms of access control. If that means querying the database for a list of users who have access (and hence a list you can change without modifying code) then so be it.