Spring Security 2 and FormBean field permissions

Developer https://www.devze.com 2023-02-06 16:56 Source: Internet
Let's say I have a handler in a Spring MVC controller:

@RequestMapping
public String myHandler(Model m, @RequestParam MyEntity entity)

However, MyEntity has several fields, some of which need different permissions to be able to view or update. Currently I am populating a FormBean from the entity object but at that point I don't know what has been set by the request so I can't check field by field. Any ideas on how to handle this correctly? I want to be able to specify a specific Role for each field that is required to view or update it.


If you are using container security and have access to the HttpServletRequest, you can perhaps leverage the use of the 'isUserInRole' method on the HttpServletRequest ( http://download.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole%28java.lang.String%29 )

e.g.:

boolean canEditEmail = request.isUserInRole("ROLE_EDIT_EMAIL");


The best way I've seen to address this is using the InitBinder and setAllowedFields functionality; the following forum post discusses this:

http://forum.springframework.org/showthread.php?t=10820
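
An added example, not code from the original thread or from the Spring project: it combines the two answers above by building the binder's allow-list from isUserInRole checks, so request parameters for fields the caller may not update are never bound. The "salary" field, ROLE_EDIT_SALARY, the request path, the view names and the MyEntity stand-in are assumptions, and the handler binds with @ModelAttribute instead of the question's @RequestParam so that the binder's field filter applies.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

@Controller
public class MyEntityController {
    // Field -> role required to update it ("salary" and ROLE_EDIT_SALARY are hypothetical).
    private static final Map<String, String> UPDATE_ROLE = new LinkedHashMap<String, String>();
    static {
        UPDATE_ROLE.put("email", "ROLE_EDIT_EMAIL");
        UPDATE_ROLE.put("salary", "ROLE_EDIT_SALARY");
    }
    // Runs before "entity" is bound: allow-list only the fields this caller may update.
    @InitBinder("entity")
    public void initBinder(WebDataBinder binder, HttpServletRequest request) {
        List<String> allowed = new ArrayList<String>();
        for (Map.Entry<String, String> e : UPDATE_ROLE.entrySet()) {
            if (request.isUserInRole(e.getValue())) {
                allowed.add(e.getKey());
            }
        }
        if (allowed.isEmpty()) {
            // DataBinder treats an empty allow-list as "all fields", so deny explicitly.
            binder.setDisallowedFields(new String[] {"*"});
        } else {
            binder.setAllowedFields(allowed.toArray(new String[allowed.size()]));
        }
    }

    @RequestMapping("/entity/update") // hypothetical path and view names
    public String myHandler(Model m, @ModelAttribute("entity") MyEntity entity, BindingResult result) {
        // Parameters that were submitted but dropped by the allow-list.
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            m.addAttribute("rejectedFields", suppressed);
            return "entityForm";
        }
        return "entityUpdated";
    }
    public static class MyEntity { // minimal stand-in for the question's entity
        private String email, salary;
        public void setEmail(String email) { this.email = email; }
        public void setSalary(String salary) { this.salary = salary; }
    }
}
```

getSuppressedFields() reports every submitted parameter that is not on the allow-list, including parameters that are not entity properties at all, so decide per form whether to reject the request or only log the names.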
