Spring Security with path variable parameters

Question

I would like to create security rules based on custom url parameters (path variables). In example. Let say I want to have user that has admin access for resources called Brand1 and Brand2 but has no access to resource called Brand3. We may edit resources using following links.

http://myapp/brand/edit/1
http://myapp/brand/edit/2
http://myapp/brand/edit/3

now in security context I would like to do something like that

 <security:intercept-url pattern="/brand/edit/{brandId}" 
           access="hasRole('ROLE_ADMIN') or
                   @authorizationService.hasBrandPermission(
                   #brandId, principal.username)"/>

The only thing I get is username. BrandId is always null. I used to do that with @PreAuthorize and it worked but now I would like to centralized security configuration in single xml file instead of spreading it across all controller classes. Moreover when I was using @PreAuthorize my access-denied-handler did not redirect me into denied page but display ugly AccessDeniedException insead.

I would really aprecieate any ideas.

Answer 1

Change the Spring Security version in your pom.xml to 4.1.0.RELEASE:

<spring-security.version>4.1.0.RELEASE</spring-security.version>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>

You may need to clean your maven project after that.

(I know, it's an old question. Nonetheless, I faced same issue 3 years later).

Answer 2

you can try using regular expression.

you will need to add the attribute path-type="regex" in your http element or request-matcher="regex" if your using spring security 3.1

see the documentation for more details