george

Reputation: 3211

pass HttpServletRequest in a hasPermission expression

In my spring security config I've got the following settings:

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
                .antMatchers("/login.htm", "/signup.htm").permitAll()
                .antMatchers("/page1.htm", "/page2.htm", "/page3.htm").access("@permission.hasPermission(principal.username)")
        ....
    }

The @permission bean, which contains the method hasPermission, is a @Component bean which decides whether the principal username has access to the pages. In the bean I use my DAO methods to determine this. However, I need more knowledge to make the decision because it's not a single page. For instance, is there any way to know what page the user has requested and pass that in the hasPermission method? In other words, I want to do something like:

    .antMatchers("/page1.htm", "/page2.htm", "/page3.htm").access("@permission.hasPermission(principal.username, HttpServletRequest http)")

See the 2nd parameter of the method. It's the HTTP request, which is the requested page, so I will know whether the user requested page1, page2 or page3. Or, if I cannot pass that as a parameter, how can I get the current requested page in my implementation of the hasPermission method?

Upvotes: 1

Views: 579

Answers (1)

Rob Winch

Reputation: 21720

You should be able to access it using the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
                .antMatchers("/login.htm", "/signup.htm").permitAll()
                .antMatchers("/page1.htm", "/page2.htm", "/page3.htm").access("@permission.hasPermission(principal.username,request)")
        ....
    }

This is due to the fact that the WebSecurityExpressionRoot.request property is exposed as a public final variable.

Upvotes: 1
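
For the receiving side of the `request` argument described in the answer above, here is an added example that is not part of the original answer or the asker's code. It assumes the `javax.servlet` API and constructor injection; `PagePermission`, `PageAccessDao` and `isAllowed` are hypothetical names standing in for the asker's bean and DAO methods.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Component;

// Referenced from the security config as:
//   .access("@permission.hasPermission(principal.username,request)")
@Component("permission")
public class PagePermission {

    /** Hypothetical DAO standing in for the asker's own data-access methods. */
    public interface PageAccessDao {
        boolean isAllowed(String username, String page);
    }

    // The pages this rule protects, as listed in the antMatchers(...) call.
    private static final Set<String> PROTECTED_PAGES = new HashSet<>(
            Arrays.asList("/page1.htm", "/page2.htm", "/page3.htm"));

    private final PageAccessDao dao;

    public PagePermission(PageAccessDao dao) {
        this.dao = dao;
    }

    public boolean hasPermission(String username, HttpServletRequest request) {
        if (username == null || request == null) {
            return false;
        }
        // getServletPath()/getPathInfo() are decoded by the container and
        // exclude the context path; getRequestURI() is raw and includes it.
        String page = request.getServletPath();
        if (request.getPathInfo() != null) {
            page += request.getPathInfo();
        }
        // Deny anything that is not exactly one of the known pages, so an
        // unexpected path never reaches the DAO as a lookup key.
        if (!PROTECTED_PAGES.contains(page)) {
            return false;
        }
        return dao.isAllowed(username, page);
    }
}
```

The method returns `false` on every path it does not recognise, so adding a new URL to the `antMatchers(...)` list without updating the bean fails closed rather than open.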
