Spring Security Authorize Access Role with a Wildcard
Is it possible at all for me to use a wildcard in the access property of the <sec:authorize /> tag.
Currently I have
<sec:authorize access="hasRole('TICKET_VIEW') or hasRole('TICKET_EDIT')">
but I would like to be able to use
<sec:authorize access="hasRole('TICKET_*')">
Is this possible or does anyone know a work-around that would accomplish the same thing?
Thanks
It's possible in Spring EL starting from Spring 3.x. The expression you're looking for is hasAnyRole(..).
So it should look like this:
<sec:authorize access="hasAnyRole('TICKET_VIEW', 'TICKET_EDIT')">
...
</sec:authorize>
Here's a link for some more Spring EL expressions: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
I realize that this is an old question, but this answer might help future searchers.
1) Allow Single Role from a Fixed Set: This is the simple base case.
<security:authorize access="hasRole('ROLE_ADMIN_ABC')">
You are allowed to see these admin links.
</security:authorize>
2) Allow Any Role from a Fixed Set: For cases where you want to allow "any role that starts with ADMIN", you know all of the role names in advance, and you just have a few roles, jzelenkov's answer is perfectly correct. However, if you have too many roles to deal with, you will probably want to create a custom method call that can make the access decision, and insert it into the access attribute with SpEL. This solution is closer to the wildcard question that was originally asked.
<bean id="mySecurityBean" class="com.sample.MySecurityBean" />
<security:authorize access="@mySecurityBean.roleStartsWith(principal, 'ROLE_ADMIN_')">
You are allowed to see these admin links.
</security:authorize>
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class MySecurityBean {
    /**
     * Returns true if any of the user's granted authorities starts with the given prefix.
     */
    public boolean roleStartsWith(UserDetails user, String rolePrefix) {
        for (GrantedAuthority auth : user.getAuthorities()) {
            if (auth.getAuthority().startsWith(rolePrefix)) {
                return true;
            }
        }
        return false;
    }
}
3) Allow Single Role from a Dynamic Set: For cases where you want to allow "a specific role that starts with ADMIN", but you don't necessarily know all of the allowed role suffixes, you can insert the role name at render time with JSTL. As an example, consider an app with many workspaces, each with a unique code. You want to create a ROLE_ADMIN_workspaceName role for each workspace. When someone is visiting the ABC workspace page, you only want the admin links to appear if the user has the ROLE_ADMIN_ABC role. Let us assume that every workspace uses the same JSP view, and the name is passed into the model as ${workspaceName}.
<sec:authorize access="hasRole('ROLE_ADMIN_${workspaceName}')">
You are allowed to see these admin links.
</sec:authorize>
4) Allow Any Role from a Dynamic Set: This is identical to the solution for #2.
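As an added example, not part of the answer above, here is a hypothetical helper bean that addresses the original `hasRole('TICKET_*')` wish directly: it matches a glob against the authorities of the SpEL `authentication` object rather than `principal`, so the call does not fail when the principal is a plain String instead of a `UserDetails`. The names `RolePatternBean`, `hasRoleMatching` and `globToPattern` are assumptions.

```java
import java.util.regex.Pattern;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical helper bean (not from the original answer). Register it as a
 * Spring bean and call it from the tag:
 *
 *   <sec:authorize access="@rolePatternBean.hasRoleMatching(authentication, 'TICKET_*')">
 *
 * The pattern is fixed in the view by the developer; it is never taken from user input.
 */
public class RolePatternBean {

    /** Returns true if any granted authority matches the glob (only '*' is special). */
    public boolean hasRoleMatching(Authentication authentication, String glob) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false; // deny by default when there is no usable authentication
        }
        Pattern pattern = globToPattern(glob);
        for (GrantedAuthority auth : authentication.getAuthorities()) {
            String name = auth.getAuthority();
            if (name != null && pattern.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Translates "TICKET_*" into ^\QTICKET_\E.*\Q\E$ so that regex metacharacters
     * that may appear in role names (dots, parentheses, ...) are treated literally.
     * A glob without '*' therefore becomes an exact, full-string match.
     */
    static Pattern globToPattern(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (String part : glob.split("\\*", -1)) { // -1 keeps a trailing empty segment
            sb.append(Pattern.quote(part)).append(".*");
        }
        sb.setLength(sb.length() - 2); // drop the ".*" appended after the last segment
        return Pattern.compile(sb + "$");
    }
}
```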