Spring Security 2 and FormBean field permissions
Let's say I have a handler in a Spring MVC controller:
@RequestMapping
public String myHandler(Model m, @RequestParam MyEntity entity)
However, MyEntity
has sev开发者_C百科eral fields, some of which need different permissions to be able to view or update. Currently I am populating a FormBean
from the entity object but at that point I don't know what has been set by the request so I can't check field by field. Any ideas on how to handle this correctly? I want to be able to specify a specific Role for each field that is required to view or update it.
If you are using container security and have access to the HttpServletRequest, you can perhaps leverage the use of the 'isUserInRole' method on the HttpServletRequest ( http://download.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole%28java.lang.String%29 )
eg:
boolean canEditEmail = request.isUserInRole("ROLE_EDIT_EMAIL");
The best way I've seen to address this is using the InitBinder
and setAllowedFields
functionality, the following forum post discusses this:
http://forum.springframework.org/showthread.php?t=10820
精彩评论