使用 spring security 3 动态创建 <intercept-url pattern>

Question

您好，我是 Spring security 3 的新手，但在此站点的帮助下，我成功开发了身份验证和授权。现在我想从我的 context-security.xml 中删除拦截 URL 模式。我正在寻找特定用户表单数据库的权限并动态创建。我做到了……

在 context-security.xml 中

<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
            <custom-filter before="FIRST" ref="requestMappings"/>
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
            <beans:property name="objectDefinitionSource" ref="requestMappings" />
        </beans:bean>

        <beans:bean id="requestMappings" class="com.nmmc.common.security.repository.RequestMappingFactoryBean" />

    <http auto-config="true" once-per-request="false">

        <!-- Restrict URLs based on role -->
        <intercept-url pattern="/login.works" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/login/validate.works" access="IS_AUTHENTICATED_ANONYMOUSLY" />     
        <intercept-url pattern="/css/*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 

        <form-login login-page="/login.works" login-processing-url="/j_spring_security_check"
            default-target-url="/login/validate.works"
            authentication-failure-url="/login.works" />
        <logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.works" invalidate-session="true" />

        <session-management invalid-session-url="/login.works"
            session-fixation-protection="none">
            <concurrency-control max-sessions="50"
                error-if-maximum-exceeded="true" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider"></authentication-provider>
    </authentication-manager>

    <beans:bean id="customAuthenticationProvider"
        class="com.nmmc.common.security.repository.CustomAuthenticationProvider"></beans:bean>

在 RequestMappingFactoryBean 中

import org.springframework.beans.factory.FactoryBean;

public class RequestMappingFactoryBean implements FactoryBean{
    private final static String EOL = System.getProperty("line.separator"); 
    public Object getObject() throws Exception
    {
        StringBuffer sb = new StringBuffer();
        sb.append("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON");
        sb.append(EOL);
        sb.append("PATTERN_TYPE_APACHE_ANT");
        sb.append(EOL);
        sb.append("/**login.works=IS_AUTHENTICATED_ANONYMOUSLY");
        sb.append(EOL);
        sb.append("/user/**=ROLE_ADMIN");
        return sb.toString();    
    }    
    public Class getObjectType()
    {       
        return String.class;
    }
    public boolean isSingleton()
    {       
        return true;
    }   
}

当我从中删除 ref 时

<custom-filter before="FIRST" ref="requestMappings"/>

如果我定义它并运行我的应用程序，它也会给出错误，也必须定义 ref 它会给出类似的错误

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [custom-filter]

这就是我定义为给定的原因。 运行它的代码是否有任何更改？

Answer 1

在How to dynamically decide <intercept-url> access attribute value in Spring Security?阅读第一个答案

它有一个解决方案的大纲。