Class UrlAccessRestrictionCheckingProcessor
- java.lang.Object
  - org.craftercms.security.processors.impl.UrlAccessRestrictionCheckingProcessor
- All Implemented Interfaces:
RequestSecurityProcessor
public class UrlAccessRestrictionCheckingProcessor extends Object implements RequestSecurityProcessor
Processor that checks if the current user has permission to access the current request URL. To do this, the processor matches the URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression and the expression is executed. If it returns true, the processor chain is continued; if not, an AccessDeniedException is thrown. The expression should be one of these method calls, each of which returns a boolean:
- isAnonymous()
- isAuthenticated()
- hasRole('role')
- hasAnyRole({'role1', 'role2'})
- permitAll()
- denyAll()
Examples of user URL restrictions:
<entry key="/static-assets" value="permitAll()"/>
<entry key="/user" value="hasAnyRole({'user', 'admin'})"/>
<entry key="/admin" value="hasRole('admin')"/>
<entry key="/**" value="isAuthenticated()"/>
WARN: Remember to put the more general restrictions (like /**) at the end so they're matched last.
- Author:
- Alfonso Vásquez
- See Also:
AntPathMatcher
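The ordering warning and the ANT-style matching described above, as an added example that is not part of the Crafter CMS code base. It assumes restrictions are tried in map iteration order with the first match deciding, and uses Spring's AntPathMatcher directly; the class name, helper methods and the two variant maps are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

// Added example, not Crafter CMS code. Assumption: restrictions are tried in
// map iteration order and the first matching pattern decides the outcome.
public class RestrictionOrderDemo { // hypothetical class name

    static final PathMatcher MATCHER = new AntPathMatcher();

    // Returns the expression of the first matching pattern, or null if none matches.
    static String firstMatch(Map<String, String> restrictions, String url) {
        for (Map.Entry<String, String> e : restrictions.entrySet()) {
            if (MATCHER.match(e.getKey(), url)) {
                return e.getValue();
            }
        }
        return null;
    }

    static void report(String label, Map<String, String> restrictions, String url) {
        System.out.printf("%-16s %-14s -> %s%n", label, url, firstMatch(restrictions, url));
    }

    public static void main(String[] args) {
        // Restrictions from the class description, in the documented order.
        Map<String, String> documented = new LinkedHashMap<>();
        documented.put("/static-assets", "permitAll()");
        documented.put("/user", "hasAnyRole({'user', 'admin'})");
        documented.put("/admin", "hasRole('admin')");
        documented.put("/**", "isAuthenticated()");

        // Constructed variant: the catch-all is listed first and shadows /admin.
        Map<String, String> catchAllFirst = new LinkedHashMap<>();
        catchAllFirst.put("/**", "isAuthenticated()");
        catchAllFirst.put("/admin", "hasRole('admin')");

        // Constructed variant: /admin/** also covers paths beneath /admin.
        Map<String, String> withSubPaths = new LinkedHashMap<>();
        withSubPaths.put("/admin/**", "hasRole('admin')");
        withSubPaths.put("/**", "isAuthenticated()");

        for (String url : new String[] {"/admin", "/admin/users"}) {
            report("documented", documented, url);
            report("catch-all first", catchAllFirst, url);
            report("with sub-paths", withSubPaths, url);
        }
    }
}
```

AntPathMatcher treats /admin as an exact path, so in the documented map /admin/users is decided by the /** entry; a pattern such as /admin/** covers /admin and everything beneath it.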
Field Summary
Fields (Modifier and Type, Field):
- static org.slf4j.Logger logger
- protected org.springframework.util.PathMatcher pathMatcher
- protected Map<String,org.springframework.expression.Expression> urlRestrictions
Constructor Summary
Constructors (Constructor, Description):
- UrlAccessRestrictionCheckingProcessor()
  Default constructor.
Method Summary
All Methods, Instance Methods, Concrete Methods (Modifier and Type, Method, Description):
- protected Object createExpressionRoot(javax.servlet.http.HttpServletRequest request)
- protected String getRequestUrl(javax.servlet.http.HttpServletRequest request)
  Returns the request URL without the context path.
- protected Map<String,org.springframework.expression.Expression> getUrlRestrictions()
- protected boolean isAccessAllowed(javax.servlet.http.HttpServletRequest request, org.springframework.expression.Expression expression)
- void processRequest(org.craftercms.commons.http.RequestContext context, RequestSecurityProcessorChain processorChain)
  Matches the request URL against the keys of the restriction map, which are ANT-style path patterns.
- void setPathMatcher(org.springframework.util.PathMatcher pathMatcher)
  Sets the path matcher to use to match the URLs for restriction checking.
- void setUrlRestrictions(Map<String,String> restrictions)
  Sets the map of restrictions.
Method Detail
-
setPathMatcher
public void setPathMatcher(org.springframework.util.PathMatcher pathMatcher)
Sets the path matcher to use to match the URLs for restriction checking.
-
setUrlRestrictions
public void setUrlRestrictions(Map<String,String> restrictions)
Sets the map of restrictions. Each key of the map is an ANT-style path pattern, used to match the URLs of incoming requests, and each value is a Spring EL expression.
-
getUrlRestrictions
protected Map<String,org.springframework.expression.Expression> getUrlRestrictions()
-
processRequest
public void processRequest(org.craftercms.commons.http.RequestContext context, RequestSecurityProcessorChain processorChain) throws Exception
Matches the request URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression and the expression is executed. If it returns true, the processor chain is continued; if not, an AccessDeniedException is thrown.
- Specified by:
processRequest in interface RequestSecurityProcessor
- Parameters:
context - the context which holds the current request and response
processorChain - the processor chain, used to call the next processor
- Throws:
Exception
-
getRequestUrl
protected String getRequestUrl(javax.servlet.http.HttpServletRequest request)
Returns the request URL without the context path.
-
isAccessAllowed
protected boolean isAccessAllowed(javax.servlet.http.HttpServletRequest request, org.springframework.expression.Expression expression)
-
createExpressionRoot
protected Object createExpressionRoot(javax.servlet.http.HttpServletRequest request)