Class UrlAccessRestrictionCheckingProcessor

  • All Implemented Interfaces:
    RequestSecurityProcessor

    public class UrlAccessRestrictionCheckingProcessor
    extends Object
    implements RequestSecurityProcessor
    Processor that checks whether the current user has permission to access the current request URL. To do this, the processor matches the URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression and executed. If the expression returns true, the processor chain is continued; if not, an AccessDeniedException is thrown. The expression should be one of these method calls, each of which returns a boolean:

    1. isAnonymous()
    2. isAuthenticated()
    3. hasRole('role')
    4. hasAnyRole({'role1', 'role2'})
    5. permitAll()
    6. denyAll()

    Examples of user URL restrictions:

     <entry key="/static-assets" value="permitAll()"/>
     <entry key="/user" value="hasAnyRole({'user', 'admin'})"/>
     <entry key="/admin" value="hasRole('admin')"/>
     <entry key="/**" value="isAuthenticated()"/>
     
    WARN: Remember to put the more general restrictions (like /**) at the end so they're matched last.
    Author:
    Alfonso Vásquez
    See Also:
    AntPathMatcher
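The ordering warning above, as an added example (not code from Crafter CMS): it models rule evaluation as first match in map order, an assumption taken from that warning, and needs spring-core on the classpath for AntPathMatcher. The names RestrictionOrderCheck, firstMatch and shadowed are hypothetical, and the maps are constructed samples.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added example (not Crafter code). Assumes rules are tried in map order, first match decides.
public class RestrictionOrderCheck {
    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // First pattern, in insertion order, that matches the URL; null when no rule applies.
    static String firstMatch(Map<String, String> rules, String url) {
        for (String pattern : rules.keySet()) {
            if (MATCHER.match(pattern, url)) return pattern;
        }
        return null;
    }

    // Heuristic lint: a rule is reported when an earlier pattern already matches its key.
    static List<String> shadowed(Map<String, String> rules) {
        List<String> findings = new ArrayList<>();
        List<String> earlier = new ArrayList<>();
        for (String pattern : rules.keySet()) {
            for (String prev : earlier) {
                if (MATCHER.match(prev, pattern)) {
                    findings.add(pattern + " is shadowed by " + prev);
                    break;
                }
            }
            earlier.add(pattern);
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, String> general = new LinkedHashMap<>(); // constructed: general rule first
        general.put("/**", "isAuthenticated()");
        general.put("/admin", "hasRole('admin')");
        System.out.println(shadowed(general));
        System.out.println("/admin -> " + general.get(firstMatch(general, "/admin")));
        Map<String, String> ordered = new LinkedHashMap<>(); // order used in the examples above
        ordered.put("/admin", "hasRole('admin')");
        ordered.put("/**", "isAuthenticated()");
        System.out.println(shadowed(ordered));
        for (String url : new String[] {"/admin", "/admin/users"}) {
            System.out.println(url + " -> " + ordered.get(firstMatch(ordered, url)));
        }
    }
}
```

With AntPathMatcher, `/admin` matches only that exact path, so `/admin/users` falls through to `/**`; a pattern such as `/admin/**` is needed to cover sub-paths.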
    • Field Detail

      • logger

        public static final org.slf4j.Logger logger
      • pathMatcher

        protected org.springframework.util.PathMatcher pathMatcher
      • urlRestrictions

        protected Map<String, org.springframework.expression.Expression> urlRestrictions
    • Constructor Detail

      • UrlAccessRestrictionCheckingProcessor

        public UrlAccessRestrictionCheckingProcessor()
        Default constructor. Creates AntPathMatcher as default path matcher.
    • Method Detail

      • setPathMatcher

        public void setPathMatcher(org.springframework.util.PathMatcher pathMatcher)
        Sets the path matcher to use to match the URLs for restriction checking.
      • setUrlRestrictions

        public void setUrlRestrictions(Map<String, String> restrictions)
        Sets the map of restrictions. Each key of the map is an ANT-style path pattern, used to match the URLs of incoming requests, and each value is a Spring EL expression.
      • getUrlRestrictions

        protected Map<String, org.springframework.expression.Expression> getUrlRestrictions()
      • processRequest

        public void processRequest(org.craftercms.commons.http.RequestContext context,
                                   RequestSecurityProcessorChain processorChain)
                            throws Exception
        Matches the request URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression and executed. If the expression returns true, the processor chain is continued; if not, an AccessDeniedException is thrown.
        Specified by:
        processRequest in interface RequestSecurityProcessor
        Parameters:
        context - the context which holds the current request and response
        processorChain - the processor chain, used to call the next processor
        Throws:
        Exception
      • getRequestUrl

        protected String getRequestUrl(javax.servlet.http.HttpServletRequest request)
        Returns the request URL without the context path.
      • isAccessAllowed

        protected boolean isAccessAllowed(javax.servlet.http.HttpServletRequest request,
                                          org.springframework.expression.Expression expression)
      • createExpressionRoot

        protected Object createExpressionRoot(javax.servlet.http.HttpServletRequest request)