Class UrlAccessRestrictionCheckingProcessor
java.lang.Object
org.craftercms.security.processors.impl.UrlAccessRestrictionCheckingProcessor
- All Implemented Interfaces:
RequestSecurityProcessor
public class UrlAccessRestrictionCheckingProcessor
extends Object
implements RequestSecurityProcessor
Processor that checks if the current user has permission to access the current request URL. To do this,
the processor matches the URL against the keys of the restriction
map, which are ANT-style path patterns.
If a key matches, the value is interpreted as a Spring EL expression and the expression is executed. If it returns
true, the processor chain is continued; if not, an AccessDeniedException
is thrown. The expression should be
one of these method calls that return a boolean:
- isAnonymous()
- isAuthenticated()
- hasRole('role')
- hasAnyRole({'role1', 'role2'})
- permitAll()
- denyAll()
Examples of user URL restrictions:
<entry key="/static-assets" value="permitAll()"/>
<entry key="/user" value="hasAnyRole({'user', 'admin'})"/>
<entry key="/admin" value="hasRole('admin')"/>
<entry key="/**" value="isAuthenticated()"/>
WARN: Remember to put the more general restrictions (like /**) at the end so they're matched last.
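The ordering warning above, as an added example that is not part of the Crafter code base: it models the lookup with Spring's AntPathMatcher over an insertion-ordered map. It assumes the processor stops at the first matching key, as the WARN implies; the class name, helper methods and sample URLs are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

// Added example (not Crafter code): models a first-match-wins lookup over an
// ordered restriction map. First-match-wins is an assumption drawn from the WARN.
public class UrlRestrictionOrderDemo {

    private static final PathMatcher MATCHER = new AntPathMatcher();

    /** Returns the expression of the first key matching the URL, or null if none matches. */
    static String firstMatch(Map<String, String> restrictions, String url) {
        for (Map.Entry<String, String> entry : restrictions.entrySet()) {
            if (MATCHER.match(entry.getKey(), url)) {
                return entry.getValue();
            }
        }
        return null;
    }

    /** Builds a map from alternating key/value arguments, keeping declaration order. */
    static Map<String, String> restrictions(String... keyValuePairs) {
        Map<String, String> map = new LinkedHashMap<>();
        for (int i = 0; i < keyValuePairs.length; i += 2) {
            map.put(keyValuePairs[i], keyValuePairs[i + 1]);
        }
        return map;
    }

    public static void main(String[] args) {
        // Specific patterns first, catch-all last; the "/**" suffix covers sub-paths.
        Map<String, String> ordered = restrictions(
            "/admin/**", "hasRole('admin')",
            "/**", "isAuthenticated()");
        // Catch-all first: it matches every URL, so the admin rule is never reached.
        Map<String, String> catchAllFirst = restrictions(
            "/**", "isAuthenticated()",
            "/admin/**", "hasRole('admin')");
        // Key without a wildcard: matches only the exact path "/admin".
        Map<String, String> exactKey = restrictions(
            "/admin", "hasRole('admin')",
            "/**", "isAuthenticated()");

        // Constructed sample URLs (context path already removed).
        for (String url : new String[] {"/admin", "/admin/users", "/user/profile"}) {
            System.out.printf("%-14s ordered=%s | catchAllFirst=%s | exactKey=%s%n", url,
                firstMatch(ordered, url), firstMatch(catchAllFirst, url), firstMatch(exactKey, url));
        }
    }
}
```

For /admin/users the exactKey map selects isAuthenticated() rather than hasRole('admin'), so a key meant to protect a whole subtree needs a /** suffix as well as a position ahead of the catch-all.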
- Author:
- Alfonso Vásquez
- See Also:
- AntPathMatcher
Field Summary
Fields (Modifier and Type, Field):
- static final org.slf4j.Logger logger
- protected org.springframework.util.PathMatcher pathMatcher
-
Constructor Summary
Constructors -
Method Summary
Methods (Modifier and Type, Method, Description):
- protected Object createExpressionRoot(javax.servlet.http.HttpServletRequest request)
- protected String getRequestUrl(javax.servlet.http.HttpServletRequest request): Returns the request URL without the context path.
- protected boolean isAccessAllowed(javax.servlet.http.HttpServletRequest request, org.springframework.expression.Expression expression)
- void processRequest(org.craftercms.commons.http.RequestContext context, RequestSecurityProcessorChain processorChain): Matches the request URL against the keys of the restriction map, which are ANT-style path patterns.
- void setPathMatcher(org.springframework.util.PathMatcher pathMatcher): Sets the path matcher to use to match the URLs for restriction checking.
- void setUrlRestrictions(Map<String, String> restrictions): Sets the map of restrictions.
-
Field Details
-
logger
public static final org.slf4j.Logger logger
pathMatcher
protected org.springframework.util.PathMatcher pathMatcher
urlRestrictions
-
-
Constructor Details
-
UrlAccessRestrictionCheckingProcessor
public UrlAccessRestrictionCheckingProcessor()
Default constructor. Creates AntPathMatcher as default path matcher.
-
-
Method Details
-
setPathMatcher
public void setPathMatcher(org.springframework.util.PathMatcher pathMatcher)
Sets the path matcher to use to match the URLs for restriction checking.
setUrlRestrictions
Sets the map of restrictions. Each key of the map is an ANT-style path pattern, used to match the URLs of incoming requests, and each value is a Spring EL expression.
getUrlRestrictions
-
processRequest
public void processRequest(org.craftercms.commons.http.RequestContext context, RequestSecurityProcessorChain processorChain) throws Exception
Matches the request URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression and the expression is executed. If it returns true, the processor chain is continued; if not, an AccessDeniedException is thrown.
- Specified by:
processRequest in interface RequestSecurityProcessor
- Parameters:
context - the context which holds the current request and response
processorChain - the processor chain, used to call the next processor
- Throws:
Exception
-
getRequestUrl
Returns the request URL without the context path. -
isAccessAllowed
protected boolean isAccessAllowed(javax.servlet.http.HttpServletRequest request, org.springframework.expression.Expression expression)
createExpressionRoot
-