In our project we’re mixing xml and annotations based spring mvc security configuration. We’ve got quite a few lot of roles, a lot of controlers and frequently changing requirements about who should be able to do what. I thought it would be nice to have util class which will generate permission matrix like this.
What I’ve done so far is wrote simple classpath scanner which looks for all classes marked with @Controller and extract values of @PreAuthorize. Naming convention for controllers is straightforward: {Action}{Type}Controller (eg. NewOrderController) so its easy to generate human(and by human I mean non-programmer) readable csv file.
The problem is classpath scanning for annotation doesn’t cover what we’ve got in xml config.
I was wondering if there is any other way to query metadata used for access resolution by spring mvc itself.
EDIT:
Example xml configuration (largely simplified):
<security:http pattern="/static/**" security="none" />
<security:http auto-config="false"
use-expressions="true"
entry-point-ref="entryPoint"
security-context-repository-ref="securityContextRepository">
<security:intercept-url pattern="/product/**" access="hasAnyRole('PRODUCT_USER')" />
<security:intercept-url pattern="/admin/**" access="hasAnyRole('ADMIN_USER')" />
<!-- No security configuration for /order/** -->
</security:http>
Example of annotation driven configuration:
@Controller
@RequestMapping("/order/new/{id}")
public class NewOrderController {
@Autowired
public NewOrderController() {
}
@RequestMapping(method = RequestMethod.GET)
@PreAuthorize("hasRole('ORDER_USER')")
public ModelAndView display() {
return new ModelAndView(/*...*/);
}
@RequestMapping(method = RequestMethod.POST)
@PreAuthorize("hasRole('ORDER_USER')")
public RedirectView process() {
return new RedirectView(/*...*/);
}
}
I suppose this answer will help you construct the solution to parse and load the meta data on URL interceptors in order to gather the configured roles.