Implementation of dynamic Role permissions in Spring security 2

The main body of the security framework consists of two parts, namely the right of inspection and authorization. Spring Security2 can be a good implementation of these two processes. The biggest improvement to the predecessor Acegi of Spring Security2 is that it provides custom configuration labels that define HTTP and Authentication-provider tags through the security namespace, and the benefits of this are greatly simplifying the configuration of the framework , and it hides the details of the implementation of the framework, and is clearer in the presentation of the configuration, and generally improves the usability of the framework.

However, the framework defaults to the configuration of permissions in XML, and because the new version hides the implementation details, the ability to expand on dynamic permissions becomes smaller. In the process of the right of inspection, there are not many problems encountered. However, when authorized, if it is acegi, people can inherit the Abstractfilterinvocationdefinitionsource class to achieve the role of the resource before authorization (i.e., resource role and user role matching). The new version is being consolidated with a new label, and the process is hidden by the default class implementation, including filters, resource acquisition, and role definitions, which are implemented by the framework, so many people are using spring Security2 to change Defaultfilterinvocationdefinitionsource the acquisition of resources to implement dynamic roles in a database or file. However, such changes are relatively high intrusion, but also retained the traces of acegi, but also violate the principle of opening and closing.

In fact, we can solve this problem by using the custom voting mechanism provided by spring Security2 Accessmanager, which does not affect the existing URL-based configuration, but also adds its own dynamic permission configuration.

Its implementation strategy is as follows:

1 Define class Dynamicrolevoter implement Accessdecisionvoter, inject the dynamic role of the class that implements the interface Dynamicroleprovider (used to define the method to get the role)

2 Returns True in two supports methods

3 in the vote method, there are three parameters (authentication authentication, Object object,

Configattributedefinition config) obtains the user's permission collection by the first, and the second gets the resource object, which is then matched by the Dynamicroleprovider fetch to the role collection.

4 Add Dynamicrolevoter to the configuration file as follows:

<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"&g t;
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.vote.RoleVoter" />
<beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
<beans:bean class="DynamicRoleVoter">
　　　 <beans:property name="dynamicRoleProvider">
　　　　　　　 <beans:ref local="dynamicRoleProvider"/>
</beans:property>
</beans:bean>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id=” dynamicRoleProvider” class=”…”>
　　　 ……
</beans:bean>