Spring Security - how can I define intercept-url dynamically using a database?

I have been working with Spring Security recently and I need to know how I can define intercept-url (in Spring Security) dynamically using a database.

I have searched the whole internet thoroughly and could not find a single (and, of course, useful) tutorial in this area.

So here is what I did:

First I implemented the abstract class FilterInvocationSecurityMetadataSource:

<pre><code>import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyFilterSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    // Called by FilterSecurityInterceptor to get the attributes required for the requested URL.
    public List<ConfigAttribute> getAttributes(Object object) {
        FilterInvocation fi = (FilterInvocation) object;
        String url = fi.getRequestUrl();
        return getAttributesByURL(url);
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    // Looks up the ACCESS values stored for the given URL in the URL_ACCESS table.
    public List<ConfigAttribute> getAttributesByURL(String inputUrl) {
        List<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>();
        String url = "jdbc:mysql://173.0.0.22:3306/";
        String dbName = "kheirkhahandb";
        String driverName = "com.mysql.jdbc.Driver";
        String userName = "kheirkhahan";
        String password = "kheirkhahan";
        // The request URL comes from the client, so it is bound as a parameter
        // instead of being concatenated into the SQL text.
        String selectquery = "select * from URL_ACCESS where URL = ?";
        try {
            Class.forName(driverName).newInstance();
            try (Connection connection = DriverManager.getConnection(url + dbName, userName, password);
                 PreparedStatement stmt = connection.prepareStatement(selectquery)) {
                stmt.setString(1, inputUrl);
                try (ResultSet rs = stmt.executeQuery()) {
                    while (rs.next()) {
                        MyConfigAttribute temp = new MyConfigAttribute();
                        temp.setAttr(rs.getString("ACCESS"));
                        attributes.add(temp);
                    }
                }
            } catch (SQLException s) {
                System.out.println(s);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return attributes;
    }
}
</code></pre>


and I configured my security.xml as:

<pre><code><!-- The opening <beans ...> element and its namespace declarations are not shown in the post. -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/css/**" filters="none" />
        <sec:filter-chain pattern="/images/**" filters="none" />
        <sec:filter-chain pattern="/login.jsp*" filters="none" />
        <sec:filter-chain pattern="/**"
            filters="
                securityContextPersistenceFilter,
                logoutFilter,
                authenticationProcessingFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
    </sec:filter-chain-map>
</bean>

<bean id="securityContextPersistenceFilter"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</bean>

<bean id="exceptionTranslationFilter"
      class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
</bean>

<bean id="authenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp?error=entryPoint" />
</bean>

<bean id="accessDeniedHandler"
      class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/login.jsp?error=access_denied" />
</bean>

<bean id="authenticationProcessingFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="filterSecurityInterceptor"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" />
</bean>

<bean id="myFilterInvocationSecurityMetadataSource"
      class="com.datx.dao.MyFilterSecurityMetadataSource">
</bean>

<bean id="logoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/login.jsp?error=logout" />
    <constructor-arg ref="logoutHandler">
    </constructor-arg>
</bean>

<bean id="logoutHandler"
      class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"></bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider>
        <sec:jdbc-user-service data-source-ref="dataSource"
            group-authorities-by-username-query="
                SELECT acg.ID, acg.GROUP_NAME, a.AUTHORITY_NAME AS AUTHORITY
                FROM ACCESS_GROUPS acg, ACCESS_GROUP_MEMBERSHIP agm, GROUP_AUTHORITIES ga, AUTHORITIES a
                WHERE agm.USERNAME = ? and acg.ID = ga.GROUP_ID and acg.ID = agm.GROUP_ID and ga.AUTHORITY_ID = a.ID
            "
            users-by-username-query="SELECT USERNAME,PASSWORD,IS_ACTIVE FROM USER where USERNAME = ?"
            authorities-by-username-query="
                SELECT ua.USERNAME, a.AUTHORITY_NAME AS AUTHORITY
                FROM USER_AUTHORITIES ua, AUTHORITIES a
                WHERE ua.USERNAME = ? and ua.AUTHORITY_ID = a.ID
            " />
    </sec:authentication-provider>
</sec:authentication-manager>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <ref bean="roleVoter" />
        </list>
    </property>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <property name="rolePrefix" value="" />
    <constructor-arg ref="roleHierarchy" />
</bean>

<bean id="roleHierarchy" class="com.datx.dao.MyRoleHierarchyImpl">
    <property name="roleHierarchyEntryDaoJdbc" ref="RoleHierarchyEntryDaoJdbc" />
</bean>

</beans>
</code></pre>


There are some problems that I can't figure out:
1. I inserted some pairs like <"URL", "ROLE"> into the URL_ACCESS database. But I'm not sure whether the getAttributes method is working well or not.
2. Do I need to implement all of those filters that I used in

3. I am getting an exception when a user uses a wrong username/password or tries to access pages that are not allowed, instead of being redirected to login.jsp. Why is that?

Thanks in advance.
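
One way to serve URL-to-authority rules from the `URL_ACCESS` table, as an added example that is not part of the original post: it reads the rules through the `dataSource` bean the configuration already references, matches them against the request path without its query string, and returns an explicit deny attribute for unmapped URLs instead of relying on how the interceptor handles an empty list. The class name, the `DENY_ALL` authority, the `reload()` method and the use of Ant patterns in the `URL` column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

public class DbUrlMetadataSource implements FilterInvocationSecurityMetadataSource {
    private static final String DENY_ALL = "DENY_ALL"; // assumed: an authority granted to no user
    private final DataSource dataSource;               // injected pool, no credentials in code
    private final AntPathMatcher matcher = new AntPathMatcher();
    private volatile List<String[]> rules = new ArrayList<String[]>(); // {pattern, authority}

    public DbUrlMetadataSource(DataSource dataSource) throws SQLException {
        this.dataSource = dataSource;
        reload();
    }

    // Call again after URL_ACCESS is edited; request handling itself never queries the database.
    public void reload() throws SQLException {
        List<String[]> fresh = new ArrayList<String[]>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("select URL, ACCESS from URL_ACCESS");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) fresh.add(new String[] { rs.getString("URL"), rs.getString("ACCESS") });
        }
        rules = fresh; // swap only after a complete read
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        String path = ((FilterInvocation) object).getRequestUrl();
        int q = path.indexOf('?');
        if (q >= 0) path = path.substring(0, q); // getRequestUrl() includes the query string
        List<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
        for (String[] rule : rules)
            if (matcher.match(rule[0], path)) attrs.add(new SecurityConfig(rule[1]));
        if (attrs.isEmpty()) attrs.add(new SecurityConfig(DENY_ALL)); // no rule matched: fail closed
        return attrs;
    }
    public Collection<ConfigAttribute> getAllConfigAttributes() { return null; }
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

With the `roleVoter` configured above (empty `rolePrefix`), the voter treats `DENY_ALL` like any other authority name and votes to deny unless the user actually holds it.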
