添加链接
link管理
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

see spring-projects/spring-boot#3317
see #2672
see https://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/faq.html#faq-dynamic-url-metadata

Please provide an "easy" way, to provide a custom org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource
when using Java configuration.

We're currently trying to migrate an old Spring application to Spring Security 5.1.5. In this process we'd like to migrate the current xml-based configuration to a WebSecurityConfigurerAdapter subclass.

The urls handled by the appication represent Objects in a remote storage which has its own ACL system. Therefore we implemented our own FilterInvocationSecurityMetadataSource which queries the remote storage for the correct access restrictions for each object/url.

Ideally we'd like to do something like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().securityMetadataSource(myCustomMetadataSource);

Another option I looked into is using a custom AbstractInterceptUrlConfigurer in order to override its createMetadataSource() method, but the class is package-private and its public subclasses are final.

.authorizeRequests()
	.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
		@Override
		public FilterSecurityInterceptor postProcess(FilterSecurityInterceptor filter) {
			filter.setSecurityMetadataSource(createMetadataSource());
			return filter;
  status: feedback-reminder
  We've sent a reminder that we need additional information before we can continue
 label
    Jul 10, 2019