Package org.craftercms.security.processors.impl

Class UrlAccessRestrictionCheckingProcessor

java.lang.Object
org.craftercms.security.processors.impl.UrlAccessRestrictionCheckingProcessor
All Implemented Interfaces:
RequestSecurityProcessor
public class UrlAccessRestrictionCheckingProcessor extends Object implements RequestSecurityProcessor

Processor that checks if the current user has permission to access the current request URL. To do this, the processor matches the URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression, the expression is executed, and if it returns true, the processor chain is continued, if not an AccessDeniedException is thrown. The expression should be one of this method calls that return a boolean:

  1. isAnonymous()
  2. isAuthenticated()
  3. hasRole('role'})
  4. hasAnyRole({'role1', 'role2'})
  5. permitAll()
  6. denyAll()

Examples of user URL restrictions:

 <entry key="/static-assets" value="permitAll()"/>
 <entry key="/user" value="hasAnyRole({'user', 'admin'})"/>
 <entry key="/admin" value="hasRole('admin')"/>
 <entry key="/**" value="isAuthenticated()"/>
WARN: Remember to put the more general restrictions (like /**) at the end so they're matched last.
Author:
Alfonso Vásquez
See Also:
  • AntPathMatcher

  • Field Details

    • logger

      public static final org.slf4j.Logger logger

    • pathMatcher

      protected org.springframework.util.PathMatcher pathMatcher

    • urlRestrictions

      protected Map<String,org.springframework.expression.Expression> urlRestrictions

  • Constructor Details

    • UrlAccessRestrictionCheckingProcessor

      public UrlAccessRestrictionCheckingProcessor(Map<String,String> restrictions)
      Default constructor. Creates AntPathMatcher as default path matcher.

  • Method Details

    • setPathMatcher

      public void setPathMatcher(org.springframework.util.PathMatcher pathMatcher)
      Sets the path matcher to use to match the URLs for restriction checking.

    • getUrlRestrictions

      protected Map<String,org.springframework.expression.Expression> getUrlRestrictions()

    • processRequest

      public void processRequest(org.craftercms.commons.http.RequestContext context, RequestSecurityProcessorChain processorChain) throws Exception
      Matches the request URL against the keys of the restriction map, which are ANT-style path patterns. If a key matches, the value is interpreted as a Spring EL expression, the expression is executed, and if it returns true, the processor chain is continued, if not an AccessDeniedException is thrown.
      Specified by:
      processRequest in interface RequestSecurityProcessor
      Parameters:
      context - the context which holds the current request and response
      processorChain - the processor chain, used to call the next processor
      Throws:
      Exception

    • getRequestUrl

      protected String getRequestUrl(jakarta.servlet.http.HttpServletRequest request)
      Returns the request URL without the context path.

    • isAccessAllowed

      protected boolean isAccessAllowed(jakarta.servlet.http.HttpServletRequest request, org.springframework.expression.Expression expression)

    • createExpressionRoot

      protected Object createExpressionRoot(jakarta.servlet.http.HttpServletRequest request)