{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 趁早两清 的问题《Is it possible to check permissions on a Spring Co》','https://www.manongdao.com/q-948842.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
The JS client of my REST API wants to know, is a query to a certain URL permitted or not. Permissions are configured on the controller methods using the standard annotations:
@Controller
@RequestMapping("/books")
public class BooksController {
@RequestMapping("read")
@Secured("ROLE_READER")
public ModelAndView read(int id) { ... }
@RequestMapping("write")
@Secured("ROLE_WRITER")
public ModelAndView write(int id, String contents) { ... }
}
@Controller
@RequestMapping("/util")
public class UtilController {
@RequestMapping("check")
public String check(String url) {
//if url is "/books/read" and isUserInRole("ROLE_READER")
//or url is "/books/write" and isUserInRole("ROLE_WRITER")
//return "true", otherwise "false"
}
}
For read-only methods it would be possible to program the JS client to try and access a URL itself, ignore the result and look only on the status (200 or 403-Forbidden). It's not best performance-wise, but at least correct functionally. But for the write method I see no way to work around. Hope there is a sane solution for this problem.
P.S. Thanks to @Bogdan for the solution. This is the full text of the method I need:
@Autowired
WebInvocationPrivilegeEvaluator evaluator;
@RequestMapping("/check")
public String check(String url, Authentication authentication) {
return Boolean.toString(evaluator.isAllowed(url, authentication));
}
For the
UtilControlleryou posted you could go with something like a WebInvocationPrivilegeEvaluator, maybe also have a look at how the authorize tag works.Additionally, depending on what you are doing, something like this could also work:
You can then check the status code for calling the new methods.