Creating New Roles and Permissions Dynamically in Spring Security 3

I am using Spring Security 3 in Struts 2 + Spring IOC project.

I have used Custom Filter, Authentication Provider etc. in my Project.

You can see my security.xml here

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns=""

<global-method-security pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler" />

<beans:bean id="expressionHandler"
        class="" >
    <beans:property name="permissionEvaluator" ref="customPermissionEvaluator" />

<beans:bean class="code.permission.MyCustomPermissionEvaluator" id="customPermissionEvaluator" />

<!-- User Login -->

  <http auto-config="true" use-expressions="true" pattern="/user/*" >
<intercept-url pattern="/index.jsp" access="permitAll"/>
<intercept-url pattern="/user/showLoginPage.action" access="permitAll"/>
<intercept-url pattern="/user/showFirstPage" access="hasRole('ROLE_USER') or hasRole('ROLE_VISIT')"/>
<intercept-url pattern="/user/showSecondUserPage" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/user/showThirdUserPage" access="hasRole('ROLE_VISIT')"/>
<intercept-url pattern="/user/showFirstPage" access="hasRole('ROLE_USER') or hasRole('ROLE_VISIT')"/>
<form-login login-page="/user/showLoginPage.action" />
<logout invalidate-session="true"
<access-denied-handler ref="myAccessDeniedHandler" />

  <custom-filter before="FORM_LOGIN_FILTER" ref="myApplicationFilter"/>

    <beans:bean id="myAccessDeniedHandler" class="" />

    <beans:bean id="myApplicationFilter" class="">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>

    <beans:bean id="successHandler"
      <beans:property name="defaultTargetUrl" value="/user/showFirstPage">   </beans:property>

     <beans:bean id="failureHandler"
      <beans:property name="defaultFailureUrl" value="/user/showLoginPage.action?login_error=1"/>

    <beans:bean id= "myUserDetailServiceImpl" class="">

     <beans:bean id="myAuthenticationProvider" class="">
        <beans:property name="userDetailsService" ref="myUserDetailServiceImpl"/>


 <!-- User Login Ends -->

 <!-- Admin Login -->

    <http auto-config="true" use-expressions="true" pattern="/admin/*" >
    <intercept-url pattern="/index.jsp" access="permitAll"/>
    <intercept-url pattern="/admin/showSecondLogin" access="permitAll"/>
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
    <form-login login-page="/admin/showSecondLogin"/>
    <logout invalidate-session="true"

    <access-denied-handler ref="myAccessDeniedHandlerForAdmin" />
    <custom-filter before="FORM_LOGIN_FILTER" ref="myApplicationFilterForAdmin"/> 

<beans:bean id="myAccessDeniedHandlerForAdmin" class="" />

  <beans:bean id="myApplicationFilterForAdmin" class="">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandlerForAdmin"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandlerForAdmin"/>

    <beans:bean id="successHandlerForAdmin"

    <beans:bean id="failureHandlerForAdmin"
       <beans:property name="defaultFailureUrl" value="/admin/showSecondLogin?login_error=1"/>

        <authentication-manager alias="authenticationManager">
    <authentication-provider ref="myAuthenticationProviderForAdmin" />
    <authentication-provider ref="myAuthenticationProvider" />

<beans:bean id="myAuthenticationProviderForAdmin" class="">
    <beans:property name="userDetailsService" ref="userDetailsServiceForAdmin"/>

<beans:bean id= "userDetailsServiceForAdmin" class="">

 <!-- Admin Login Ends -->

<beans:bean id="messageSource"
    <beans:property name="basenames">

Uptill now you can see, url-pattern I have mentioned is hard coded. I wanted to know if there is a way to create new ROLES and PERMISSIONS dynamically, not hard coded.

Like creating new roles and permissions and saving them to database and then accessing from database. I have searched on net, but I am not able to find out how to add new entries to code.


So this are at least two question:

  • How to make the granted authorities/privileges/Roles dynamic?
  • How to make the access restriction for the URLs dynamic?
1) How to make the granted authorities/privileges/Roles dynamic?

I will not answer this in great detail, because I belive this theme was discusses often enough.

The easiest way would be to store the complete user information: login, password and roles in a database (3 Tables: User, Roles, User2Roles) and use the JdbcDetailService. You can configure the two SQL Statements (for authentication and for granding the roles) very nicely in the xml.

But then the user needs to logout and login to get this new Roles. If this is not acceptable, you must also manipulate the Roles of the current logged in user. They are stored in the users session. I guess the easiest way to do that is to add a filter in the spring security filter chain that updates the Roles for every request, if they needs to be changed.

2) How to make the access restriction for the URLs dynamic?

Here you have at last two ways:

  • Hacking into the FilterSecurityInterceptor and updating the securityMetadataSource, the needed Roles should be stored there. At least you must manipulate the output of the method DefaultFilterInvocationSecurityMetadataSource#lookupAttributes(String url, String method)
  • The other way would be using other expressions for the access attribute instead of access="hasRole('ROLE_USER')". Example: access="isAllowdForUserPages1To3". Of course you must create that method. This is called a "custom SpEL expression handler" (If you have the Spring Security 3 Book it's around page 210. Wish they had chapter numbers!). So what you need to do now is to subclass WebSecurityExpressionRoot and introduce a new method isAllowdForUserPages1To3. Then you need to subclass DefaultWebSecurityExpressionHandler and modify the createEvaluationContext method so that its first request StandartEvaluationContext calls super (you need to cast the result to StandartEvaluationContext). Then, replace the rootObject in the StandartEvaluationContext using your new CustomWebSecurityExpressionRoot implementation. That's the hard part! Then, you need to replace the expressionHanlder attribute of the expressionVoter (WebExpressionVoter) in the xml configuration with your new subclassed DefaultWebSecurityExpressionHandler. (This sucks because you first need to write a lot of security configuration explicity as you can't access them directly from the security namespace.)

Need Your Help

Windows console - BAT compatibility

windows batch-file ffmpeg command-prompt windows-console

I have a command line statement which works perfectly when manually typing it into the console, however, when I put it in a bat file it doesn't work.

What's the right memory management pattern for buffer->CGImageRef->UIImage?

iphone uiimage core-graphics quartz-2d core-foundation

I have a function that takes some bitmap data and returns a UIImage * from it. It looks something like so:

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.