I wish to implement dynamically changeable menu (updating whenever annotated method or controller added) for my Spring MVC application.
What i want is to introduce new annotation (#RequestMenuMapping) which will go to #Controller beans and their methods (just like #RequestMapping works).
Heres is what i want, User class, producing menu like
Users
Index | List | Signup | Login
with following code:
#Controller
#RequestMapping("user")
#RequestMenuMapping("Users")
public class User {
#RequestMapping("")
#RequestMenuMapping("Index")
public String index(/* no model here - just show almost static page (yet with JSP checks for authority)*/) {
return "user/index.tile";
}
#RequestMapping("list")
#RequestMenuMapping("List")
public String list(Model model) {
model.addAttribute("userList",/* get userlist from DAO/Service */);
return "user/list.tile";
}
#RequestMapping("signup")
#RequestMenuMapping("Signup")
public String signup(Model model) {
model.addAttribute("user",/* create new UserModel instance to be populated by user via html form */);
return "user/signup.tile";
}
#RequestMapping("login")
#RequestMenuMapping("Login")
public String login(Model model) {
model.addAttribute("userCreds",/* create new UserCreds instance to be populated via html form with login and pssword*/);
return "user/login.tile";
}
}
I think that Spring AOP may help me to pointcut methods with #RequestMenuMapping annotation and via #AfterReturning add something representing web-site menu to model.
But this raises two questions:
How do i get Model instance in #AfterReturning advice method in case it is missing in adviced method (as in .index())?
How do i get all methods (as in java reflection Method) and classes (as in java reflection Class) annotated with #RequestMenuMapping in order to build complete menu index?
I think a better soultion would be a bean post processor to scan all controller classes for the #RequestMenuMapping and a HandlerInterceptor to add the menu items to every model map.
InterceptorDemo:
#Aspect
#Component
public class InterceptorDemo {
#Pointcut("#annotation(org.springframework.web.bind.annotation.RequestMapping)")
public void requestMapping() {
}
#Pointcut("#annotation(you.package.RequestMenuMapping)")
public void requestMenuMapping() {
}
#AfterReturning("requestMapping() && equestMenuMapping()")
public void checkServer(JoinPoint joinPoint,Object returnObj) throws Throwable {
Object[] args = joinPoint.getArgs();
Model m = (Model)args[0];
// use joinPoint get class or methd...
}
}
If you want to intercept Contoller with you own, you can wirte another pointcut and ProceedingJoinPoint object can get what you want.
Q1:
ModelAndView object create at org.springframework.web.servlet.DispatcherServlet.doDispatch()
// Actually invoke the handler.
mv = ha.handle(processedRequest, response, mappedHandler.getHandler());
// Do we need view name translation?
if (mv != null && !mv.hasView()) {
mv.setViewName(getDefaultViewName(request));
}
So, you can intercept handle method after returing or override the method.
Q2:As far as i know, there are two ways getting annotation methods.
1.Use AOP:
You can declare a pointcut like this:
#Pointcut("#annotation(you.package.RequestMenuMapping)")
public void requestMenuMappingPountcut() {
}
2.Use reflection.
Class clazz = Class.forName(classStr);
Method[] methods = clazz.getDeclaredMethods();
for (Method method : methods) {
if (method.isAnnotationPresent(RequestMapping.class)
&& method.isAnnotationPresent(RequestMenuMapping.class)) {
// do something
}
}
Related
I know you can get a username easily in a Spring controller by including Principal as a method argument like:
#GetMapping("/username")
#ResponseBody
public String currentUserName(Principal principal) {
return principal.getName();
}
But I am ultimately going to want access to members of a MyCustomUser class that I instantiate from a repository with a findBy method. I can put a helper method in the Controller to do the lookup and return the user based on principal.getName(), but can I go a step further and bind to MyCustomUser directly, like
#GetMapping("/stuff")
#ResponseBody
public String stuff(MyCustomUser user) {
return user.thing();
}
I was looking into creating a converter like (Ref):
#Component
public class PrincipalToMyCustomUserConverter implements Converter<Principal, MyCustomUser> {
private MyCustomUserRepository userRepository;
public PrincipalToApplicationUserConverter(MyCustomUserRepository userRepository) {
this.userRepository = userRepository;
}
#Override
public MyCustomUser convert(Principal source) {
return this.userRepository.findByUsername(source.getName());
}
}
But I don't know if that's an appropriate way to grab the repository, and I don't know how to pass the repository when registering the converter (Ref).
You're correct in that the converter you're proposing is not appropriate. Your converter can convert from an object of type Principal to an object of type MyCustomUser, however, there is no *Principal* by which to convert. The magic behind the principal injection is that Spring actually gets this from the SecurityContextHolder, it is not deserialized from request...though fields present in the request allow Spring to create the Principal. If you truly want to inject MyCustomUser, use a ModelAttribute. ModelAttributes are available to all of your Spring controller methods.
I generally like to keep stuff like this in it's own class, so I would define a class that held this and other #ControllerAdvice in one place, something like this:
#ControllerAdvice
public class SomeControllerAdvice {
#Autowired
private MyCustomUserRepository myCustomUserRepository;
#ModelAttribute
public MyCustomUser getUser(Principal principal) {
return myCustomUserRepository.findByUsername(principal.getName());
}
}
The above should suffice to make MyCustomUser available to all methods. I would note that you probably want a little error handling here, like skip over if principal is null and whatnot, also have your findByUsername method return an Optional so your can address empty returns.
see:
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/ModelAttribute.html
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/ControllerAdvice.html
In our web application we have a lot of REST services. Suddenly it found out that we need to modify one object inside of each request before we go on.
So let's say we have n different controllers with REST services. In each controller, before we call the service from next layer, we need to modify an object inside the request.
The question is how to achieve this without providing hundreds of changes inside the controllers... Is there any simple way to do this?
UPDATE:
#RestController
public class OrderController {
#Autowired
private OrderService orderService;
#RequestMapping(path = "/order", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
public OrderResponse getOrderData(#RequestHeader HttpHeaders httpHeaders,
#RequestBody OrderDataRequest orderDataRequest) {
// Use here interceptor to modify the object Details
// (inside OrderDataRequest) before below call:
OrderResponse resp = orderService.getOrderData(orderDataRequest);
return resp;
}
#RequestMapping(path = "/cancel/{orderId}", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
public boolean cancelOrder(#RequestHeader HttpHeaders httpHeaders,
#RequestBody Details details, #PathVariable Integer orderId) {
// Use here interceptor to modify object Details before below call:
return orderService.cancelOrder(details, orderId);
}
}
In each controller I need to modift the object Details, which as you can see could be inside another object like in the first example or exist alone like in the second option.
You can use Spring AOP to achieve this. Another option using traditional Filters.
You should consider writing an interceptor, that would allow you to do what you want .
You could also use AOP to do this.. though, I think it's quite over-complicated, especially when such a solution already exists through interceptors!
EDIT :
A few other links :
EDIT 2 :
Follow the "before advice" from mykong.com example, then go that way to edit your specific object according to its class (for exemple) :
package com.your.company;
import java.lang.reflect.Method;
import org.springframework.aop.MethodBeforeAdvice;
public class HijackBeforeMethod implements MethodBeforeAdvice
{
#Override
public void before(Method method, Object[] args, Object target)
throws Throwable {
for(Object arg : args) {
if(com.your.company.OrderDataRequest.class.isAssignableFrom(arg.getClass())) {
// update you object here
}
}
}
}
- Get response body
- Json To Java
I want to allow only a specific user to access their modification page.
For example, I want user 3 to be the only one to able access the url : /user/3/edit
For this, I have put in my SecurityConfiguration.java :
.authorizeRequests()
.antMatchers("/user/{id}/edit").access("#MyClass.checkId(#id)");
MyClass.java is the following:
#Component
public class MyClass{
public boolean checkId(Long id) {
if(id == SecurityUtils.getCurrentUserId()){ //I have this configured and working
return true;
}
return false;
}
}
Yet when go to the following url: user/4/edit logged in as user 3 (these are examples), I cannot seem to enter the checkId method, and nothing happens, and my page loads with everything in it.
Do you have any idea? Is antMatchers.access() the way to go?
Thank you for your time!
You'll need to subclass two classes.
First, set a new method expression handler
<global-method-security>
<expression-handler ref="myMethodSecurityExpressionHandler"/>
</global-method-security>
myMethodSecurityExpressionHandler will be a subclass of DefaultMethodSecurityExpressionHandler which overrides createEvaluationContext(), setting a subclass of MethodSecurityExpressionRoot on the MethodSecurityEvaluationContext.
For example:
#Override
public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(auth, mi, parameterNameDiscoverer);
MethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(auth);
root.setTrustResolver(trustResolver);
root.setPermissionEvaluator(permissionEvaluator);
root.setRoleHierarchy(roleHierarchy);
ctx.setRootObject(root);
return ctx;
}
There is another solution and it can be accomplish in a very elegant way using Expression-Based Access Control, for this case you can use the #PreAuthorize annotation and inside it validate the principal user id. For example:
#PreAuthorize("#id == principal.userNumber")
#RequestMapping(method = RequestMethod.POST, value = "/user/{id}/edit")
public void userUpdate(Long id){ .. }
Please just make sure that the implementation of the UserDetails interface has the userNumber property.
You can see more information about Expression-Based Access Control
Another approach is to inject the Principal object into the Request handler method like this:
#RequestMapping(method = RequestMethod.POST, value = "/user/{id}/edit")
public void userUpdate(Long id, Principal myPrincipal){
MyUserDetails user = (MyUserDetails) myPrincipal;
if (user.getUserNumber == id) { ... }
....
}
I am currently using Play 2.3 and I have to deal with similar URL mappings:
GET /api/companyId/employeeId/tasks
GET /api/companyId/employeeId/timesheets
etc.
In every GET I need to perform similar logic:
public Promise<Result> getEmployeeTimesheets(Long companyId, Long employeeId) {
return promise(() -> {
if (!companyRepository.one(companyId).isPresent()) {
return notFound("Company doesn't exist");
}
if (!employeeRepository.one(employeeId).isPresent()) {
return notFound("Employee doesn't exist");
}
if (!employeeRepository.employeeWorksForCompany(companyId, employeeId)) {
return forbidden("Employee doesn't work for this company");
}
// some actual logic here
});
}
This code repeats over and over again. So far I used plain old inheritance and moved that repeating code into the parent controller class. It gets the job done, but it certainly isn't perfect solution (because I have to invoke parent method and inspect results manually in every controller action).
Is there some more declarative approach in Play that would automatically handle fragment of URL (/api/companyId/employeeId in our case) and either delegate the execution to an appropriate controller, or return an error response (for example 404 - Not Found).
You said you are calling the method again and again in each controller function instead you can use #With annotation.For ex
create a class CheckUrl.java
public class CheckUrl extends play.mvc.Action.Simple {
public F.Promise<SimpleResult> call(Http.Context ctx) throws Throwable {
String host = request().uri();
if (condition one satisfied) {
return F.Promise.pure(redirect("/someurl"));
}else if (condition two satisfied){
return F.Promise.pure(redirect(controllers.routes.SomeController.index()));
}
}
Place #With(CheckUrl.class) in class to apply to all its function.
#With(CheckUrl.class)
public class MyController extends Controller {
}
and for a particular function
public class MyController extends Controller {
#With(CheckUrl.class)
public static Result index() {
}
}
In the above cases CheckUrl.java is invoked before function in a controller
I am using the Struts2 framework and have the following method in a POJO class.
public String execute() {
setUserPrincipal();
//do something
someMethod(getUserPrincipal().getLoggedInUserId());
return SUCCESS;
}
the setUserPrincipal() method looks like this
public void setUserPrincipal() {
this.principal = (UserPrincipal) getServletRequest().getSession().getAttribute("principal");
}
Basically it is simply taking a session attribute named "principal" and setting it so that I can find out who the logged in user is. The call to setUserPrincipal() to do this is quite common in most of my POJOs and it also becomes a hassle when testing the method because I have to set a session attribute.
Is there a way to automatically inject the session attribute into the POJO either using Spring or something else?
I've only used Struts2 a bit, but they have an interceptor stack that you can tie to particular actions. You can create your own interceptor that injects the session variable.
public interface UserAware
{
void setUserPrincipal(String principal);
}
// Make your actions implement UserAware
public class MyInterceptor implements Interceptor
{
public String intercept(ActionInvocation inv) throws Exception
{
UserAware action = (UserAware) inv.getAction();
String principal = inv.getInvocationContext().getSession().get("principal");
action.setUserPrincipal(principal);
return inv.invoke();
}
}
Like I said, not much Struts2 experience so this is untested but I think the idea is there.
Don't know about injecting the session, but maybe having a piece of AOP code that sets principal before execute.
Here's some documentation:
http://static.springsource.org/spring/docs/2.5.x/reference/aop.html