SEC-2452: obtainSecurityMetadataSource from database

[spring-projects-issues]

zhangyuan (Migrated from SEC-2452) said:

Thank you for your great work , guys.
In our system, different users have different roles, different roles have different authorities, that is common, ritht?
The problem is before our system is start up, our programers have no idea which role have which kind of authorities, for example, they donn't konw '/produdt/insert.action' belongs to 'insert' role, so they cann't write this authorities code in our system. this should be done be a administrator in a web page, add a RequestMatcher and ConfigAttribute or some kind of that stuff in the web page, when the user login in the page, query the obtainSecurityMetadataSource from database each time or form the cache, that is what I'm looking for.
But in version like 3.2.0 or below, it is hard to extend some spring security classes to do the right thing, I have to write a lot of code by myself. I'm wondering is there any chances you guys can make a nicer interfate for me to extend?
Thank you.

[spring-projects-issues]

Rob Winch said:

There is already an interface to extend. See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-dynamic-url-metadata

[spring-projects-issues]

zhangyuan said:

Thank you.
Yes. I know this kind of stuff can work. But still, there are a lot of things have to be done, like write a single filter and write a single class to implement FilterInvocationSecurityMetadataSource to get the attributes. Problems is I think there are so many people out there have the same needs like me, they will have to do the same work like me, right? Even myself have to do the same work in a different project, like copy the classes I write before to our new porject or something like that. All I want is you guys can add a simeple interface or a simple function in the core framework, like add jdbcAuthentication function in the AuthenticationManagerBuilder. So I can obtainSecurityMetadataSource from database in a easy way.
Again, Thank you.

[spring-projects-issues]

Rob Winch said:

As explained on the FAQ it is generally not recommended practice to do this so I doubt it will be included in the distribution. Of course if there was a well formed Pull Request the odds would go up slightly :)