I hope I'll be able to explain this properly. I'm developing a portlet for Liferay by using Spring. It's a pinboard system. So I have a view (Jsp) which shows the detail of a certain pinboard entry, given its id. Furthermore there is a link which goes to an AddCommentController for adding a new comment to the pinboard entry the user is currently watching at. The AddCommentController extends Spring's SimpleFormController and has also a validator attached to it:
<bean id="addCommentController" class="com.lifepin.controllers.AddCommentController" parent="lifePinControllerTemplate">
<property name="formView" value="addComment" />
<property name="successView" value="viewEntryDetail" />
<property name="validator" ref="commentValidator"/>
</bean>
The validator is really simple and looks as follows:
public class CommentValidator implements Validator {
public boolean supports(Class clazz) {
return clazz.equals(Comment.class);
}
public void validate(Object obj, Errors validationError) {
ValidationUtils.rejectIfEmptyOrWhitespace(validationError, "content", "err.content.empty", "This value is required");
}
}
Now the view where the user can enter his comment has two buttons, Save and cancel. Here are the two generators for the according urls.
<portlet:actionURL var="actionUrl">
<portlet:param name="action" value="addComment"/>
<portlet:param name="pinboardEntryId" value="${param.pinboardEntryId}"/>
</portlet:actionURL>
<portlet:renderURL var="cancelUrl">
<portlet:param name="action" value="viewPinboardEntry"/>
<portlet:param name="pinboardEntryId" value="${param.pinboardEntryId}"/>
</portlet:renderURL>
In the onSubmitAction of the AddCommentController I read out the parameter (see the 1st actionURL above) and pass it to the ActionResponse s.t. in the detail view of the pinboard entry I can again load the entry and display it.
public class AddCommentController extends SimpleFormController{
...
#Override
protected void onSubmitAction(ActionRequest request, ActionResponse response, Object command, BindException bindException)
throws Exception {
long pinboardEntryId = PortletRequestUtils.getLongParameter(request, ParameterNameConstants.PINBOARDENTRY_ID, -1);
...
}
...
}
This all works fine, except when a validation error occurs. In that case I loose the "pinboardEntryId" parameter from the URL, and I don't have any way to read that parameter in the CommentValidator to pass it to the response again since I don't have any PortletRequest or response.
For now I solved this problem by storing the id on the session and by retrieving it from there. I wanted to ask however if some of you has an alternative solution without having to use the session. I'm quite sure there is one.
Thanks,
Juri
An even easier solution is to set the renderParameters property. The renderParameters property is an array of parameter names that SimpleFormController will always forward. For example:
<bean id="addCommentController" class="...">
....
<property name="renderParameters">
<list>
<value>pinboardEntryId</value>
</list>
</property>
</bean>
This will cause the 'pinboardEntryId' parameter to be passed every time without any additional code.
On validation errors showForm(..) gets called again. You could overwrite this method and manipulate Request and Response as you like.
I first tried the showForm(..) approach suggested by Oliver Gierke (thanks for the feedback) but that didn't work out as expected. The showForm(..) wants to return a new ModelAndView which I don't want to care since that should be done by the onSubmitAction(...).
The right approach is to override the
#Override
protected void processFormSubmission(ActionRequest request, ActionResponse response, Object command, BindException errors){
...
}
There, all the needed information is available. I can check now the BindingException whether there have been validation errors by using errors.hasErrors(). If that's the case, I can read the needed parameters and forward them to the response to have them on the form again. Otherwise I just call the onSubmitAction(..), passing the needed parameters such as the request, reponse etc.. which I have available in the processFormSubmission.
Related
How do you parse spring (web) security expressions like hasRole('admin') programmatically (without using tags, annotations or ...)? (reference doc)
I've found Spring: What parser to use to parse security expressions - but I don't know how to find or build the EvaluationContext e.g. inside a spring controller.
Without providing an EvaluationContext gives
org.springframework.expression.spel.SpelEvaluationException: EL1011E:(pos 0): Method call: Attempted to call method hasRole(java.lang.String) on null context object
you need to add several things in order to get this thing working. You have to plug into the Spring's security API. Here's how I did it and it is working fine with Spring 3.2.
First as it was stated before you must have similar configuration in your spring-context.xml:
<security:http access-decision-manager-ref="customAccessDecisionManagerBean">
<security:http/>
<bean id="customWebSecurityExpressionHandler"
class="com.boyan.security.CustomWebSecurityExpressionHandler"/>
<bean id="customAccessDecisionManagerBean"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
</bean>
</list>
</property>
</bean>
This defines a new expressionHandler to override the default one for the WebExpressionVoter. Then we add this new decision voter to the decision manager. CustomWebSecurityExpressionHandler's purpose it to control the creation of SecurityExpressionRoot. So far so good. The question is why do you need a CustomWebSecurityExpressionRoot and the answer is simple as that - you define your custom security methods there. Having this in mind we can write the following classes:
public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
#Override
protected SecurityExpressionOperations createSecurityExpressionRoot(
Authentication authentication, FilterInvocation fi) {
CustomWebSecurityExpressionRoot expressionRoot =
new CustomWebSecurityExpressionRoot(authentication, delegationEvaluator);
return expressionRoot;
}
}
}
public class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot {
public CustomWebSecurityExpressionRoot(Authentication auth, FilterInvocation fi) {
super(auth, fi);
}
// in here you must define all of the methods you are going to invoke in #PreAuthorize
// for example if you have an expression with #PreAuthorize('isBoyan(John)')
// then you must have the following method defined here:
public boolean isBoyan(String value) {
//your logic goes in here
return "Boyan".equalsIgnoreCase(value);
}
}
If you want to get a reference to the ExpressionParser you can use the following method AbstractSecurityExpressionHandler.getExpressionParser(). It is accessible through CustomWebSecurityExpressionHandler. Also you can take a look at its API if you want to do something more specific.
I hope this answers you question.
Let's say I want to do the same thing the Masterpage's code behind does on ASP.NET side. I'm currently learning Spring MVC and Im using JSP for my views. I know for the JSP side, everytime I create a page I include header.jsp and footer.jsp.
Lets say I have this var in my header.jsp ${ItemsQty} I would have to tho this in all controllers request mappings to get the value inserted.
model.addAttribute("ItemsQty", ItemsServices.count());
What's the correct way to set this value? adding the attribute in all controllers, all request methods?
Regards.
You could create an interceptor that adds the attribute to the modelmap. Interceptors can be mapped to any URL you like.
<mvc:annotation-driven>
<mvc:interceptors>
<mvc:mapping path="/items/**" />
<bean="my.package.items.ItemsInterceptor"/>
</mvc:interceptors>
</mvc:annotation-driven>
When the url matches mapping /items/** this interceptor will add the attribute to the modelmap after the handler is called.
class ItemsInterceptor extends HandlerInterceptorAdapter {
#Autowired
private ItemsServices service;
public void postHandle(
HttpServletRequest request,
HttpServletResponse response,
Object handler,
ModelAndView modelAndView)
throws Exception {
if (modelAndView != null) {
modelAndView.addObject("ItemsQty", service.count());
}
}
}
What's the correct way to set this value? adding the attribute in all controllers, all request methods?
No. These attributes are session scoped attributes. Session scoped attributes are specified in Spring MVC using #SessionAttributes. So in your case it would be
#SessionAttributes({"ItemsQty"})
So the first time you add "ItemsQty" to the model, it will stay there (across multiple requests) until SessionStatus.setComplete() is called.
I've seen that you can control cache http headers with the AnnotationMethodHandlerAdapter bean.
My problem is that I need to have a fine grane control on the cache (at method level).
The best think would be to have something like an annotation like "#RequestCache(expire=60)".
Is there anything like this?
What is the best way to accomplish this task?
Thanks,
Andrea
Update:
pap suggest to use an HandlerInterceptor, but I've seen multiple forum's post saying that it's not possible to get the target method inside an HandlerInterceptor and suggest to use regular AOP instead (not specifically for caching).
The problem is that I don't want to add the request parameter to all my methods, only to make it accessible to the aspect. Is there a way to avoid this?
You can use the following approach described in
Spring mvc reference manual
Support for the 'Last-Modified' Response Header To Facilitate Content Caching
#RequestMapping(value = "/modified")
#ResponseBody
public String getLastModified(WebRequest request) {
if (request.checkNotModified(lastModified.getTime())) {
logger.error("Was not modified.");
return null;
}
logger.error("Was modified.");
//processing
return "viewName";
}
One way (that I have used myself) is to create your own HandlerInterceptor.
public class CacheInterceptor implements HandlerInterceptor {
#Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
Class<?> o = AopUtils.getTargetClass(handler);
if (o.isAnnotationPresent(RequestCache.class)) {
response.setDateHeader("Expires", o.getAnnotation(RequestCache.class).expire());
}
return true;
}
...
}
and then
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="interceptors">
<array>
<bean class="bla.bla.CacheInterceptor " />
</array>
</property>
</bean>
I have a Spring controller it needs to set a message in the request scope and sends the user back to a form because of errors. Here is the method signature:
public String update(HttpServletRequest request,
Model model,
#ModelAttribute("command") User user,
BindingResult result, SessionStatus status)
In the method the request object is available, here is my way of setting a message in the request scope, which I feel is convoluted.
.....
WebApplicationContext ctx = RequestContextUtils.getWebApplicationContext(reque st);
Locale locale = RequestContextUtils.getLocale(request);
request.setAttribute("formError", ctx.getMessage("errors.unique.value", new Object[]{new DefaultMessageSourceResolvable(new String[]{"label.userName"})}, locale));
.......
Here are my questions:
Is the above way correct for setting a message?
Is any better or simpler way?
Thanks for help!
Are you trying to give a feedback to the user? Then you should have a look at result.rejectValue(field, property)
http://static.springsource.org/spring/docs/2.5.x/api/org/springframework/validation/Errors.html#rejectValue%28java.lang.String,%20java.lang.String%29
Example:
if the field on which the validation didnt passed is called "new_password" and the language property is named "new_passwort_invalid" then you could handle it like this:
result.rejectValue("new_password", "new_passwort_invalid");
greets
(Even if the post is old, I hope this can be useful for others)
In servlet-context.xml configuration we declare the bean:
<beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<beans:property name="basename" value="/WEB-INF/locale/messages" />
<beans:property name="defaultEncoding" value="UTF-8" />
</beans:bean>
Then in controller we autowire the messageSource:
#Controller
public class SomeCtrl {
#Autowired
private MessageSource messageSource;
...
Finally in the action we can use the locale (by adding the locale formal parameter and using the message):
#RequestMapping(value="/doLogin", method=RequestMethod.POST)
#ResponseBody
public String tryLogin(
#ModelAttribute("loginBean") LoginBean loginBean,
BindingResult result, SessionStatus status,
Locale locale) {
....
....
String generalErrorMsg = messageSource.getMessage("login.generalError",new Object[] {}, locale);
....
....
I wrote an Spring request interceptor for authentication purposes, it extends the HandlerInterceptorAdapter. I've set it with this line in my servlet-context:
<mvc:interceptors>
<bean class = "it.jsoftware.jacciseweb.controllers.AuthInterceptor">
<property name="manServ" ref = "acciseService"></property>
</bean>
</mvc:interceptors>
and the pre handle method is
#Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
HttpSession sess = request.getSession();
String path = request.getPathTranslated();
boolean autenticated = maincont.isAuthenticated(sess);
if (!autenticated){
response.sendRedirect("accise?action=login");
return false;
}
return super.preHandle(request, response, handler);
}
like this anyway it will generate a redirect loop, because it will never reach the redirect page due to the interception and redirect.
There is many ways to solve this, but I don't know how to achieve them:
Detect the url of the request (but I don't know how) and don't check for authentication for the login page. Moreover I'd like to make this solution more flexible.
Select the login handler directly on the controller. How do I do that? Is it possible?
I've seen that in examples people specifies interceptor mapping using org.springframework.web.servlet.handler.SimpleUrlHandlerMapping, anyway I'm using annotations. Is there a way, using annotations, to specify a different mapping for the interceptor so that it doesn't fire with the above address (accise?action=login)? Or maybe to chain different mapping schemes?
Is there a specific reason for not using spring-security?
IMHO is simple, powerful and deeply tested.
You can simply implement and inject your custom authenticator, spring-security will handle the redirect.