How to programmatically access <INTERCEPT-URL> from <HTTP> element in spring security

Question

How can I programmatically access the contents of the intercept-url declarations (from the http://www.springframework.org/schema/security schema)? E.g.,

<http auto-config='true'>
    <intercept-url pattern="/static/**" filters="none" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    ...
</http>

Spring security role mapping is used to restrict access to certain pages. I want to extract the same role mapping information (the pattern and accept attributes) to be able to only show those pages in the html-menu that each role has access to see.

I've had a look at the HttpConfigurationBuilder, but it's package protected and doesn't seem to offer so much information. I've also tried:

  FilterSecurityInterceptor interceptor = appContext.getBean(FilterSecurityInterceptor.class);
  if (interceptor != null) {
      for (ConfigAttribute attr : interceptor.getSecurityMetadataSource().getAllConfigAttributes()) {
          // Extract the attributes ... 
          attr.getAttribute();
      }
  }

but I only managed to access the roles, not the url patterns.

Answer 1

The configuration declared using a namespace support does not exists in the same "format" after application context is loaded.

If you want to preserve the role mapping information, you need to access it while configuration parsing - and save the data you need for the future use. You can do this by subclassing org.springframework.security.config.http.HttpSecurityBeanDefinitionParser, reading the data you want and delegating to super.

See Spring Security 3 - Appendix D. Extensible XML authoring for usage of custom BeanDefinitionParser implementations.

Answer 2

Perhaps you can check if getFilterChainMap() method of FilterChainProxy class gives you the relevant info.