Luke Taylor (Migrated from SEC-1246) said:
The use of a tag which uses something like and links in with the WebSecurityExpressionHandler in the application context would provide all the functionality of the existing authorize tag and much more. The implementation could extend the existing tag to continue to support the legacy syntax.
Luke Taylor said:
I've extended the existing authorize tag as described. So the preferred way of using it is to use the "access" attribute with an authorization expression, similar to those that are used in the intercept-url elements. Expressions must be enabled in the http block or, alternatively, a WebSecurityExpressionHandler bean must be present in the application context.
Wendy Cameron said:
Sorry about previous comment was the wrong Jira screen.
I have been debugging and using this:
I have :
<p>Hello Wendy was here and this is the security Mechanism.</p>
I added a break point in the ROLE_VOTER and the voter is not fired.
So I am wondering how through all of this access expression stuff the voters are fired.
Perhaps I havn't configured things correctly and the WebSecurityExpressionHandler doesnt use the accessDecisionManager. However I cant figure out how to make the DefaultWebSecurityExpressionHandler aware of my accessDecisionManager.
This issue supersedes #1136