SEC-1246: Introduce EL-based authorization tag #1494

spring-issuemaster opened this Issue Sep 15, 2009 · 4 comments


None yet

1 participant


Luke Taylor (Migrated from SEC-1246) said:

The use of a tag which uses something like and links in with the WebSecurityExpressionHandler in the application context would provide all the functionality of the existing authorize tag and much more. The implementation could extend the existing tag to continue to support the legacy syntax.


Luke Taylor said:

I've extended the existing authorize tag as described. So the preferred way of using it is to use the "access" attribute with an authorization expression, similar to those that are used in the intercept-url elements. Expressions must be enabled in the http block or, alternatively, a WebSecurityExpressionHandler bean must be present in the application context.


Wendy Cameron said:

The javascript validation also needs to be changed to implement this logic.


Wendy Cameron said:

Sorry about previous comment was the wrong Jira screen.

I have been debugging and using this:

I have :

<@sec.authorize access="hasAuthority('ROLE_USER')">
    <p>Hello Wendy was here and this is the security Mechanism.</p>

I added a break point in the ROLE_VOTER and the voter is not fired.
So I am wondering how through all of this access expression stuff the voters are fired.

Perhaps I havn't configured things correctly and the WebSecurityExpressionHandler doesnt use the accessDecisionManager. However I cant figure out how to make the DefaultWebSecurityExpressionHandler aware of my accessDecisionManager.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016

This issue supersedes #1136

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment