SEC-1294: Support bean access in expression language #1540

Closed
spring-issuemaster opened this Issue Nov 13, 2009 · 2 comments

@spring-issuemaster

Florent Ramiere (Migrated from SEC-1294) said:

The expression language support in spring security is a great addition to the project.

Here is what we can currently do:

@PreAuthorize("hasRole('ROLE_USER')")
public void basic()

@PreAuthorize("#age > 18")
public void usingArgs(int age)

Here is what I wish we could also do:

@PreAuthorize("#age > #{mySpringBean.minAge}")
public void usingSpringBeansProperty(int age)

@PreAuthorize("#{mySpringBean.ageAuthorized(#age)}")
public void usingSpringBeansMethodAndArgs(int age)

Basically I wish we had the same functionalities we have in spring core.
This is especially useful for the Post

Currently I found the following way to use beans in the expression language

  • I access it via a custom method
  • that is defined in a custom MethodSecurityExpressionHandler
  • that overrides the "public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi)"
  • then set the
@spring-issuemaster

Luke Taylor said:

I've added a PropertyAccessor which looks up property names as beans in the application context. It is used in both method and web security expression handling. Note that the bean names should be used without a "#" prepended, unlike method arguments.

@spring-issuemaster

Stephane Rondal said:

Thanks for this fix. Is there any example/documentation on how to use this new possibility?
I cannot make it work using the examples given in the description.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
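
The mechanism Luke Taylor's comment describes (a PropertyAccessor that resolves unprefixed names as beans, while method arguments keep the "#" prefix) can be sketched with plain SpEL APIs. This is an added example, not Spring Security's own accessor and not code from the thread: BeanLookupDemo, BeanNameAccessor and AgePolicy are hypothetical names, a plain Object stands in for the security expression root, and limiting bean lookup to the root object is a choice made here. It assumes spring-expression and spring-beans are on the classpath.

```java
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.expression.AccessException;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.PropertyAccessor;
import org.springframework.expression.TypedValue;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BeanLookupDemo {
    // Hypothetical policy bean, named after the one in the issue description.
    public static class AgePolicy {
        public int getMinAge() { return 18; }
        public boolean ageAuthorized(int age) { return age > getMinAge(); }
    }

    // Resolves an unprefixed name on the root object as a bean; read-only.
    static class BeanNameAccessor implements PropertyAccessor {
        private final BeanFactory beans;
        BeanNameAccessor(BeanFactory beans) { this.beans = beans; }
        public Class<?>[] getSpecificTargetClasses() { return null; } // any target type
        public boolean canRead(EvaluationContext ctx, Object target, String name) {
            // Only the root may resolve beans, so a bean name cannot shadow
            // a property of some other object later in the expression.
            return target == ctx.getRootObject().getValue() && beans.containsBean(name);
        }
        public TypedValue read(EvaluationContext ctx, Object target, String name) {
            return new TypedValue(beans.getBean(name));
        }
        public boolean canWrite(EvaluationContext ctx, Object target, String name) { return false; }
        public void write(EvaluationContext ctx, Object target, String name, Object value)
                throws AccessException { throw new AccessException("beans are read-only here"); }
    }

    static boolean allowed(BeanFactory beans, String expression, int age) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(new Object()); // stand-in root
        ctx.addPropertyAccessor(new BeanNameAccessor(beans));
        ctx.setVariable("age", age); // method argument, referenced as #age
        Boolean result = new SpelExpressionParser().parseExpression(expression).getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(result); // a null or non-true result denies access
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory beans = new DefaultListableBeanFactory();
        beans.registerSingleton("mySpringBean", new AgePolicy());
        System.out.println(allowed(beans, "#age > mySpringBean.minAge", 21));
        System.out.println(allowed(beans, "mySpringBean.ageAuthorized(#age)", 16));
    }
}
```

The two expressions are the ones from the issue description rewritten without the `#{...}` wrapper: the bean is a bare name, the argument is `#age`.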