Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
SEC-1452: spring-security-3.0.xsd misses expression-handler tag under http tag #1692
FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource is able to set up a custom expression handler for security tags (I've checked with sec:authorize)
Therefore, while having custom handler for methods (via global-method-security), you can't have it for jsp tags
Adding the expression-handler declaration (attached simple patch) frees the developer
The need for this is that I've created my own WebSecurityExpressionRoot implementation with additional methods (hasFunction, hasApplication...)
Triqui Galletas said:
There has been some discussion about this issue in the forum.
The workaround I suggested was to add the expression handler before the http element, so that it would be used by authorize tags with the access atribute.
But the question remains, what are the plans for this?
I'm posting here the workaround for the people who don't have time to check that thread:
<security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
Andrew Largey said:
I ran into this issue as well. I have been able to solve the problem by implementing a BeanFactoryPostProcessor. This allows me to find the BeanDefinition for the DefaultWebSecurityExpressionHandler and change the class to my own subclass. Doing that in addition to defining the AccessDecisionManager made it so that I could use custom expressions in the intercept-url definitions and in the jsp tags.
I am hoping that in a future release I will be able to specify the expression-handler instead.