SEC-1452: spring-security-3.0.xsd misses expression-handler tag under http tag #1692

spring-issuemaster opened this Issue Mar 31, 2010 · 5 comments


None yet
1 participant

Federico Fissore (Migrated from SEC-1452) said:

FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource is able to set up a custom expression handler for security tags (I've checked with sec:authorize)
but since the XSD is missing the tag declaration, you cannot declare that custom handler

Therefore, while having custom handler for methods (via global-method-security), you can't have it for jsp tags

Adding the expression-handler declaration (attached simple patch) frees the developer

The need for this is that I've created my own WebSecurityExpressionRoot implementation with additional methods (hasFunction, hasApplication...)

Luke Taylor said:

Not a bug, as this was deliberately left out of the 3 release.

Triqui Galletas said:

There has been some discussion about this issue in the forum.
The main point was how to use a custom expression handler instead of the default one created when working with jsp tags.

The workaround I suggested was to add the expression handler before the http element, so that it would be used by authorize tags with the access atribute.
And also to add a custom access decision manager with the same expression handler so that it would be used by authorize tags with the url attribute.

But the question remains, what are the plans for this?
Luke, you already answered in that thread, but if you would some time to read some of the post from page 3, I would like to know what you think about it.

I'm posting here the workaround for the people who don't have time to check that thread:

<security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">


Stephen Todd said:


Is there any movement on this? Any updates on perhaps what has been decided?

Andrew Largey said:

I ran into this issue as well. I have been able to solve the problem by implementing a BeanFactoryPostProcessor. This allows me to find the BeanDefinition for the DefaultWebSecurityExpressionHandler and change the class to my own subclass. Doing that in addition to defining the AccessDecisionManager made it so that I could use custom expressions in the intercept-url definitions and in the jsp tags.

I am hoping that in a future release I will be able to specify the expression-handler instead.

Luke Taylor said:

Added as part of the work on SEC-1560 and SEC-1749.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment