Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-1456: Allow runtime expressions for security:authorize url-attribute #1696

Closed
spring-issuemaster opened this issue Apr 7, 2010 · 2 comments
Closed

Comments

@spring-issuemaster
Copy link

@spring-issuemaster spring-issuemaster commented Apr 7, 2010

Joakim Kemeny (Migrated from SEC-1456) said:

The security:authorize tablib doesn't allow you to use runtime expresssions for the url-attribute. This prevents us from using code like the following snippet:

...
<c:forEach items="${pages}" var="page">
<security:authorize url="${page.url}">

  • ....
  • /security:authorize /c:forEach ...

    My suggestion is to set rtexprvalue to true for the url-attribute.

    @spring-issuemaster

    This comment has been minimized.

    Copy link
    Author

    @spring-issuemaster spring-issuemaster commented Apr 21, 2010

    Luke Taylor said:

    Makes sense. Applied in 3.0.x and master branches.

    @spring-issuemaster

    This comment has been minimized.

    Copy link
    Author

    @spring-issuemaster spring-issuemaster commented Jun 14, 2010

    Gert Buys said:

    What if you wanted to have JSP EL in something like <security:authorize access="hasRole('${role}')" > ? Is it considered best practice to turn to the url attribute instead and link the url to roles in intercept-url? The access attribute seems rather inflexible then.

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Projects
    None yet
    1 participant
    You can’t perform that action at this time.