SEC-1456: Allow runtime expressions for security:authorize url-attribute #1696

Closed
spring-issuemaster opened this Issue Apr 7, 2010 · 2 comments

@spring-issuemaster

Joakim Kemeny (Migrated from SEC-1456) said:

The security:authorize taglib doesn't allow you to use runtime expressions for the url-attribute. This prevents us from using code like the following snippet:

```jsp
...
<c:forEach items="${pages}" var="page">
  <security:authorize url="${page.url}">
    <li>....</li>
  </security:authorize>
</c:forEach>
...
```

My suggestion is to set rtexprvalue to true for the url-attribute.

@spring-issuemaster

Luke Taylor said:

Makes sense. Applied in 3.0.x and master branches.

@spring-issuemaster

Gert Buys said:

What if you wanted to have JSP EL in something like `<security:authorize access="hasRole('${role}')" >`? Is it considered best practice to turn to the url attribute instead and link the url to roles in intercept-url? The access attribute seems rather inflexible then.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
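
An added illustration, not part of the original thread or of Spring Security's own code: a menu JSP that uses the `url` attribute with a runtime expression as requested above, with the `intercept-url` rules it is assumed to be evaluated against shown in a comment. The `pages` model attribute, its `url` and `title` properties, and the URL patterns and roles are hypothetical.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

<%--
  Assumed security configuration (hypothetical patterns and roles):

    <http use-expressions="true">
      <intercept-url pattern="/admin/**"   access="hasRole('ROLE_ADMIN')"/>
      <intercept-url pattern="/reports/**" access="hasRole('ROLE_USER')"/>
      <intercept-url pattern="/**"         access="permitAll"/>
    </http>

  "pages" is a hypothetical list of menu entries built on the server,
  each with a context-relative "url" and a display "title".
--%>
<ul>
  <c:forEach items="${pages}" var="page">
    <%-- The body is rendered only if the current user would be allowed to
         request page.url under the intercept-url rules above. --%>
    <security:authorize url="${page.url}">
      <li>
        <%-- c:url adds the context path; c:out escapes the title for HTML. --%>
        <a href="<c:url value='${page.url}'/>"><c:out value="${page.title}"/></a>
      </li>
    </security:authorize>
  </c:forEach>
</ul>
```

The tag only decides whether the link is rendered; a direct request to the URL is still accepted or rejected by the `intercept-url` rule itself.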