Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1456: Allow runtime expressions for security:authorize url-attribute #1696

spring-issuemaster opened this Issue Apr 7, 2010 · 2 comments


None yet
1 participant

Joakim Kemeny (Migrated from SEC-1456) said:

The security:authorize tablib doesn't allow you to use runtime expresssions for the url-attribute. This prevents us from using code like the following snippet:

<c:forEach items="${pages}" var="page">
<security:authorize url="${page.url}">

  • ....
  • /security:authorize /c:forEach ...

    My suggestion is to set rtexprvalue to true for the url-attribute.

    Luke Taylor said:

    Makes sense. Applied in 3.0.x and master branches.

    Gert Buys said:

    What if you wanted to have JSP EL in something like <security:authorize access="hasRole('${role}')" > ? Is it considered best practice to turn to the url attribute instead and link the url to roles in intercept-url? The access attribute seems rather inflexible then.

    @spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment