
SEC-1611: Allow runtime expressions for security:authorize access-attribute #1851

spring-issuemaster opened this Issue Nov 3, 2010 · 3 comments



Stephen Brandwood (Migrated from SEC-1611) said:

Similar to SEC-1456, the security:authorize taglib doesn't allow you to use runtime expressions for the access-attribute. This prevents us from using the tag in any kind of dynamic fashion, instead roles must be hard coded into the JSPs.

Can runtime expressions be enabled?

Luke Taylor said:

The access attribute takes an EL expression. Could you expand on the kind of use case you're envisaging which would require it to be a runtime expression in the JSP?

Stephen Brandwood said:

I'm honestly not sure of the difference. I can see in 3.0.4's security.tld, that the access attribute has "false", whilst in response to SEC-1456 the url attribute has been given a value of true.

Currently I cannot do this:
<sec:authorize access="hasRole('${foo}')">

Meaning I'm not able to create a generic .tag to be shared amongst JSPs, each needing different permissions.

Luke Taylor said:

It's pretty common for a URL to be dynamically generated, hence the use of a runtime value for the url attribute. Personally I would avoid logic which involves passing security attributes into JSPs. If you are going to add this kind of thing to the view model, then you would be as well performing the access check externally and passing the result to the view, keeping the view as dumb as possible.

However, it's a relatively innocuous change, so I've modified the tld to allow runtime expressions, should you wish to use them.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
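
The alternative raised in the thread, performing the access check outside the JSP and passing only the result to the view, could look like the sketch below. This is an added example, not code from the issue or from Spring Security; the controller name, URL, view name, flag names and role names are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical controller: names, URL and roles are assumptions for illustration.
@Controller
public class ReportController {

    // View flag -> required authority. Fixed in server code, so request data
    // never decides which role is checked.
    private static final Map<String, String> VIEW_FLAGS;
    static {
        Map<String, String> m = new LinkedHashMap<String, String>();
        m.put("canEditReport", "ROLE_EDITOR");
        m.put("canDeleteReport", "ROLE_ADMIN");
        VIEW_FLAGS = Collections.unmodifiableMap(m);
    }

    @RequestMapping("/reports")
    public String list(Model model) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        for (Map.Entry<String, String> e : VIEW_FLAGS.entrySet()) {
            model.addAttribute(e.getKey(), hasAuthority(auth, e.getValue()));
        }
        return "reports"; // the JSP only tests booleans: <c:if test="${canEditReport}">
    }

    // Deny by default: a missing or unauthenticated token grants nothing.
    static boolean hasAuthority(Authentication auth, String required) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The flags only control what the page renders; the edit and delete endpoints themselves still need their own URL or method-level authorization.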
