SEC-1663: Expression support in protect-pointcut xml config #1901
Comments
Luke Taylor said: I'm not sure there is such a pressing use-case for EL in protect-pointcuts. Since they are generally used across multiple methods and classes, you lose the ability to reference method arguments directly in an expression, which is where EL is most likely to add value.
Andrew said: I believe that you don't lose the ability to reference method arguments. You can create a protect-pointcut for a single method and reference its arguments like:
Also, you can create a pointcut for many methods that have the same arguments, like:
(all the UserService.update* methods must have 'username' parameter) I already implemented an AccessDecisionVoter that is capable of handling expressions. It uses the same MethodSecurityExpressionHandler as in annotations so all expressions from annotations should work. Sample configuration:
Class com.novage.security.MethodExpressionVoter:
Class MethodExpressionVoter uses caching to not parse same expressions many times (to work faster). This is basically not very good. I believe approach with custom MethodSecurityMetadataSource that parses the expressions and saves into custom ConfigAttribute should be used like it is already implemented in HTTP security schema with enabled expressions (i.e. <security:http use-expressions="true"> ... </security:http>).
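One way to write the kind of voter described in the comment above, as an added example (it is not the commenter's MethodExpressionVoter and not Spring Security's own code). The class name `PointcutExpressionVoter` is hypothetical, and the code assumes the Spring Security 3.1 to 5.x voter API and that every `access` attribute on the pointcut is a SpEL expression.

```java
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ParseException;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.core.Authentication;

// Hypothetical voter: evaluates protect-pointcut access attributes as SpEL,
// using the same expression handler as the pre/post annotations.
public class PointcutExpressionVoter implements AccessDecisionVoter<MethodInvocation> {
    private final MethodSecurityExpressionHandler handler;
    private final Map<String, Expression> cache = new ConcurrentHashMap<String, Expression>();

    public PointcutExpressionVoter(MethodSecurityExpressionHandler handler) {
        this.handler = handler;
    }
    public boolean supports(ConfigAttribute attribute) { return parse(attribute) != null; }
    public boolean supports(Class<?> clazz) { return MethodInvocation.class.isAssignableFrom(clazz); }

    public int vote(Authentication auth, MethodInvocation mi, Collection<ConfigAttribute> attrs) {
        int result = ACCESS_ABSTAIN;
        EvaluationContext ctx = null;
        for (ConfigAttribute attr : attrs) {
            Expression expr = parse(attr);
            if (expr == null) continue;            // not an expression: leave it to other voters
            if (ctx == null) ctx = handler.createEvaluationContext(auth, mi);
            try {
                if (!ExpressionUtils.evaluateAsBoolean(expr, ctx)) return ACCESS_DENIED;
            } catch (RuntimeException e) {
                return ACCESS_DENIED;              // fail closed when evaluation errors out
            }
            result = ACCESS_GRANTED;               // granted only if every expression is true
        }
        return result;
    }
    // Parse each distinct expression string once; null means "does not parse as SpEL".
    private Expression parse(ConfigAttribute attr) {
        String text = attr.getAttribute();
        if (text == null) return null;
        Expression expr = cache.get(text);
        if (expr != null) return expr;
        try { expr = handler.getExpressionParser().parseExpression(text); }
        catch (ParseException e) { return null; }
        cache.put(text, expr);
        return expr;
    }
}
```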
+1 For this feature. I think it would be very useful. Another element of this along the same lines would be to add support for all method security expressions such as the Something like this would be very useful:
If I have a service that contains many methods for returning an object or collection (different queries for example), I don't want to have to duplicate the same annotation on each method. It is also error prone since when someone else comes along to add a new method to the service, they might forget to add the
+1
Brian Relph (Migrated from SEC-1663) said:
Enable Spring-EL support for protect-pointcut xml.
Example:
<security:global-method-security pre-post-annotations="enabled">
<security:protect-pointcut expression="execution(* com.acl.controllers.Controller.(..))"
access="isFullyAuthenticated()" />
</security:global-method-security>