SEC-1749: hasPermission method in the AuthorizeTag #1983

Closed
spring-issuemaster opened this Issue May 18, 2011 · 4 comments

@spring-issuemaster

Thomas Champagne (Migrated from SEC-1749) said:

For the moment, to check the permission on an object in a JSP page, you can use the AccessControlListTag.

But I think it would be a good idea to call the hasPermission method from the AuthorizeTag:
where the book variable is provided from the page context.

Related issue: SEC-1560.

Now, when you call the hasPermission method from the AuthorizeTag, this throws a NullPointerException because the permissionEvaluator is not defined in the WebSecurityExpressionRoot:
Caused by: java.lang.NullPointerException
at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:128)

@spring-issuemaster

Thomas Champagne said:

I created a patch for this feature:
In the DefaultWebSecurityExpressionHandler, override the createEvaluationContextInternal method and create a WebSecurityEvaluationContext.
In this WebSecurityEvaluationContext, override the lookupVariable method and look up variables in the page context.
I also added unit tests on AuthorizeTag to test the "access" attribute.

To configure your webapp correctly, you must manually define a DefaultWebSecurityExpressionHandler in your context and put it in the http tag with the "access-decision-manager-ref" attribute: SEC-1452:



/b:bean






/b:bean
/b:list
/b:property
/b:bean


...

I hope that this issue patch will be integrated in version 3.1 :-)

@spring-issuemaster

Luke Taylor said:

Hi Thomas. I already did some work on this following your comments in SEC-1560. I've pushed the changes to

http://git.springsource.org/~ltaylor/spring-security/lukes-spring-security/commits/jspPermissionEval

There are similarities with your patch, but the PageContext is used to look up objects, rather than just the request. Also, some support in the namespace will be needed so that the expression handler can be shared between the AccessDecisionManager and the FilterSecurityInterceptor. There is already an issue open for that.

@spring-issuemaster

Luke Taylor said:

Ok, I've pushed the changes to master. The namespace support is added under SEC-1452.

@spring-issuemaster

Thomas Champagne said:

Thank you again for including this feature and others (like SEC-1452 and SEC-1560) in version 3.1.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
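
Added example, not code from this issue or from the Spring Security project: a deny-by-default PermissionEvaluator wired into a DefaultWebSecurityExpressionHandler, so that a hasPermission(...) call in an access expression is evaluated instead of hitting the undefined permissionEvaluator reported above. It assumes Spring Security 3.1 or later on the classpath; Book, BookPermissionEvaluator and ExpressionHandlerFactory are hypothetical names.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/** Hypothetical domain object, standing in for the "book" page-context variable. */
class Book {
    private final String owner;

    Book(String owner) { this.owner = owner; }

    String getOwner() { return owner; }
}

/** Hypothetical evaluator: only the owner of a Book may read or write it. */
class BookPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Fail closed on a missing principal, an unresolved variable or an unknown type.
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Book)) {
            return false;
        }
        // Unknown permission names are denied rather than treated as "read".
        boolean known = "read".equals(permission) || "write".equals(permission);
        return known && auth.getName().equals(((Book) target).getOwner());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Lookup by identifier is not implemented in this example, so deny.
        return false;
    }
}

/** Hypothetical factory; in an application this handler would be a bean in the context. */
final class ExpressionHandlerFactory {

    static DefaultWebSecurityExpressionHandler create() {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        // Without an evaluator set, hasPermission(...) has nothing to delegate to.
        handler.setPermissionEvaluator(new BookPermissionEvaluator());
        return handler;
    }
}
```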