Thomas Champagne (Migrated from SEC-1749) said:
For the moment, to check the permission on an object in a JSP page, you can use the AccessControlListTag.
But I think it would be a good idea to call the hasPermission method from the AuthorizeTag:
`<sec:authorize access="hasPermission(#book, 'write')">` where the book variable is provided from the page context.
Related issue: SEC-1560.
Now, when you call the hasPermission method from the AuthorizeTag, this throws a NullPointerException because the permissionEvaluator is not defined in the WebSecurityExpressionRoot:
Caused by: java.lang.NullPointerException
Thomas Champagne said:
I created a patch for this feature:
In the DefaultWebSecurityExpressionHandler, override the createEvaluationContextInternal method and create a WebSecurityEvaluationContext.
In this WebSecurityEvaluationContext, override the lookupVariable method and look up variables in the page context.
I also added unit tests on AuthorizeTag to test the "access" attribute.
To configure your webapp correctly, you must manually define a DefaultWebSecurityExpressionHandler in your context and reference it from the http tag with the "access-decision-manager-ref" attribute (SEC-1452):
```xml
<b:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
  <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>
<b:bean id="webAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <b:constructor-arg><b:list>
    <b:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"><b:property name="expressionHandler" ref="webSecurityExpressionHandler"/></b:bean>
  </b:list></b:constructor-arg>
</b:bean>
```
I hope that this patch will be integrated in version 3.1 :-)
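The complete wiring that the comment above describes, as an added example (not the patch's own code, and not from the Spring Security project): a shared DefaultWebSecurityExpressionHandler carrying the PermissionEvaluator, plugged into a WebExpressionVoter, which is the voter that actually takes the expressionHandler property in Spring Security 3.x, and an AffirmativeBased manager built from that voter and referenced from the http element through access-decision-manager-ref. The bean named permissionEvaluator is assumed to exist elsewhere in the context (for example an AclPermissionEvaluator backed by an AclService); it is not defined here. The Spring Security 3.1 AffirmativeBased constructor taking the voter list is used; on 3.0 the same list goes into the decisionVoters property instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: beans namespace as default, security namespace as "sec". -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- One expression handler for the whole web layer. Because it owns the
       PermissionEvaluator, hasPermission(...) works both in URL interception
       and in <sec:authorize access="..."> in JSP pages. -->
  <bean id="webSecurityExpressionHandler"
        class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <!-- Assumption: a bean with id "permissionEvaluator" is defined elsewhere
         (e.g. an AclPermissionEvaluator wired to an AclService). -->
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
  </bean>

  <!-- The voter is the component that evaluates "access" expressions, so the
       handler is injected here, not on the decision manager itself. -->
  <bean id="webExpressionVoter"
        class="org.springframework.security.web.access.expression.WebExpressionVoter">
    <property name="expressionHandler" ref="webSecurityExpressionHandler"/>
  </bean>

  <!-- Spring Security 3.1 constructor form; 3.0 uses
       <property name="decisionVoters"> with the same list. -->
  <bean id="webAccessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg>
      <list>
        <ref bean="webExpressionVoter"/>
      </list>
    </constructor-arg>
  </bean>

  <!-- Hand the custom manager to the filter chain. use-expressions="true" is
       required so that access="..." attributes are parsed as SpEL. -->
  <sec:http use-expressions="true"
            access-decision-manager-ref="webAccessDecisionManager">
    <sec:intercept-url pattern="/books/**" access="isAuthenticated()"/>
    <sec:form-login/>
  </sec:http>

</beans>
```

With this context loaded, the JSP check from the original comment, `<sec:authorize access="hasPermission(#book, 'write')">`, resolves `#book` against the page context (the request, session or page attribute of that name) and delegates to the configured PermissionEvaluator, so the same object-level decision is made in the view as in the service layer. Once the namespace support from SEC-1452 is available, the handler can instead be declared once as `<sec:expression-handler ref="webSecurityExpressionHandler"/>` inside `<sec:http>` and the explicit AffirmativeBased bean becomes unnecessary.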
Luke Taylor said:
Hi Thomas. I already did some work on this following your comments in SEC-1560. I've pushed the changes to
There are similarities with your patch, but the PageContext is used to look up objects, rather than just the request. Also, some support in the namespace will be needed so that the expression handler can be shared between the AccessDecisionManager and the FilterSecurityInterceptor. There is already an issue open for that.
Luke Taylor said:
Ok, I've pushed the changes to master. The namespace support is added under SEC-1452.
Thomas Champagne said:
Thank you again for including this feature and others (like SEC-1452 and SEC-1560) in version 3.1.