SEC-1749: hasPermission method in the AuthorizeTag #1983

Closed
spring-issuemaster opened this Issue May 18, 2011 · 4 comments

Thomas Champagne (Migrated from SEC-1749) said:

For the moment, to check the permission on an object in a JSP page, you can use the AccessControlListTag.

But I think it would be a good idea to call the hasPermission method from the AuthorizeTag:
<sec:authorize access="hasPermission(#book, 'write')"> where the book variable is provided from the page context.

Related issue: SEC-1560.

Now, when you call the hasPermission method from the AuthorizeTag, this throws a NullPointerException because the permissionEvaluator is not defined in the WebSecurityExpressionRoot:
Caused by: java.lang.NullPointerException
at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:128)

Thomas Champagne said:

I created a patch for this feature:
In the DefaultWebSecurityExpressionHandler, override the createEvaluationContextInternal method and create a WebSecurityEvaluationContext.
In this WebSecurityEvaluationContext, override the lookupVariable method and lookup variables in the page context.
I also added unit tests on AuthorizeTag to test "access" attribute.

To configure your webapp correctly, you must manually define a DefaultWebSecurityExpressionHandler in your context and put it in the http tag with the "access-decision-manager-ref" attribute (SEC-1452):

<b:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>

<b:bean id="webAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <b:property name="decisionVoters">
        <b:list>
            <b:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <b:property name="expressionHandler" ref="webSecurityExpressionHandler"/>
            </b:bean>
        </b:list>
    </b:property>
</b:bean>

...

I hope that this issue patch will be integrated in version 3.1 :-)
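
An added sketch of the approach described in the comment above, not the patch attached to this issue and not Spring Security's own code: an evaluation context that resolves `#book` from the JSP scopes, paired with a permission evaluator that denies when the variable cannot be resolved. The class names and the `Owned` interface are hypothetical; it assumes the `javax.servlet.jsp` API and the Spring Security 3.x `PermissionEvaluator` interface are on the classpath.

```java
// Added sketch; class names and the Owned interface are hypothetical.
import java.io.Serializable;
import javax.servlet.jsp.PageContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/** Hypothetical domain contract: objects that record who owns them. */
interface Owned {
    String getOwner();
}

/** Resolves SpEL variables such as #book from the JSP scopes. */
class PageContextEvaluationContext extends StandardEvaluationContext {
    private final PageContext pageContext;

    PageContextEvaluationContext(Object root, PageContext pageContext) {
        super(root);
        this.pageContext = pageContext;
    }

    @Override
    public Object lookupVariable(String name) {
        Object value = super.lookupVariable(name);
        // findAttribute searches page, request, session and application
        // scope in that order and returns null when nothing matches.
        return value != null ? value : pageContext.findAttribute(name);
    }
}

/** Fail-closed evaluator: a missing user, target or unknown permission denies. */
class OwnerPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Owned)) {
            return false; // also covers target == null, i.e. #book was not found
        }
        boolean knownPermission = "read".equals(permission) || "write".equals(permission);
        return knownPermission && auth.getName().equals(((Owned) target).getOwner());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false; // id-based lookups are not supported in this sketch
    }
}
```

A bean of the evaluator class would be the one referenced by the `permissionEvaluator` property in the configuration above; because an unresolved variable evaluates to null, the null check is what keeps a mistyped variable name in a JSP from granting access.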

Luke Taylor said:

Hi Thomas. I already did some work on this following your comments in SEC-1560. I've pushed the changes to

http://git.springsource.org/~ltaylor/spring-security/lukes-spring-security/commits/jspPermissionEval

There are similarities with your patch, but the PageContext is used to look up objects, rather than just the request. Also, some support in the namespace will be needed so that the expression handler can be shared between the AccessDecisionManager and the FilterSecurityInterceptor. There is already an issue open for that.

Luke Taylor said:

Ok, I've pushed the changes to master. The namespace support is added under SEC-1452.

Thomas Champagne said:

Thank you again for including this feature and others (like SEC-1452 and SEC-1560) in version 3.1.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
