SEC-1944: Add hasRoleRegex to SecurityExpressionRoot #2170

Closed
spring-issuemaster opened this issue Mar 21, 2012 · 4 comments

Comments


@spring-issuemaster spring-issuemaster commented Mar 21, 2012

Paul Austin (Migrated from SEC-1944) said:

Would it be possible to add a function like the following to check if the user has a role based on a regular expression?

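```java
// Proposed addition to SecurityExpressionRoot
// (needs java.util.regex.Pattern and java.util.regex.Matcher).
public boolean hasRoleRegex(final String regex) {
    final Pattern pattern = Pattern.compile(regex);
    for (final String role : getAuthoritySet()) {
        // matches() succeeds only when the whole role name matches the regex
        final Matcher matcher = pattern.matcher(role);
        final boolean matches = matcher.matches();
        if (matches) {
            return true;
        }
    }
    return false;
}
```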

Also, would it be possible to make getAuthoritySet protected so subclasses can get access to it?


@spring-issuemaster spring-issuemaster commented Mar 26, 2012

Chad Maron said:

Hello,

I recently had to implement something similar for our project. There is some existing code that is almost perfect:

[https://gist.github.com/1642655]

I say almost because to get this to work we had to extend more methods in DefaultMethodSecurityExpressionHandler, like the filter method (among others). It turns out DefaultMethodSecurityExpressionHandler explicitly uses MethodSecurityExpressionRoot (not SecurityExpressionRoot) and it's not possible to use your own without digging deeper into the code.

Our override is not ideal, but it works quite well. One way around this would be to extend MethodSecurityExpressionRoot and pass it along to the CustomMethodSecurityExpressionHandler, but this is not possible: because MethodSecurityExpressionRoot is package private, it cannot be extended by anyone else.


@spring-issuemaster spring-issuemaster commented Mar 26, 2012

Luke Taylor said:

I don't want to add a hasRoleRegex method as this is a corner case and could be achieved using other EL constructs (e.g. static method invocation) or with a custom root object.

@chad You might want to review the changes from SEC-1887 which are intended to make it easier to override the security expression behaviour.


@spring-issuemaster spring-issuemaster commented Mar 18, 2014

Deryl Spielman said:

I can't believe this was closed! For me to have to use this:

```xml
<intercept-url pattern="/test" access="authentication.authorities.?[authority matches '.*ROLE1.*|.*ROLE2.*']" />
```

instead of

```xml
<intercept-url pattern="/test" access="roleMatches('.*ROLE1.*|.*ROLE2.*')" />
```

The first is not as readable, more verbose, and impossible to discover from the Spring documentation and existing forums. The reasoning behind the resolution of this issue is basically saying, "Why even have hasRole('ROLE_ROLE1') when you can use the authorities and SpEL" .. why? cause we need it!


@spring-issuemaster spring-issuemaster commented Mar 18, 2014

Deryl Spielman said:

Actually it would be:

```xml
<intercept-url pattern="/test" access="authentication.authorities.?[authority matches '.*ROLE1.*|.*ROLE2.*'].size() > 0" />
```

which is even longer.
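
Added example, not part of the thread and not Spring Security code: a stand-alone static helper of the kind the "static method invocation" suggestion above could call, run against the pattern quoted in the thread. The class name `RoleRegex` and the sample authority names are constructed; the point to check is that `.*ROLE1.*` matches any authority name containing `ROLE1`, such as `ROLE10`, while a whole-name alternation does not.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Hypothetical helper (assumption, not a Spring Security class).
public final class RoleRegex {

    // Access rules are evaluated on every request, so compile each regex once.
    private static final Map<String, Pattern> CACHE = new ConcurrentHashMap<>();

    private RoleRegex() {
    }

    /** True if any authority name matches the regex in full (Matcher.matches semantics). */
    public static boolean anyMatch(Collection<String> authorities, String regex) {
        Pattern pattern = CACHE.computeIfAbsent(regex, Pattern::compile);
        for (String authority : authorities) {
            if (authority != null && pattern.matcher(authority).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a user who holds neither ROLE1 nor ROLE2.
        List<String> authorities = List.of("ROLE10", "NOT_ROLE2_AUDIT");

        String loose = ".*ROLE1.*|.*ROLE2.*"; // pattern quoted in the thread
        String exact = "ROLE1|ROLE2";         // whole-name alternation

        // Compare the two patterns on the same authority set.
        System.out.println("loose pattern grants access: " + anyMatch(authorities, loose));
        System.out.println("exact pattern grants access: " + anyMatch(authorities, exact));

        // A user who really holds ROLE2 still passes the exact pattern.
        System.out.println("exact pattern, ROLE2 holder: " + anyMatch(List.of("ROLE2"), exact));
    }
}
```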