Rob Winch (Migrated from SEC-1965) said:
The DefaultWebSecurityExpressionHandler no longer implements WebSecurityExpressionHandler which causes issues when using spring-webflow's AbstractAuthorizeTag which looks up the WebExpressionHandler for authorize statements. We should probably also look into getting webflow to use the provided AbstractAuthorizeTag (I haven't had time to investigate why they might have their own copy of this tag).
In the meantime, if someone wants to use authorize functions and sec:authentication tag of Spring Security 3.1.0 with JSF 2.0, this should help (see attachment)
Grzegorz Rozniecki said:
Also, reference to WebSecurityExpressionHandler in Spring Manual (in http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6860) should be removed.
Rob Winch said:
Thank you for pointing this out. You are correct that should be removed. However, it isn't exactly the same as this issue so I went ahead and created a separate ticket for it (see SEC-1985). Thanks again for taking the time to help may Spring Security better.
I have logged SWF-1557 to address consolidating SWF's Security taglib with Spring Security's taglib.
Pushed fixes out to master