SecurityExpressionRoot custom method with Spring Security 3.1.3

I am updating my Spring Security from 3.1.0 to 3.1.3 and have come across a change that breaks my configuration.

I used a custom SecurityExpressionRoot to expose a method for use with intercept-url entries.

<http entry-point-ref="forbiddenAccessEntryPoint"
      use-expressions="true"
      create-session="never"
      access-decision-manager-ref="webAccessDecisionManager">
    <intercept-url pattern="/licenses*" access="hasProjectAuthority('LICENSES')"/>
    ...
</http>

The SecurityExpressionRoot is injected through a custom DefaultMethodSecurityExpressionHandler.

This works fine in version 3.1.0, but after upgrading to Spring 3.1.3 it is not possible to evaluate the hasProjectAuthority method:

EL1004E: (pos 0): method call: hasProjectAuthority (java.lang.String) method cannot be found on org.springframework.security.web.access.expression.WebSecurityExpressionRoot type

Has this been moved?

+4
1 answer
  • Try moving your code from a custom SecurityExpressionRoot to a custom WebSecurityExpressionRoot.
  • Make sure your own WebSecurityExpressionRoot is injected into your WebExpressionVoter using DefaultWebSecurityExpressionHandler.createSecurityExpressionRoot.

Your xml might look like this:

<security:http access-decision-manager-ref="customAccessDecisionManagerBean">
    ....
</security:http>

<bean id="customWebSecurityExpressionHandler"
      class="com.domain.security.CustomWebSecurityExpressionHandler"/>

<bean id="customAccessDecisionManagerBean"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
            </bean>
        </list>
    </property>
</bean>
+7