Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Taglibs
    • Labels:
      None

      Description

      The use of a tag which uses something like <authorize access="some access-control expression" /> and links in with the WebSecurityExpressionHandler in the application context would provide all the functionality of the existing authorize tag and much more. The implementation could extend the existing tag to continue to support the legacy syntax.

        Issue Links

          Activity

          Hide
          Luke Taylor added a comment -

          I've extended the existing authorize tag as described. So the preferred way of using it is to use the "access" attribute with an authorization expression, similar to those that are used in the intercept-url elements. Expressions must be enabled in the http block or, alternatively, a WebSecurityExpressionHandler bean must be present in the application context.

          Show
          Luke Taylor added a comment - I've extended the existing authorize tag as described. So the preferred way of using it is to use the "access" attribute with an authorization expression, similar to those that are used in the intercept-url elements. Expressions must be enabled in the http block or, alternatively, a WebSecurityExpressionHandler bean must be present in the application context.
          Hide
          Wendy Cameron added a comment -

          The javascript validation also needs to be changed to implement this logic.

          Show
          Wendy Cameron added a comment - The javascript validation also needs to be changed to implement this logic.
          Hide
          Wendy Cameron added a comment -

          Sorry about previous comment was the wrong Jira screen.

          I have been debugging and using this:

          I have :

          <@sec.authorize access="hasAuthority('ROLE_USER')">
              <p>Hello Wendy was here and this is the security Mechanism.</p>
          </@sec.authorize>
          

          I added a break point in the ROLE_VOTER and the voter is not fired.
          So I am wondering how through all of this access expression stuff the voters are fired.

          Perhaps I havn't configured things correctly and the WebSecurityExpressionHandler doesnt use the accessDecisionManager. However I cant figure out how to make the DefaultWebSecurityExpressionHandler aware of my accessDecisionManager.

          Show
          Wendy Cameron added a comment - Sorry about previous comment was the wrong Jira screen. I have been debugging and using this: I have : <@sec.authorize access= "hasAuthority('ROLE_USER')" > <p>Hello Wendy was here and this is the security Mechanism.</p> </@sec.authorize> I added a break point in the ROLE_VOTER and the voter is not fired. So I am wondering how through all of this access expression stuff the voters are fired. Perhaps I havn't configured things correctly and the WebSecurityExpressionHandler doesnt use the accessDecisionManager. However I cant figure out how to make the DefaultWebSecurityExpressionHandler aware of my accessDecisionManager.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: