Spring Security / SEC-1294

Support bean access in expression language

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.1.0.M1
    • Component/s: Core
    • Labels:
      None

      Description

      The expression language support in spring security is a great addition to the project.

      Here is what we can currently do :

      @PreAuthorize("hasRole('ROLE_USER')")
      public void basic()

      @PreAuthorize("#age > 18")
      public void usingArgs(int age)

      Here is what I wish we could also do :

      @PreAuthorize("#age > #{mySpringBean.minAge}")
      public void usingSpringBeansProperty(int age)

      @PreAuthorize("#{mySpringBean.ageAuthorized(#age)}")
      public void usingSpringBeansMethodAndArgs(int age)

      Basically I wish we had the same functionalities we have in spring core.
      This is especially useful for the Post

      Currently I found the following way to use beans in the expression language

      • I access it via a custom method
      • that is defined in a custom MethodSecurityExpressionHandler
      • that overrides the "public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi)"
      • then set the <expression-handler ref="" />

          Activity

          Luke Taylor added a comment -

          I've added a PropertyAccessor which looks up property names as beans in the application context. It is used in both method and web security expression handling. Note that the bean names should be used without a "#" prepended, unlike method arguments.

          Stephane Rondal added a comment -

          Thanks for this fix. Is there any example/documentation on how to use this new possibility?
          I cannot make it work using the examples given in the description.


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Florent Ramiere
            • Votes:
              3
              Watchers:
              2
