There has been some discussion about this issue in the forum.
The main point was how to use a custom expression handler instead of the default one created when working with jsp tags.
The workaround I suggested was to add the expression handler before the http element, so that it would be used by authorize tags with the access attribute.
And also to add a custom access decision manager with the same expression handler so that it would be used by authorize tags with the url attribute.
But the question remains, what are the plans for this?
Luke, you already answered in that thread, but if you would have some time to read some of the posts from page 3, I would like to know what you think about it.
I'm posting here the workaround for the people who don't have time to check that thread:
<!-- This must go before the http element in order to be used by security:authorize tags using the access attribute -->
<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="roleHierarchy" ref="roleHierarchy" />
</bean>
<security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
</security:http>
<!-- security:authorize tags using the url attribute will delegate to this accessDecisionManager -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <!-- The voter, not AffirmativeBased itself, is what takes the expression handler -->
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="expressionHandler" />
            </bean>
        </list>
    </property>
</bean>
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_A > ROLE_B
            ROLE_B > ROLE_AUTHENTICATED
        </value>
    </property>
</bean>
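
Added example, not part of the original post and not Spring Security code: a simplified Python model of why the authorize tags need the handler that carries the roleHierarchy. It assumes the default handler has no hierarchy configured; all function names are hypothetical.

```python
# Simplified model of role-hierarchy expansion; this is not Spring Security code.
# HIERARCHY is constructed from the "HIGHER > LOWER" lines of the roleHierarchy bean.
HIERARCHY = """
ROLE_A > ROLE_B
ROLE_B > ROLE_AUTHENTICATED
"""


def parse_hierarchy(text):
    """Return {role: set of roles it directly implies}."""
    edges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        higher, sep, lower = (part.strip() for part in line.partition(">"))
        if not sep or not higher or not lower:
            raise ValueError(f"malformed hierarchy line: {line!r}")
        edges.setdefault(higher, set()).add(lower)
    return edges


def reachable(granted, edges):
    """Expand the granted roles with every role they imply, transitively."""
    seen = set(granted)
    todo = list(granted)
    while todo:
        for lower in edges.get(todo.pop(), ()):
            if lower not in seen:  # also keeps a cyclic hierarchy from looping
                seen.add(lower)
                todo.append(lower)
    return seen


def has_role(granted, role, edges=None):
    """Model of a hasRole() check; edges=None stands for a handler without a hierarchy."""
    effective = set(granted) if edges is None else reachable(granted, edges)
    return role in effective


def tag_decisions(granted, role):
    """Same check evaluated by a hierarchy-less handler and by the custom one."""
    edges = parse_hierarchy(HIERARCHY)
    return {"default_handler": has_role(granted, role),
            "custom_handler": has_role(granted, role, edges)}
```

A user holding only ROLE_A fails a ROLE_AUTHENTICATED check under the hierarchy-less handler and passes it under the custom one, so a tag and a URL rule wired to different handlers can disagree about the same user.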