
spring-security-3.0.xsd misses expression-handler tag under http tag

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.RC3
    • Component/s: Web
    • Labels: None

      Description

      FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource is able to set up a custom expression handler for security tags (I've checked with sec:authorize),
      but since the XSD is missing the tag declaration, you cannot declare that custom handler.

      Therefore, while you can have a custom handler for methods (via global-method-security), you can't have one for JSP tags.

      Adding the expression-handler declaration (attached simple patch) frees the developer.

      The need for this is that I've created my own WebSecurityExpressionRoot implementation with additional methods (hasFunction, hasApplication...).

      Attachments
        • xsd.patch (0.7 kB), attached by Federico Fissore


          Activity

          Luke Taylor added a comment -

          Not a bug, as this was deliberately left out of the 3 release.

          Triqui Galletas added a comment -

          There has been some discussion about this issue in the forum.
          The main point was how to use a custom expression handler instead of the default one created when working with jsp tags.

          The workaround I suggested was to add the expression handler before the http element, so that it would be used by authorize tags with the access attribute.
          And also to add a custom access decision manager with the same expression handler so that it would be used by authorize tags with the url attribute.

          But the question remains, what are the plans for this?
          Luke, you already answered in that thread, but if you would take some time to read some of the posts from page 3, I would like to know what you think about it.

          I'm posting here the workaround for the people who don't have time to check that thread:

          applicationContext-security.xml
          <!-- This must go before the http element in order to be used by security:authorize tags using the access attribute -->
          <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
          	<property name="roleHierarchy" ref="roleHierarchy" />
          </bean>
          
          <security:http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
          	...
          </security:http>
          
          <!-- security:authorize tags using the url attribute will delegate to this accessDecisionManager -->
          <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
          	<property name="decisionVoters">
          		<list>
          			<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
          				<property name="expressionHandler" ref="expressionHandler" />
          			</bean>
          		</list>
          	</property>
          </bean>
          
          <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
          	<property name="hierarchy">
          		<value>
          			ROLE_A > ROLE_B
          			ROLE_B > ROLE_AUTHENTICATED
          			ROLE_AUTHENTICATED >
          			ROLE_UNAUTHENTICATED
          		</value>
          	</property>
          </bean>
          
          Stephen Todd added a comment -

          Hi!

          Is there any movement on this? Any updates on perhaps what has been decided?

          Andrew Largey added a comment -

          I ran into this issue as well. I have been able to solve the problem by implementing a BeanFactoryPostProcessor. This allows me to find the BeanDefinition for the DefaultWebSecurityExpressionHandler and change the class to my own subclass. Doing that in addition to defining the AccessDecisionManager made it so that I could use custom expressions in the intercept-url definitions and in the jsp tags.

          I am hoping that in a future release I will be able to specify the expression-handler instead.

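How the two pieces described in this thread fit together, as an added example that is not the issue's attached patch or Spring Security's own code: a handler subclass supplying a root with an extra method like the reporter's hasFunction, plus the BeanFactoryPostProcessor rewiring Andrew Largey describes. It assumes the 3.0.x API (WebSecurityExpressionHandler.createEvaluationContext(Authentication, FilterInvocation) overridable in the subclass); the hasFunction name, the "FUNCTION_" authority prefix and the class names are hypothetical choices made for this illustration.

```java
// Added example (not the issue's patch or Spring Security code); assumes the 3.0.x API.
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
public class FunctionExpressionHandler extends DefaultWebSecurityExpressionHandler {
    // Same wiring as the default handler, but with our root object, so that
    // hasFunction('ORDERS_EDIT') works in intercept-url access= and in the JSP tags.
    @Override
    public EvaluationContext createEvaluationContext(Authentication auth, FilterInvocation fi) {
        FunctionRoot root = new FunctionRoot(auth, fi);
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setRootObject(root);
        return ctx;
    }
    // Root with the reporter's extra method; hasFunction and the FUNCTION_ prefix are hypothetical.
    public static class FunctionRoot extends WebSecurityExpressionRoot {
        public FunctionRoot(Authentication auth, FilterInvocation fi) {
            super(auth, fi);
        }
        // Deny by default: a name that matches no granted authority evaluates to false.
        public boolean hasFunction(String name) {
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (("FUNCTION_" + name).equals(ga.getAuthority())) return true;
            }
            return false;
        }
    }
    // Andrew Largey's approach: swap the class of the handler bean registered by the
    // http namespace, since the 3.0 XSD has no expression-handler element to name ours.
    public static class Installer implements BeanFactoryPostProcessor {
        public void postProcessBeanFactory(ConfigurableListableBeanFactory bf) throws BeansException {
            String target = DefaultWebSecurityExpressionHandler.class.getName();
            for (String name : bf.getBeanDefinitionNames()) {
                BeanDefinition bd = bf.getBeanDefinition(name);
                if (target.equals(bd.getBeanClassName())) bd.setBeanClassName(FunctionExpressionHandler.class.getName());
            }
        }
    }
}
```

Registering the nested Installer as an ordinary bean (its class name is FunctionExpressionHandler$Installer) is enough; the role-hierarchy wiring the default handler offers is left out of this example, and the root treats a missing hierarchy as none.
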
          Luke Taylor added a comment -

          Added as part of the work on SEC-1560 and SEC-1749.


            People

            • Assignee: Luke Taylor
            • Reporter: Federico Fissore
            • Votes: 9
            • Watchers: 8