Spring Security
  1. Spring Security
  2. SEC-1456

Allow runtime expressions for security:authorize url-attribute

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Taglibs
    • Labels:
      None

      Description

      The security:authorize tablib doesn't allow you to use runtime expresssions for the url-attribute. This prevents us from using code like the following snippet:

      ...
      <c:forEach items="$

      {pages}

      " var="page">
      <security:authorize url="$

      {page.url}

      ">
      <li>....</li>
      </security:authorize>
      </c:forEach>
      ...

      My suggestion is to set rtexprvalue to true for the url-attribute.

        Activity

        Hide
        Luke Taylor added a comment -

        Makes sense. Applied in 3.0.x and master branches.

        Show
        Luke Taylor added a comment - Makes sense. Applied in 3.0.x and master branches.
        Hide
        Gert Buys added a comment -

        What if you wanted to have JSP EL in something like <security:authorize access="hasRole('$

        {role}

        ')" > ? Is it considered best practice to turn to the url attribute instead and link the url to roles in intercept-url? The access attribute seems rather inflexible then.

        Show
        Gert Buys added a comment - What if you wanted to have JSP EL in something like <security:authorize access="hasRole('$ {role} ')" > ? Is it considered best practice to turn to the url attribute instead and link the url to roles in intercept-url? The access attribute seems rather inflexible then.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Joakim Kemeny
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: