Spring Security: SEC-1611

Allow runtime expressions for security:authorize access-attribute

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.1.0.M2
    • Component/s: Taglibs
    • Labels: None

      Description

      Similar to SEC-1456, the security:authorize taglib doesn't allow you to use runtime expressions for the access attribute. This prevents us from using the tag in any kind of dynamic fashion; instead, roles must be hard-coded into the JSPs.

      Can runtime expressions be enabled?

        Activity

        Luke Taylor added a comment - - edited

        The access attribute takes an EL expression. Could you expand on the kind of use case you're envisaging which would require it to be a runtime expression in the JSP?

        Stephen Brandwood added a comment -

        I'm honestly not sure of the difference. I can see in 3.0.4's security.tld, that the access attribute has "<rtexprvalue>false</rtexprvalue>", whilst in response to SEC-1456 the url attribute has been given a value of true.

        Currently I cannot do this:

            <sec:authorize access="hasRole('${foo}')">

        Meaning I'm not able to create a generic .tag to be shared amongst JSPs, each needing different permissions.

        Luke Taylor added a comment -

        It's pretty common for a URL to be dynamically generated, hence the use of a runtime value for the url attribute. Personally I would avoid logic which involves passing security attributes into JSPs. If you are going to add this kind of thing to the view model, then you would be as well performing the access check externally and passing the result to the view, keeping the view as dumb as possible.

        However, it's a relatively innocuous change, so I've modified the tld to allow runtime expressions, should you wish to use them.

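The approach recommended in the comment above, performing the access check outside the view and passing only the result in, as an added example that is not part of this issue or of Spring Security's own code. The controller, role name and model attribute (`DocumentController`, `ROLE_EDITOR`, `canEdit`) are hypothetical; the JSP then needs no runtime expression inside `<sec:authorize>` at all.

```java
import java.util.Collection;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/*
 * Instead of letting the view choose which role to test
 * (<sec:authorize access="hasRole('${foo}')">, which needs rtexprvalue=true),
 * the controller decides and exposes only the outcome. The JSP becomes:
 *
 *   <c:if test="${canEdit}">
 *     <a href="edit">Edit</a>
 *   </c:if>
 */
@Controller
public class DocumentController {

    // Hypothetical role name; it never reaches the JSP.
    private static final String EDITOR_ROLE = "ROLE_EDITOR";

    @RequestMapping("/document")
    public String showDocument(Model model) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Only a boolean crosses into the view model.
        model.addAttribute("canEdit", hasAuthority(auth, EDITOR_ROLE));
        return "document"; // resolves to document.jsp
    }

    // True when the authenticated principal holds the given authority.
    static boolean hasAuthority(Authentication auth, String authority) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        for (GrantedAuthority ga : granted) {
            if (authority.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```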

          People

          • Assignee: Luke Taylor
          • Reporter: Stephen Brandwood
          • Votes: 0
          • Watchers: 0
