Spring Security / SEC-1749

hasPermission method in the AuthorizeTag

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.5, 3.1.0.RC2
    • Fix Version/s: 3.1.0.RC3
    • Component/s: Taglibs
    • Labels: None

      Description

      For the moment, to check the permission on an object in a JSP page, you can use the AccessControlListTag.

      But I think it would be a good idea to call the hasPermission method from the AuthorizeTag:
      <sec:authorize access="hasPermission(#book, 'write')"> where the book variable is provided from the page context.

      Related issue: SEC-1560.

      Now, when you call the hasPermission method from the AuthorizeTag, this throws a NullPointerException because the permissionEvaluator is not defined in the WebSecurityExpressionRoot:
      Caused by: java.lang.NullPointerException
      at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:128)

      Attachment: SEC-1749.patch (15 kB, Thomas Champagne)

        Activity

        Thomas Champagne added a comment -

        I created a patch for this feature:
        In the DefaultWebSecurityExpressionHandler, override the createEvaluationContextInternal method and create a WebSecurityEvaluationContext.
        In this WebSecurityEvaluationContext, override the lookupVariable method and look up variables in the page context.
        I also added unit tests on AuthorizeTag to test the "access" attribute.

        To configure your webapp correctly, you must manually define a DefaultWebSecurityExpressionHandler in your context and put it in the http tag with the "access-decision-manager-ref" attribute (see SEC-1452):

        <b:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
            <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
        </b:bean>

        <b:bean id="webAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
            <b:property name="decisionVoters">
                <b:list>
                    <b:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                        <b:property name="expressionHandler" ref="webSecurityExpressionHandler"/>
                    </b:bean>
                </b:list>
            </b:property>
        </b:bean>

        <http use-expressions="true" access-decision-manager-ref="webAccessDecisionManager">
        ...
        </http>

        I hope that this patch will be integrated in version 3.1.

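        The approach the comment above describes, as an added illustration (not the attached SEC-1749.patch and not Spring Security's own code): a DefaultWebSecurityExpressionHandler subclass whose evaluation context falls back to the JSP PageContext when resolving #variables such as #book. It assumes the Spring Security 3.1 createEvaluationContextInternal hook and, as a stand-in for the tag wiring, a thread-local through which the tag hands its PageContext to the handler; both are assumptions.

```java
import javax.servlet.jsp.PageContext;

import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

// Illustration of the approach described in the comment (not the attached patch and
// not Spring Security's own code). Assumes Spring Security 3.1's
// createEvaluationContextInternal hook. How the PageContext reaches the handler is
// an assumption: here the tag stores it in a thread-local before evaluating "access".
public class PageContextWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
    private static final ThreadLocal<PageContext> CURRENT_PAGE = new ThreadLocal<PageContext>();

    // Hypothetical hook called by the tag: set before evaluation, cleared afterwards
    // so a pooled thread never sees a stale PageContext from an earlier request.
    public static void setPageContext(PageContext pageContext) {
        if (pageContext == null) {
            CURRENT_PAGE.remove();
        } else {
            CURRENT_PAGE.set(pageContext);
        }
    }

    @Override
    protected StandardEvaluationContext createEvaluationContextInternal(
            Authentication authentication, FilterInvocation fi) {
        return new WebSecurityEvaluationContext(CURRENT_PAGE.get());
    }

    // Evaluation context that resolves #variables such as #book from the page context
    // when they are not set explicitly on the context itself.
    static class WebSecurityEvaluationContext extends StandardEvaluationContext {
        private final PageContext pageContext;

        WebSecurityEvaluationContext(PageContext pageContext) {
            this.pageContext = pageContext;
        }

        @Override
        public Object lookupVariable(String name) {
            Object value = super.lookupVariable(name);
            if (value == null && pageContext != null) {
                // findAttribute searches page, request, session and application scope in turn
                value = pageContext.findAttribute(name);
            }
            return value;
        }
    }
}
```

        The permissionEvaluator property still has to be set on the handler bean, as in the configuration above, or hasPermission fails with the NullPointerException from the description.
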
        Luke Taylor added a comment (edited)

        Hi Thomas. I already did some work on this following your comments in SEC-1560. I've pushed the changes to

        http://git.springsource.org/~ltaylor/spring-security/lukes-spring-security/commits/jspPermissionEval

        There are similarities with your patch, but the PageContext is used to look up objects, rather than just the request. Also, some support in the namespace will be needed so that the expression handler can be shared between the AccessDecisionManager and the FilterSecurityInterceptor. There is already an issue open for that.

        Luke Taylor added a comment -

        Ok, I've pushed the changes to master. The namespace support is added under SEC-1452.

        Thomas Champagne added a comment -

        Thank you again for including this feature and others (like SEC-1452 and SEC-1560) in version 3.1.


          People

          • Assignee: Luke Taylor
          • Reporter: Thomas Champagne
          • Votes: 0
          • Watchers: 1