Question on "URL access checks in 'authorize' tags"

  • Question on "URL access checks in 'authorize' tags"

    I am using expression true to enable Expression-Based Access Control
    <security:filter-security-metadata-source lowercase-comparisons="true" use-expressions="true">


    In my JSP page

    <security:authorize url="/setup*" >
    ---show setup page--
    </secu....>

    <security:authorize url="/profile*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" >
    ---show profile page--
    </secu....>


    While rendering the JSP I am getting the error below (from the 1st line, i.e. url="/setup*")

    javax.servlet.jsp.JspException: No visible WebInvocationPrivilegeEvaluator instance could be found in the application context. There must be at least one in order to support the use of URL access checks in 'authorize' tags.

    Help appreciated.

    Thanks

  • #2
    http://forum.springsource.org/showth...ilegeEvaluator

    Also explained in the section on the "authorize" tag in the manual.



    • #3
      Thanks Luke.

      My understanding:
      Since I am not using the security:http namespace, I have to register an instance of WebInvocationPrivilegeEvaluator.

      Is there a way to associate the custom bean (which registers Create and register a WebInvocationPrivilegeEvaluator) with <security:filter-security-metadata-source....,
      as I will not be using the sec:http namespace?

      Thanks.



      • #4
        Originally posted by [email protected]
        my understanding:
        since I am not using security:http namespace, I have to register an instance of WebInvocationPrivilegeEvaluator.

        That's correct.

        Originally posted by [email protected]
        Is there a way to associate the custom bean (which registers Create and register a WebInvocationPrivilegeEvaluator) with <security:filter-security-metadata-source....

        Not quite sure what you mean here. You can either implement WebInvocationPrivilegeEvaluator yourself (and pass it a reference) or use DefaultWebInvocationPrivilegeEvaluator.

        The latter takes a reference to the security interceptor in its constructor and will attempt to obtain the FilterSecurityMetadataSource reference from the interceptor.



        • #5
          Originally posted by Luke Taylor
          You can either implement WebInvocationPrivilegeEvaluator yourself (and pass it a reference) or use DefaultWebInvocationPrivilegeEvaluator.

          <bean id="WebInvocationFilter" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator" >
            <constructor-arg ref="filterInvocationInterceptor"/>
          </bean>

          <bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="accessDecisionManager" ref="accessDecisionManager"/>
            <property name="securityMetadataSource">
              <security:filter-security-metadata-source lowercase-comparisons="true" use-expressions="true">

              </security:filter-security-metadata-source>
            </property>
          </bean>

          Can I use it like above? Now it doesn't throw an error, but neither does it respond properly to the <security:authorize url="/setup"> tag, i.e. it allows the user even though they don't have the privilege.

          Am I missing something?


          Thanks,



          • #6
            I got it fixed. Thanks Luke.

            Added custom WIPEvaluator that implements WebInvocationPrivilegeEvaluator

            <bean id="webInvocationFilter" class="com.mypackage.WIPEvaluator" >
            <constructor-arg ref="filterInvocationInterceptor"/>
            </bean>

            <bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="accessDecisionManager" ref="accessDecisionManager"/>
            <property name="securityMetadataSource">
            <security:filter-security-metadata-source lowercase-comparisons="true" use-expressions="true">
            ...
            </bean>

            ---

            JSP

            <security:authorize url="/setup/*">
            </se..>

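An added example, not configuration posted by anyone in the thread: a complete wiring of the beans discussed above, assuming Spring Security 3.0.x. DefaultWebInvocationPrivilegeEvaluator reports a URL as allowed when no intercept-url matches it (unless the interceptor's rejectPublicInvocations property is set), so this version lists rules for the URLs used in the JSP and ends with a catch-all. The ROLE_ADMIN rule for /setup*, the voter list and the evaluator's bean id are assumptions.

```xml
<!-- Added example; assumes Spring Security 3.0.x and the "security" prefix used in the thread. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- use-expressions="true" yields expression attributes; only WebExpressionVoter
       votes on them, so it has to be among the decision voters. -->
  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list>
        <bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
      </list>
    </property>
  </bean>

  <bean id="filterInvocationInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <!-- "authenticationManager" is assumed to be defined elsewhere, as in the thread. -->
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="securityMetadataSource">
      <security:filter-security-metadata-source lowercase-comparisons="true" use-expressions="true">
        <!-- ROLE_ADMIN for /setup* is an assumed rule; the /profile* rule is the one from the JSP. -->
        <security:intercept-url pattern="/setup*" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/profile*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
        <!-- Catch-all last: every URL now has a rule, so nothing is allowed by omission. -->
        <security:intercept-url pattern="/**" access="denyAll"/>
      </security:filter-security-metadata-source>
    </property>
  </bean>

  <!-- The authorize tag looks this bean up by type; the id is arbitrary. -->
  <bean id="webInvocationPrivilegeEvaluator"
        class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
    <constructor-arg ref="filterInvocationInterceptor"/>
  </bean>
</beans>
```

The denyAll catch-all also applies to real requests passing through this interceptor, so pages that must stay public need their own permitAll rule above it.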
