
  • SpEL and Spring Security 3: accessing bean reference in @PreAuthorize

    I'm trying to access a bean reference in a @PreAuthorize annotation as follows:

    @PreAuthorize("#{ @testBean.getTestBoolean()}")
    public String testSpEL() {

    I have a test bean configured as follows:

    public class TestBean {
        public boolean getTestBoolean() {
            return true;
        }
    }

    When I try to access the testSpEL() method however, I'm confronted with the following exception:

    Caused by: org.springframework.expression.spel.SpelParseException: EL1043E:(pos 1): Unexpected token. Expected 'identifier' but was 'lcurly({)'
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.raiseInternalException(Int
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatToken(InternalSpelExpre
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.maybeEatFunctionOrVar(Inte
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatStartNode(InternalSpelE
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatPrimaryExpression(Inter
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatUnaryExpression(Interna
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatPowerExpression(Interna
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatProductExpression(Inter
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatSumExpression(InternalS
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatRelationalExpression(In
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatLogicalAndExpression(In
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatLogicalOrExpression(Int
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatExpression(InternalSpel
    at org.springframework.expression.spel.standard.InternalSpelExpressionParser.doParseExpression(Internal

    I have thoroughly done my research but I can't find anywhere what I need to change in my configuration to get this to work. Any pointers?


    Kind regards, Jonck

    P.S. I'm using Spring 3.0.5. The following seems to indicate this type of functionality should work:

  • #2
    Try just using "testBean.getTestBoolean()" (without the #{} or the @).

    Spring Security doesn't register any BeanResolvers with the EvaluationContext, but will resolve the bean names directly as properties against the ApplicationContext.


    • #3
      This causes a different exception:

      Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'testBean' cannot be found on object of type ' thod.MethodSecurityExpressionRoot'
      at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReferen
      at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldRef
      at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal( 52)
      at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(
      at org.springframework.expression.spel.standard.SpelExpression.getValue(
      at ressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)


      • #4
        Sorry, my mistake. This is only available in the 3.1 codebase:

        We should probably look at supporting the standard Spring syntax instead.


        • #5
          I have upgraded to Spring Security 3.1.0.RC1 and I can confirm that the syntax "testBean.getTestBoolean()" does indeed work now.

          Thanks for your help!
          Last edited by venercogo; Apr 22nd, 2011, 05:34 AM.


          • #6
            I've changed things to use the Spring '@' syntax and BeanResolver. So the next release will support "@testBean.getTestBoolean()" instead of the plain property name. See SEC-1723.


            • #7
              Shouldn't this then be "#{ @testBean.getTestBoolean()}" if you want to be compliant with standard SpEL syntax?


              • #8
                There's no need for delimiters since there is no need to differentiate between expressions and non-expressions, as there is when using them in an application context, for example.

                The expression is passed directly to the SpelExpressionParser, so the expression evaluation is entirely done by Spring.
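The behaviour discussed in posts #2 to #8, reproduced outside Spring Security as an added example (not code from the thread or from the Spring Security project). It assumes spring-expression, spring-beans and spring-context on the classpath; `PreAuthorizeSpelDemo` and `DemoRoot` are hypothetical names, and `DemoRoot` only stands in for the expression root object.

```java
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class PreAuthorizeSpelDemo {
    /** Same shape as the bean discussed in the thread. */
    public static class TestBean {
        public boolean getTestBoolean() { return true; }
    }

    /** Hypothetical root object; it has no 'testBean' property. */
    public static class DemoRoot { }

    /** Parses and evaluates expr; returns the value or the exception class and message. */
    static String eval(StandardEvaluationContext ctx, String expr, boolean template) {
        ExpressionParser parser = new SpelExpressionParser();
        try {
            Object value = template
                    ? parser.parseExpression(expr, new TemplateParserContext()).getValue(ctx)
                    : parser.parseExpression(expr).getValue(ctx);
            return String.valueOf(value);
        } catch (ExpressionException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory beans = new DefaultListableBeanFactory();
        beans.registerSingleton("testBean", new TestBean());

        StandardEvaluationContext bare = new StandardEvaluationContext(new DemoRoot());
        StandardEvaluationContext resolving = new StandardEvaluationContext(new DemoRoot());
        resolving.setBeanResolver(new BeanFactoryResolver(beans)); // enables @beanName
        // Delimited form from the first post, handed to the raw parser.
        System.out.println(eval(resolving, "#{ @testBean.getTestBoolean()}", false));
        // Plain property name: looked up on the root object, not the bean factory.
        System.out.println(eval(bare, "testBean.getTestBoolean()", false));
        // '@' reference without and with a BeanResolver registered.
        System.out.println(eval(bare, "@testBean.getTestBoolean()", false));
        System.out.println(eval(resolving, "@testBean.getTestBoolean()", false));
        // Delimiters are only meaningful under a template parser context.
        System.out.println(eval(resolving, "#{ @testBean.getTestBoolean()}", true));
    }
}
```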


                • #9
                  That makes sense, thanks for explaining!


                  • #10
                    I have written a blog post regarding this subject, you can find it here:



                    • #11
                      I have a problem with @PreAuthorize and accessing a bean in an expression. The running Spring Security version is 3.1.0RC2.
                      INFO  [SpringSecurityCoreVersion:29] : You are running with Spring Security Core 3.1.0.RC2
                      INFO  [SecurityNamespaceHandler:57] : Spring Security 'config' module version is 3.1.0.RC2
                      <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
                      Controller code:
                      class TestController {
                      	public boolean isOk() {
                      		return true;
                      	}
                      	public String testPage() {
                      		return "test";
                      	}
                      }
                      I get error:
                      java.lang.IllegalArgumentException: Failed to evaluate expression 'testController.isOk()'
                      Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'testController' cannot be found on object of type ''
                      	at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(
                      	at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(
                      	at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(
                      	at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(
                      	at org.springframework.expression.spel.standard.SpelExpression.getValue(
                      	... 79 more
                      Does anybody know what is wrong with that?
                      Last edited by marioosh; Sep 16th, 2011, 04:15 AM.


                      • #12

                        As Luke Taylor wrote, the syntax has been changed slightly in the new release.

                        "I've changed things to use the Spring '@' syntax and BeanResolver. So the next release will support "@testBean.getTestBoolean()" instead of the plain property name. See SEC-1723."

                        Try changing your syntax to match what Luke wrote.

                        Kind regards, Jonck


                        • #13
                          Doubt anyone is watching this thread anymore, but I created a small workaround to add support in Spring Security 3.0.x.

                          For anyone stuck on Spring Security 3.0.x I have a somewhat simple workaround. Add this class in your application-securityContext.xml (or whatever):


                          It injects a BeanFactoryResolver into the Spring Security code, which is all the Spring Security 3.1.x fix has. Support for the syntax is already in 3.0.x. It allows you to use the syntax from 3.1.x, ala: