  • sec:authorize with url when having two http namespace elements with different pattern

    I'm using Spring Security 3.1.0-RELEASE and I have a problem using the authorize JSP tag with a URL because I have two http elements:
    - The first for a particular pattern, associated with a custom authentication provider, entry point and filter.
    - The second for the rest (classical login).
    They use different types of principals.

    Pretty much like this (I simplified it a lot hoping it will only give the relevant information):
        <http use-expressions="true" pattern="/signage/**">
            <!-- custom authentication provider, entry point and filter (omitted) -->
        </http>
        <http use-expressions="true">
            <http-basic />
            <form-login />
            <logout />
        </http>
    I was wondering how I can use the authorize tag with a URL, given that I have two potential WebInvocationPrivilegeEvaluator instances. In my case, I would like to use the authorize tag with the second one, but the tag seems to take the first available one from the context, and I cannot put it first because I need the most specific pattern to be first.

    Extract from AbstractAuthorizeTag:327:338
    private WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() throws IOException {
            ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
            Map<String, WebInvocationPrivilegeEvaluator> wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
            if (wipes.size() == 0) {
                throw new IOException(
                        "No visible WebInvocationPrivilegeEvaluator instance could be found in the application "
                                + "context. There must be at least one in order to support the use of URL access checks in 'authorize' tags.");
            }
            // Always returns the first evaluator found, regardless of which <http> pattern the URL falls under
            return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0];
    }
    In case there are many WebInvocationPrivilegeEvaluator instances, I would have expected a mechanism to select the right one according to the pattern set by the http element, but maybe I missed something here.

    Any suggestion?
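
The pattern-based selection the post asks about, written as an added example (not part of the original post and not Spring Security's own code). The class name `PatternDelegatingPrivilegeEvaluator` is hypothetical, and obtaining the evaluator that belongs to each `<http>` element is assumed and not shown. Because the tag in the extract above returns the first `WebInvocationPrivilegeEvaluator` bean it finds, this class only takes effect if it is that bean.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.util.AntPathMatcher;

/** Hypothetical helper: routes a URL access check to the evaluator of the matching <http> element. */
public class PatternDelegatingPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {

    private final AntPathMatcher matcher = new AntPathMatcher();
    // Ordered map: most specific pattern first, mirroring the order of the <http> elements.
    private final Map<String, WebInvocationPrivilegeEvaluator> byPattern;
    // Evaluator of the <http> element without a pattern, used when nothing else matches.
    private final WebInvocationPrivilegeEvaluator fallback;

    public PatternDelegatingPrivilegeEvaluator(
            LinkedHashMap<String, WebInvocationPrivilegeEvaluator> byPattern,
            WebInvocationPrivilegeEvaluator fallback) {
        this.byPattern = new LinkedHashMap<String, WebInvocationPrivilegeEvaluator>(byPattern);
        this.fallback = fallback;
    }

    public boolean isAllowed(String uri, Authentication authentication) {
        return isAllowed(null, uri, null, authentication);
    }

    public boolean isAllowed(String contextPath, String uri, String method,
            Authentication authentication) {
        // Ask the evaluator whose access rules would apply to this URL at request time,
        // so the tag's answer agrees with what the filter chain enforces.
        return select(uri).isAllowed(contextPath, uri, method, authentication);
    }

    private WebInvocationPrivilegeEvaluator select(String uri) {
        // Match on the path only; a query string must not influence chain selection.
        int q = uri.indexOf('?');
        String path = (q >= 0) ? uri.substring(0, q) : uri;
        for (Map.Entry<String, WebInvocationPrivilegeEvaluator> e : byPattern.entrySet()) {
            if (matcher.match(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return fallback;
    }
}
```

With `/signage/**` mapped to the first element's evaluator and the second element's evaluator as the fallback, a tag check for a non-signage URL is answered by the form-login chain's rules.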