
  • sec:accesscontrollist hasPermission only support single permission and name based

    The Spring Security documentation (http://static.springsource.org/sprin...e/taglibs.html), section 20.4, mentions that
    Code:
    <sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">
    
    This will be shown if the user has either of the permissions 
    represented by the values "1" or "2" on the given object.
    
    </sec:accesscontrollist>
    When I tested it, it doesn't even work with an integer value. It only works if the value is the name of the permission (e.g. ADMINISTRATION, WRITE, READ, etc.). Moreover, it does not support multiple permissions. It boils down to AccessControlListTag.java, particularly the following lines:
    Code:
    if (permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(),
            domainObject, hasPermission)) {
        return evalBody();
    }
    which does not parse each individual permission before passing to the permissionEvaluator.

    I might be missing something here, but is anyone else encountering something like this?

  • #2
    I just encountered the same problem. We currently use Spring 3.0.5 and Spring Security 3.0.5. I upgraded to 3.1.2 and 3.1.1, respectively, and received error messages complaining about both comma-delimited permission names and integer masks. I don't have any suggestion for a fix, but the behavior is unexpected.



    • #3
      I logged SEC-2022 and SEC-2023. In the meantime you can either decorate your PermissionEvaluator interface or use the following:

      Code:
      <security:authorize access="hasPermission(#object,'READ') and hasPermission(#object,'WRITE')">
      <security:authorize access="hasPermission(#object,1) and hasPermission(#object,2)">


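The decorator approach suggested in #3, sketched as an added example (not part of the original thread and not Spring Security's own code): the hypothetical class `AnyOfPermissionEvaluator` wraps an existing `PermissionEvaluator`, splits a comma-separated value, and grants access if any single permission matches, following the "either of the permissions" wording quoted from the documentation. It assumes the wrapped evaluator accepts a single permission name or an `Integer` mask.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/** Hypothetical decorator (not Spring Security code): comma-separated, any-of matching. */
public class AnyOfPermissionEvaluator implements PermissionEvaluator {
    private final PermissionEvaluator delegate; // assumption: the evaluator already configured

    public AnyOfPermissionEvaluator(PermissionEvaluator delegate) {
        this.delegate = delegate;
    }

    public boolean hasPermission(Authentication auth, Object domainObject, Object permission) {
        for (Object single : split(permission)) {
            if (delegate.hasPermission(auth, domainObject, single)) {
                return true; // any one of the listed permissions is enough
            }
        }
        return false; // fail closed: a null, empty or blank list grants nothing
    }

    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
            Object permission) {
        for (Object single : split(permission)) {
            if (delegate.hasPermission(auth, targetId, targetType, single)) {
                return true;
            }
        }
        return false;
    }

    /** "1, WRITE" becomes [Integer 1, "WRITE"]; non-String permissions pass through unchanged. */
    static List<Object> split(Object permission) {
        List<Object> out = new ArrayList<Object>();
        if (!(permission instanceof String)) {
            if (permission != null) out.add(permission);
            return out;
        }
        for (String token : ((String) permission).split(",")) {
            String t = token.trim();
            if (t.isEmpty()) continue; // skip blanks such as "1,,2"
            // Short digit runs are treated as masks; everything else is passed on as a name.
            out.add(t.matches("\\d{1,9}") ? (Object) Integer.valueOf(t) : t);
        }
        return out;
    }
}
```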

      • #4
        Thanks for the quick response & fix!



        • #5
          This is the answer I have been needing, and today I finally found it. Thanks for sharing, it is really a good article.
