
  • hasPermission in sec:authorize

    Hi,

    I am using a custom PermissionEvaluator and I want to use it in my JSP views. So I tried to use the following syntax:

    Code:
    <sec:authorize access="hasPermission(#user, 'update')">
    something secured
    </sec:authorize>
    But when I call this view I get the following exception (I shortened it):
    Code:
    WARNUNG: ApplicationDispatcher[/Omnibus] PWC1231: Servlet.service() for servlet jsp threw exception
    java.lang.NullPointerException
            at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:137)
    That can only be the permissionEvaluator! How can I inject my permissionEvaluator into the SecurityExpressionRoot?

    thx for any help

  • #2
    Currently the authorize tag uses the WebExpressionHandler, which doesn't support the use of a PermissionEvaluator or "hasPermission()" expressions. Ideally it shouldn't throw an NPE though if you try to use them, so please open an issue and we'll try and tidy this up.



    • #3
      Hi Luke.

      Quite interesting point!

      We are in the same situation. We use ACL and have a customized PermissionEvaluator. For example, a user is granted access if he has explicit rights on the user in the ACL tables or implicit rights because he has ACL rights for the department of the user. This works fine with annotations in the business layer, but what to do in the JSPs?

      We found the authorize and accesscontrollist TAGs but both seem not to support any customized PermissionEvaluator. :-(

      So what would be the best solution to re-use our logic in the customized PermissionEvaluator?

      Thanks for any help,

      bye Horst



      • #4
        Hi.

        We extended the AccessControlListTag and in doStartTag replaced the ACLService stuff with this code:
        Code:
        try {
            permissionEvaluator = (WebcodesPermissionEvaluator) this.getContext(this.pageContext).getBean(
                "permissionEvaluator");
        } catch (Exception e) {
            // 0 == Tag.SKIP_BODY: the tag body is not rendered if the evaluator bean cannot be loaded
            return 0;
        }

        boolean pe = permissionEvaluator.hasPermission(authentication, this.domainObject, permission);
        Perhaps not the best solution, but it works.



        • #5
          There is an issue about using PermissionEvaluator in the authorize tag: SEC-1560.
          But for the moment, there is no plan to integrate in version 3.1.
          Thomas



          • #6
            Probably it was fixed in 3.1. At least I got both authorize and accesscontrollist TAGs working with a custom PermissionEvaluator:

            Code:
            <http entry-point-ref="casEntryPoint" use-expressions="true" >
            ...
                    <intercept-url pattern="/11*" access="hasPermission('strObject', 'truePermission')"/>
            
            ...
                    <expression-handler ref="webExpressionHandler"/>
            </http>
            ....
            <b:bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
                    <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
            </b:bean>
            Note:
            Code:
            <sec:authorize access="hasPermission(#varName, 'some_permission')">
            will try to resolve "varName" by using pageContext.findAttribute("varName"). Looks like the accesscontrollist tag is easier to use.

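For readers wiring the configuration from post #6, here is an evaluator that fits the bean reference `permissionEvaluator` and the kind of rule described in post #3 (explicit right on a user, or an implicit right through the user's department). It is an added example, not code from any poster or from Spring Security itself; the class name, the `User` type and the in-memory grants map are hypothetical stand-ins for a real ACL lookup, and it needs spring-security-core on the classpath. Because the tag resolves `#varName` through `pageContext.findAttribute`, the evaluator treats a missing (null) object as a denial.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not code from the thread. The class, the User type and the
// in-memory grants map are hypothetical stand-ins for the ACL lookup in post #3.
public class DepartmentPermissionEvaluator implements PermissionEvaluator {
    /** Hypothetical domain object a controller would expose as a page/request attribute. */
    public static class User {
        final String name, department;
        public User(String name, String department) { this.name = name; this.department = department; }
    }
    private final Map<String, Set<String>> grants; // principal -> "scope:id:permission"
    public DepartmentPermissionEvaluator(Map<String, Set<String>> grants) { this.grants = grants; }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // #user is looked up with pageContext.findAttribute(); a missing attribute
        // arrives here as null, so anything that is not a User is denied.
        if (auth == null || !auth.isAuthenticated() || !(target instanceof User) || permission == null) {
            return false;
        }
        User user = (User) target;
        Set<String> held = grants.getOrDefault(auth.getName(), Collections.<String>emptySet());
        return held.contains("user:" + user.name + ":" + permission)        // explicit right
            || held.contains("dept:" + user.department + ":" + permission); // implicit via department
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // id-based checks are not implemented here: fail closed
    }

    public static void main(String[] args) {
        // Constructed sample data: alice may update anyone in the "sales" department.
        PermissionEvaluator pe = new DepartmentPermissionEvaluator(
            Collections.singletonMap("alice", Collections.singleton("dept:sales:update")));
        Authentication alice = new UsernamePasswordAuthenticationToken(
            "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        System.out.println(pe.hasPermission(alice, new User("bob", "sales"), "update")); // same department
        System.out.println(pe.hasPermission(alice, new User("carol", "hr"), "update"));  // other department
        System.out.println(pe.hasPermission(alice, null, "update"));                     // attribute missing
    }
}
```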