  • Method Security\Controller with custom permission evaluator

    Hi, I'm really a newb so I apologize if the question is out of place.

    I'm trying to get Method Security working with custom permission evaluator.
    Here is my configuration:


            <expression-handler ref="expressionHandler"/>
        <b:bean id="expressionHandler" class="">
            <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
        <b:bean id="permissionEvaluator" class="">
        <http use-expressions="true" auto-config="true">
            <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <!--<intercept-url pattern="/test" access="hasPermission('Moshe')"/>-->
            <form-login />
            <logout />
            <remember-me />
            <!--<custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER"/>-->
                <password-encoder hash="md5"/>
                    <user name="benny" password="42f4b247702c99bda0fc7bcc41c70d19" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_ADMIN" />
                    <user name="shira" password="d860b866e9023673fd802d97b97fc357" authorities="ROLE_USER" />
        <!-- Automatically receives AuthenticationEvent messages -->
        <b:bean id="loggerListener" class=""/>

    <bean name="/test" class="" />
        <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <property name="prefix" value="/WEB-INF/views/"/>
            <property name="suffix" value=".jsp"/>
    I managed to get the @Secured annotation working, but not with the 'hasPermission' expression. Is it possible to use both?

    If it's not possible, I'd like to use hasPermission because I want to handle my own permissions, so I'd like to use it with the @PreAuthorize annotation, which I couldn't get to work, even when I didn't use hasPermission and used @PreAuthorize("hasRole('ROLE_ADMIN')") instead.

    I read this FAQ question and answer:
    I have added Spring Security's <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don't seem to have an effect.

    The application context which holds the Spring MVC beans for the dispatcher servlet is a child application context of the main application context which is loaded using the ContextLoaderListener you define in your web.xml. The beans in the child context are not visible in the parent context so you need to either move the <global-method-security> declaration to the web context or move the beans you want secured into the main application context.
    But I didn't really understand it.
    The object I want to secure is an object in my domain; how do I register it with the access decision manager?

    Is there another way I can grant access using my own custom permission evaluator without using hasPermission?
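
The FAQ answer quoted in the post, shown as an added configuration example (not part of the original post or the poster's files): the DispatcherServlet context declares `<global-method-security>` itself, with both annotation types enabled and the custom evaluator wired into the expression handler. It assumes Spring Security 3.x namespace configuration; the `com.example` class names are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: DispatcherServlet (child) context, i.e. the file that defines the controllers -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Declared in the same context as the controller beans, so method
         security is applied to them. pre-post-annotations enables
         @PreAuthorize/@PostAuthorize; secured-annotations enables @Secured.
         Both can be enabled together. -->
    <security:global-method-security pre-post-annotations="enabled"
                                     secured-annotations="enabled">
        <!-- Without this, hasPermission(...) is not routed to the custom evaluator -->
        <security:expression-handler ref="expressionHandler"/>
    </security:global-method-security>

    <bean id="expressionHandler"
          class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator"/>
    </bean>

    <!-- Hypothetical class implementing
         org.springframework.security.access.PermissionEvaluator;
         it should return false for any target or permission it does not recognise -->
    <bean id="permissionEvaluator" class="com.example.security.DomainPermissionEvaluator"/>

    <!-- Hypothetical controller whose handler method carries
         @PreAuthorize("hasPermission(#id, 'Account', 'read')") -->
    <bean name="/test" class="com.example.web.TestController"/>
</beans>
```

The `<http>` and authentication-manager configuration stays in the root context loaded by ContextLoaderListener; only the method-security declaration needs to sit alongside the beans it secures.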