
Add custom Spring Security expression method

on Apr 8, 2011

There is no official way to add a custom security expression such as hasRole / hasAuthority; the only way is to do some tweaking.
 
Solution 1. Create a static method and invoke it via SpEL, as below:
 
                <security:authorize access="T(com.Class).doSomething(request.parameterMap['parameterName'], 'ROLE_ADMIN')">
                   Is Admin
                </security:authorize>
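
A static method of the kind Solution 1 calls, as an added example (not code from the original post). The package and class name `com.example.security.SecurityExpressions` stand in for the post's `com.Class`, and the semantics of `doSomething` (require the role, then require the parameter to be present exactly once and non-blank) are assumptions, since the post does not say what the method does. The request parameter is client-controlled, so the role check on the authenticated principal comes first and the parameter can only narrow the result.

```java
package com.example.security; // hypothetical package; the post uses the placeholder com.Class

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public final class SecurityExpressions {

    private SecurityExpressions() {
        // static helpers only
    }

    /**
     * Invoked from the tag as:
     * T(com.example.security.SecurityExpressions)
     *     .doSomething(request.parameterMap['parameterName'], 'ROLE_ADMIN')
     */
    public static boolean doSomething(String[] parameterValues, String requiredRole) {
        // Decide on the server-side identity first; never on the parameter alone.
        if (!currentUserHasAuthority(requiredRole)) {
            return false;
        }
        // parameterMap[...] is null when the parameter is absent; reject
        // repeated parameters as well so the value is unambiguous.
        if (parameterValues == null || parameterValues.length != 1) {
            return false;
        }
        String value = parameterValues[0];
        return value != null && value.trim().length() > 0;
    }

    /** True only if the current Authentication holds exactly this authority. */
    static boolean currentUserHasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || authority == null) {
            return false; // fail closed when there is no security context
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```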
 
Solution 2. Extend WebSecurityExpressionRoot and configure Spring to use it as the default. In the extended class, methods can be defined just like hasRole. There are some limitations to this approach.
    1) You have to extend DefaultMethodSecurityExpressionHandler to create the customized WebSecurityExpressionRoot.
    2) Oddly, the XML schema of spring-security doesn't allow an expressionHandler inside security:http, while the code in FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource, line 73, tries to find an expression-handler.
 
A related discussion:
 
http://forum.springsource.org/showthread.php?t=75331