hernani
Sep 29th, 2010, 07:04 AM
Hello all, I have this problem. My project involves lots of custom logic for access control. So I implemented my own permissionEvaluator, and bound it to an expression handler, like this:
<beans:bean id="aclPermissionEvaluator" class="com.hrc.infrastructure.security.AclPermissionEvaluator" />
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="aclPermissionEvaluator"/>
</beans:bean>
Then I also have a custom role voter, which is bound to an access decision manager, like this:
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="com.hrc.infrastructure.security.RoleVoter" />
        </beans:list>
    </beans:property>
</beans:bean>
Each individual piece works perfectly when activated one at a time. For example, to use the acl permission evaluator only, I do:
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
To use only the role voter I do:
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager" />
But if I activate both at once, like this:
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
then the permission evaluator is never hit.
When debugging, I see my role voter being "kindly asked" to handle the SEL expressions with the acl stuff, so my guess is that instead of using the expression-handler tag I should use some other voter with the expression handler attached. But that's just a hunch :)
Does anyone know how to sort this one out?
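An added example, not part of the original post: one way to wire both pieces together, assuming that a custom access decision manager replaces the voters the namespace would otherwise register, so a PreInvocationAuthorizationAdviceVoter carrying the expression handler has to be listed explicitly. The bean id preInvocationAdvice is hypothetical; the other ids and the com.hrc classes come from the post.

```xml
<!-- Added example, not the poster's configuration. -->
<beans:bean id="aclPermissionEvaluator" class="com.hrc.infrastructure.security.AclPermissionEvaluator"/>

<beans:bean id="expressionHandler"
        class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="aclPermissionEvaluator"/>
</beans:bean>

<!-- Hypothetical bean id: advice that evaluates @PreAuthorize/@PreFilter
     expressions through the custom handler, so hasPermission(...) reaches
     the custom permission evaluator. -->
<beans:bean id="preInvocationAdvice"
        class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
    <beans:property name="expressionHandler" ref="expressionHandler"/>
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <!-- Votes on the pre-invocation expression attributes -->
            <beans:bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
                <beans:constructor-arg ref="preInvocationAdvice"/>
            </beans:bean>
            <!-- The poster's custom role voter, unchanged -->
            <beans:bean class="com.hrc.infrastructure.security.RoleVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<!-- expression-handler is kept here on the assumption that the namespace
     still uses it for post-invocation (@PostAuthorize/@PostFilter) handling. -->
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"
        access-decision-manager-ref="accessDecisionManager">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
```

AffirmativeBased grants access as soon as any voter grants, so on a method that carries both a role attribute and a permission expression, a grant from the role voter is enough even if the expression would deny. If both checks must pass, org.springframework.security.access.vote.UnanimousBased is the stricter choice.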