hasPermission in sec:authorize

Printable View

Mar 1st, 2011, 10:10 AM
BurnedToast

hasPermission in sec:authorize

Hi,

I am using a custom PermissionEvaluator and i want to use em in my jsp-views. So i tryed to use the following Syntax:

Code:

<sec:authorize access="hasPermission(#user, 'update')"> something secured </sec:authorize>

But when i call this view i get the following exception (i shorted it):

Code:

WARNUNG: ApplicationDispatcher[/Omnibus] PWC1231: Servlet.service() for servlet jsp threw exception java.lang.NullPointerException at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:137)

That can only be the permissionEvaluator! How can i inject my permissionEvaluator into the SecurityExpressionRoot?

thx for any help :)
Mar 1st, 2011, 01:00 PM
Luke Taylor

Currently the authorize tag uses the WebExpressionHandler, which doesn't support the use of a PermissionEvaluator or "hasPermission()" expressions. Ideally it shouldn't throw a NPE though if you try to use them, so please open an issue and we'll try and tidy this up.
Apr 11th, 2011, 08:39 AM
Horst Krause

Hi Luke.

Quite interesting point!

We are in the same situation. We use ACL and have a customized PermissionEvaluator. For example a user is granted access if he has explicit rights on the user in the acl tables or implicited rights because he has acl rights for the department of the user. This works fine with annotations in business layer, but what to do in the jsps?

We found the authorize and accesscontrollist TAGs but both seem not to support any customized PermissionEvaluator. :-(

So what would be the best solution to re-use our logic in the customized PermissionEvaluator?

Thanks for any help,

bye Horst
Apr 14th, 2011, 03:47 AM
Horst Krause

Hi.

We extended the AccessControlListTag and in doStartTag replaced the ACLService stuff with this code:

Code:

try { permissionEvaluator = (WebcodesPermissionEvaluator) this.getContext(this.pageContext).getBean( "permissionEvaluator"); } catch (Exception e) { return 0; } boolean pe = permissionEvaluator.hasPermission(authentication, this.domainObject, permission);

Perhaps not the best solution, but it works.
May 17th, 2011, 10:38 AM
lafeuil

There is an issue about using PermissionEvaluator in authorize tag : SEC-1560.
But for the moment, there is no plan to integrate in version 3.1.
Thomas
Oct 4th, 2011, 05:09 PM
sergiuo

Probably it was fixed in 3.1 At least I got both authorize and accesscontrollist TAGs worrking with custom PermissionEvaluator:

Code:

<http entry-point-ref="casEntryPoint" use-expressions="true" > ... <intercept-url pattern="/11*" access="hasPermission('strObject', 'truePermission')"/> ... <expression-handler ref="webExpressionHandler"/> </http> .... <b:bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"> <b:property name="permissionEvaluator" ref="permissionEvaluator"/> </b:bean>

Note:

Code:

<sec:authorize access="hasPermission(#varName, 'some_permission')">

will try to resolve "varName" by using pageConext.findAttribute("varName"). Looks like accesscontrollist tag is easier to use.