Authorize tag when using a custom Voter

Hi all,

I have a defined a custom Voter to check roles depending on business data that is in the http session (in fact it depends on the datasource we use).
I can secure my method like that (and it works like a charm)

Code:

---

   
    @Secured("DS_ROLE_EDITOR")
    public void deleteCustomer(String id){
    ...
    }

---

In this example, the datasourceRoleVoter checks if the connected user has the role "EDITOR" on the datasource currently used.

Now I would like to secure my JSP pages using these DS_ROLE_* roles.

I tried to use

Code:

---

        <sec:authorize  access="hasRole('DS_ROLE_EDITOR')">
        You are editor on this datasource
        </sec:authorize>

---

But it doesn't work.

How can I tell Spring security authorize tag to use my voter, so it will so check if the user is an EDITOR for that datasource ?

Here is my config file :

Code:

---

       
        <http auto-config="true" use-expressions="true"
                access-decision-manager-ref="webAccessDecisionManager">
                <http-basic />
                <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>
       
        <global-method-security secured-annotations="enabled"
                jsr250-annotations="enabled" pre-post-annotations="enabled"
                access-decision-manager-ref="methodAccessDecisionManager">
        </global-method-security>

        <beans:bean id="methodAccessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
                <beans:property name="decisionVoters">
                        <beans:list>
                                <beans:ref bean="datasourceRoleVoter" />
                                <beans:ref bean="roleVoter" />
                                <beans:ref bean="authenticatedVoter" />
                        </beans:list>
                </beans:property>
        </beans:bean>

        <beans:bean id="webAccessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
                <beans:property name="decisionVoters">
                        <beans:list>
                                <beans:ref bean="datasourceRoleVoter" />
                                <beans:ref bean="roleVoter" />
                                <beans:ref bean="authenticatedVoter" />
                                <beans:ref bean="webExpressionVoter" />
                        </beans:list>
                </beans:property>
        </beans:bean>


        <beans:bean id="datasourceRoleVoter"
                class="com.mycompany.DataSourceRoleVoter">
                <beans:property name="rolePrefix" value="DS_ROLE_" />
        </beans:bean>
        <beans:bean id="webExpressionVoter"
                class="org.springframework.security.web.access.expression.WebExpressionVoter" />
        <beans:bean id="authenticatedVoter"
                class="org.springframework.security.access.vote.AuthenticatedVoter" />
        <beans:bean id="roleVoter"
                class="org.springframework.security.access.vote.RoleVoter" />

        ...

---

Thanks in advance for you answer.

Hervé

I finally created my own expression handlers and use them in both method and web security.

Code:

---

        <http auto-config="true" use-expressions="true">
                <http-basic />
                <expression-handler ref="datasourceRoleWebSecurityExpressionHandler"/>
                <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>
       
        <beans:bean id="datasourceRoleWebSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceWebSecurityExpressionHandler"/>
       

        <global-method-security secured-annotations="enabled"
                jsr250-annotations="enabled" pre-post-annotations="enabled">
                <expression-handler ref="datasourceRoleMethodSecurityExpressionHandler"/>
        </global-method-security>
       
        <beans:bean id="datasourceRoleMethodSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceMethodSecurityExpressionHandler"/>

---

So now, I can use the same expression for web and method security.

Code:

---

<sec:authorize access="hasDsRole('EDITOR')"> The secured content </sec:authorize>

---

Code:

---

@PreAuthorize("hasDsRole('EDITOR')")
public void aSecuredMethod()

---