hasPermission in sec:authorize

**BurnedToast** · Mar 1st, 2011, 10:10 AM

Hi,

I am using a custom PermissionEvaluator and i want to use em in my jsp-views. So i tryed to use the following Syntax:

Code:

<sec:authorize access="hasPermission(#user, 'update')">
something secured
</sec:authorize>

But when i call this view i get the following exception (i shorted it):

Code:

WARNUNG: ApplicationDispatcher[/Omnibus] PWC1231: Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
        at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:137)

That can only be the permissionEvaluator! How can i inject my permissionEvaluator into the SecurityExpressionRoot?

thx for any help

**Luke Taylor** · Mar 1st, 2011, 01:00 PM

Currently the authorize tag uses the WebExpressionHandler, which doesn't support the use of a PermissionEvaluator or "hasPermission()" expressions. Ideally it shouldn't throw a NPE though if you try to use them, so please open an issue and we'll try and tidy this up.

**Horst Krause** · Apr 11th, 2011, 08:39 AM

Hi Luke.

Quite interesting point!

We are in the same situation. We use ACL and have a customized PermissionEvaluator. For example a user is granted access if he has explicit rights on the user in the acl tables or implicited rights because he has acl rights for the department of the user. This works fine with annotations in business layer, but what to do in the jsps?

We found the authorize and accesscontrollist TAGs but both seem not to support any customized PermissionEvaluator. :-(

So what would be the best solution to re-use our logic in the customized PermissionEvaluator?

Thanks for any help,

bye Horst

**Horst Krause** · Apr 14th, 2011, 03:47 AM

Hi.

We extended the AccessControlListTag and in doStartTag replaced the ACLService stuff with this code:

Code:

try {
            permissionEvaluator = (WebcodesPermissionEvaluator) this.getContext(this.pageContext).getBean(
                "permissionEvaluator");
        } catch (Exception e) {
            return 0;
        }

boolean pe = permissionEvaluator.hasPermission(authentication, this.domainObject, permission);

Perhaps not the best solution, but it works.

**lafeuil** · May 17th, 2011, 10:38 AM

There is an issue about using PermissionEvaluator in authorize tag : SEC-1560.
But for the moment, there is no plan to integrate in version 3.1.
Thomas

**sergiuo** · Oct 4th, 2011, 05:09 PM

Probably it was fixed in 3.1 At least I got both authorize and accesscontrollist TAGs worrking with custom PermissionEvaluator:

Code:

<http entry-point-ref="casEntryPoint" use-expressions="true" >
...
        <intercept-url pattern="/11*" access="hasPermission('strObject', 'truePermission')"/>

...
        <expression-handler ref="webExpressionHandler"/>
</http>
....
<b:bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
</b:bean>

Note:

Code:

<sec:authorize access="hasPermission(#varName, 'some_permission')">

will try to resolve "varName" by using pageConext.findAttribute("varName"). Looks like accesscontrollist tag is easier to use.

Thread: hasPermission in sec:authorize

Thread Tools

Display

Hybrid View

hasPermission in sec:authorize

Posting Permissions