Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13

Thread: SpEL and Spring Security 3: accessing bean reference in @PreAuthorize

  1. Sep 16th, 2011, 04:04 AM #11
    marioosh
    marioosh is offline Junior Member
    Join Date
    Aug 2010
    Posts
    25

    Default

    I have problem with @PreAuthorize and accessing bean in expression. Running Spring Security version is 3.1.0RC2.
    Code:
    INFO  [SpringSecurityCoreVersion:29] : You are running with Spring Security Core 3.1.0.RC2
INFO  [SecurityNamespaceHandler:57] : Spring Security 'config' module version is 3.1.0.RC2
    applicationContext.xml:
    Code:
    <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
    Controller code:
    Code:
    @Controller
class TestController {

	public boolean isOk() {
		return true;
	}
	
	@PreAuthorize("testController.isOk()")
	@RequestMapping("/test")
	public String testPage() {
		return "test";
	}

}
    I get error:
    Code:
    java.lang.IllegalArgumentException: Failed to evaluate expression 'testController.isOk()'
...
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'testController' cannot be found on object of type 'org.springframework.security.access.expression.method.MethodSecurityExpressionRoot'
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:207)
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:71)
	at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:52)
	at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
	at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
	at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
	... 79 more
    Anybody knows what is wrong with that ?
    Last edited by marioosh; Sep 16th, 2011 at 04:15 AM.
    Reply With Quote Reply With Quote
  2. Sep 16th, 2011, 04:32 AM #12
    venercogo
    venercogo is offline Junior Member
    Join Date
    Apr 2009
    Posts
    9

    Default

    Hi,

    As Luke Taylor wrote, the syntax has been changed slightly in the new release.

    "I've changed things to use the Spring '@' syntax and BeanResolver. So the next release will support "@testBean.getTestBoolean()" instead of the plain property name. See SEC-1723."

    Try changing your syntax to match what Luke wrote.

    Kind regards, Jonck
    Reply With Quote Reply With Quote
  3. Aug 13th, 2012, 07:09 AM #13
    nickspacek
    nickspacek is offline Member
    Join Date
    Mar 2011
    Posts
    47

    Default

    Doubt anyone is watching this thread anymore, but I created a small workaround to add support in Spring Security 3.0.x.

    For anyone stuck on Spring Security 3.0.x I have a somewhat simple workaround. Add this class in your application-securityContext.xml (or whatever):

    https://gist.github.com/3340059

    It injects a BeanFactoryResolver into the Spring Security code, which is all the Spring Security 3.1.x fix has. Support for the syntax is already in 3.0.x. It allows you to use the syntax from 3.1.x, ala:

    @PreAuthorize("@controller.theProperty")
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules