sec:accesscontrollist hasPermission only support single permission and name based

[winarto]

In the spring security documentation http://static.springsource.org/sprin...e/taglibs.html section 20.4 mentioned that

Code:

<sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">

This will be shown if the user has either of the permissions 
represented by the values "1" or "2" on the given object.

</sec:accesscontrollist>

When I tested, it doesn't even work with integer value. It only works if the value is the name of the permission (e.g: ADMINISTRATION, WRITE, READ, etc). More over, it does not support multiple permissions. It boils down to AccessControlListTag.java, particularly in the following line

Code:

 if (permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(),
                domainObject, hasPermission)) {
            return evalBody();
        }

which does not parse each individual permission before passing to the permissionEvaluator.

I might be missing something here, but does anyone encountering something like this?

[ericrath]

I just encountered the same problem. We currently use Spring 3.0.5 and Spring Security 3.0.5. I upgraded 3.1.2 and 3.1.1, respectively, and received error messages complaining about both comma-delimited permission names, and integer masks. I don't have any suggestion for a fix, but the behavior is unexpected.

[Rob Winch]

I logged SEC-2022 and SEC-2023. In the meantime you can either decorate your PermissionEvaluator interface or use the following:

Code:

<security:authorize access="hasPermission(#object,'READ') and hasPermission(#object,'WRITE')">
<security:authorize access="hasPermission(#object,1) and hasPermission(#object,2)">

[ericrath]

Thanks for the quick response & fix!

[ahrefony]

This has been my need to answer, today was finally discovered, thanks for your sharing, is really a good article.