Apr 6th, 2010, 09:16 AM
ACL EL - custom expression support
Is there a good way to make my own custom expression like "hasCustomPermission()" in the ACL EL approach?
I tried to dig into the code base and wondered why MethodSecurityExpressionRoot is not extendible and why DefaultMethodSecurityExpressionHandler is not flexible enough to extend it and still use the filter function that it provides.
Of course I can rewrite these two classes, but I can see most of the code will be duplicated in my new classes.
I like the Spring Security design because of its flexibility to plug in custom stuff. Maybe there is a good reason that this functionality isn't provided. Is there?
After all I want to do something like
and inside this implementation I will fetch my business object on which I stored my permissions and use the hasPermission(Object, permission) interface. This will give me flexibility, in that my client doesn't need to pass this business object every time.
Does it make sense?
Apr 7th, 2010, 03:25 PM
Just an update on the issue.
As of now I replaced MethodSecurityExpressionRoot and DefaultMethodSecurityExpressionHandler with my custom implementations and passed the business object directly into the SecurityExpressionRoot so that it can be used in expressions.
Maybe I don't need to do this in 3.1.0, when application bean references can be used in expressions directly - http://jira.springframework.org/browse/SEC-1294
So maybe it's not a problem in my case.
Apr 8th, 2010, 07:49 AM
Yes, currently what you describe is the only approach that works. Good job implementing it yourself!
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
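
As an added illustration (not code posted by anyone in this thread), here is a sketch of the approach discussed above, written against the later Spring Security 3.1.1 to 5.x API, where `DefaultMethodSecurityExpressionHandler.createSecurityExpressionRoot` is an overridable hook. `BusinessObjectLookup` and both `Custom...` class names are hypothetical.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;

// Hypothetical: resolves the business object that carries the caller's permissions.
interface BusinessObjectLookup {
    Object currentFor(Authentication authentication);
}

// Expression root that adds hasCustomPermission(...) to the built-in expressions.
// In a real project each class would be public and live in its own file.
class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {
    private final BusinessObjectLookup lookup;
    private Object filterObject, returnObject, target;
    CustomMethodSecurityExpressionRoot(Authentication auth, BusinessObjectLookup lookup) {
        super(auth);
        this.lookup = lookup;
    }
    // Callers pass only the permission; the business object is fetched here.
    public boolean hasCustomPermission(Object permission) {
        Object businessObject = lookup.currentFor(getAuthentication());
        // Fail closed: no business object means no access.
        return businessObject != null && hasPermission(businessObject, permission);
    }
    // Accessors the stock handler uses for @PreFilter/@PostFilter and return values.
    public void setFilterObject(Object o) { this.filterObject = o; }
    public Object getFilterObject() { return filterObject; }
    public void setReturnObject(Object o) { this.returnObject = o; }
    public Object getReturnObject() { return returnObject; }
    void setThis(Object target) { this.target = target; }
    public Object getThis() { return target; }
}

class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private final BusinessObjectLookup lookup;
    CustomMethodSecurityExpressionHandler(BusinessObjectLookup lookup) { this.lookup = lookup; }
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root =
                new CustomMethodSecurityExpressionRoot(authentication, lookup);
        root.setThis(invocation.getThis());
        // Reuse the handler's configured evaluator and hierarchy so hasPermission/hasRole behave as before.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
```

Registered as the method-security expression handler, this allows `@PreAuthorize("hasCustomPermission('read')")`, where `'read'` is a placeholder permission. The inherited filtering keeps working because the root implements `MethodSecurityExpressionOperations`.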