Hi All,

I am using Spring Security 3.0.2, and I have implemented FilterInvocationSecurityMetadataSource in order to load the intercept-url rules from an external source.

This works well for blocking access to unauthorized URL patterns. However, when I use <security:authorize url=".." />, it always evaluates to true, regardless of whether the user has the right to access the page or not.

After reading the taglib documentation again, I found that this is because <security:authorize /> relies on an instance of DefaultWebInvocationPrivilegeEvaluator that is created automatically when the XML namespace is used in the context XML.

So does anyone have an idea of how to replace the default instance of DefaultWebInvocationPrivilegeEvaluator?

Below is part of my XML:

Code:
	<!--
		Web security filter chain for the application.
		auto-config="true" switches on the namespace's default login/logout/basic
		authentication filters (per the 3.0 namespace docs; confirm the exact set
		for 3.0.2).
		Note: no <security:intercept-url> is declared here, so the
		FilterSecurityInterceptor that the namespace creates for this chain has no
		URL rules of its own. All URL authorization comes from
		customFilterSecurityInterceptor, which is inserted ahead of it below.
		Consequence for the JSP taglib: the namespace also registers a
		DefaultWebInvocationPrivilegeEvaluator around its own (rule-less)
		interceptor. When no attributes exist for a URL that evaluator reports the
		URL as allowed (it returns true unless rejectPublicInvocations is set), which
		is why <security:authorize url="..."> is always true here. The filter chain
		itself still enforces the external rules, so this affects link visibility in
		pages, not actual access; it is still worth fixing so the UI does not
		advertise URLs the user cannot reach.
	-->
	<security:http auto-config="true" access-denied-page="/login/login.jsp?status=denied">
		
		<!-- Unauthenticated requests carry ROLE_ANONYMOUS; any external rule that
		     names this role therefore applies to anonymous users (the RoleVoter in
		     accessDecisionManager honours it). -->
		<security:anonymous enabled="true" granted-authority="ROLE_ANONYMOUS"/>
		
		<security:form-login login-page="/login/login.jsp" 
			authentication-failure-url="/login/login.jsp?status=failed" 
			default-target-url="/home/home.jsp"/>
			
		<!-- Places the JDBC-backed interceptor just before the namespace-created
		     FILTER_SECURITY_INTERCEPTOR, so it is consulted first for every request.
		     The namespace interceptor still runs afterwards but has nothing to
		     enforce (see the note above). -->
		<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR"  ref="customFilterSecurityInterceptor"/>
	</security:http>
	
	<!--
		Authentication: users, authorities and group authorities are loaded from the
		userDs data source. The alias "authenticationManager" is what
		customFilterSecurityInterceptor refers to.
		Every query binds the username as a JDBC parameter (?), so the
		caller-supplied name is never spliced into the SQL text.
		Expected result columns (JdbcDaoImpl reads them by position; confirm for 3.0.2):
		  users-by-username-query             username, password, enabled
		  authorities-by-username-query       username, authority
		  group-authorities-by-username-query id, group_name, authority
		Supplying group-authorities-by-username-query presumably also switches group
		lookup on (enableGroups); verify against the parser if group roles do not
		show up.
		No <security:password-encoder> is declared, so u_password is compared as
		stored (Spring Security 3.0's DaoAuthenticationProvider defaults to a
		plaintext encoder). Storing hashed passwords and declaring a
		password-encoder is the usual hardening.
		The second and third queries end in ';' while the first does not; some JDBC
		drivers reject a trailing semicolon in a prepared statement, so keep them
		consistent with what the driver behind userDs accepts.
	-->
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider>
			<security:jdbc-user-service data-source-ref="userDs" 
				users-by-username-query=
					"select u_username,u_password,u_enabled from users_tab where u_username = ?"
				authorities-by-username-query=
					"select u.u_username as username, a.a_authority as authority 
					from users_tab u, authorities_tab a, user_authorities_tab ua 
					where u.u_username = ? and u.u_id = ua.ua_user_id and a.a_id = ua.ua_authority_id;"
				group-authorities-by-username-query=
					"select g.g_id as id, g.g_name as group_name, a.a_authority as authority 
					from groups_tab g, group_authorities_tab ga, users_tab u, authorities_tab a, group_members_tab gm 
					where u.u_username = ? and u.u_id = gm.gm_user_id and g.g_id = gm.gm_group_id 
					and ga.ga_group_id = gm.gm_group_id and ga.ga_authority_id = a.a_id;" 
				/>
		</security:authentication-provider>
	</security:authentication-manager>
	
	
	
	<!--
		JDBC-backed FilterSecurityInterceptor: authorizes each request against the
		rules loaded by jdbcFilterSecurityMetadataSource, using the shared
		authenticationManager alias and the accessDecisionManager defined below.
		It is wired into the chain by the <security:custom-filter> element in
		security:http. The three properties are independent setters, so their
		order here does not matter.
	-->
	<beans:bean id="customFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
		<beans:property name="securityMetadataSource" ref="jdbcFilterSecurityMetadataSource" />
		<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
		<beans:property name="authenticationManager" ref="authenticationManager" />
	</beans:bean>
	
	<!--
		Decision strategy for customFilterSecurityInterceptor. AffirmativeBased
		grants access as soon as one voter says yes. RoleVoter handles ROLE_*
		attributes and AuthenticatedVoter handles IS_AUTHENTICATED_* attributes;
		any other attribute value coming out of the external rule source gets only
		abstentions, which AffirmativeBased denies by default
		(allowIfAllAbstainDecisions is false), i.e. an unrecognised rule fails closed.
	-->
	<beans:bean id="accessDecisionManager"
		class="org.springframework.security.access.vote.AffirmativeBased">
		<beans:property name="decisionVoters">
			<beans:list>
				<beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
				<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
			</beans:list>
		</beans:property>
	</beans:bean>
	
	 
	<!--
		Second WebInvocationPrivilegeEvaluator, built around the JDBC-backed
		interceptor so that URL checks would use the external rules. As the
		original note said, it does not take effect.
		NOTE(review): the namespace registers its own evaluator as well, and the
		3.0 taglib looks evaluators up by type and takes the first bean found,
		not a particular id, as far as I can tell from the 3.0 taglib source
		(confirm for 3.0.2). Defining a second bean therefore cannot replace the
		default one. For <security:authorize url="..."> to follow the external rules
		there effectively has to be a single evaluator whose interceptor uses the
		JDBC metadata source; e.g. pointing the namespace-created interceptor at
		jdbcFilterSecurityMetadataSource rather than running two interceptors.
	-->
	<beans:bean id="webPrivilegeEvaluator"
		class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
		<beans:constructor-arg ref="customFilterSecurityInterceptor" />
	</beans:bean>
	
	 
	<!--
		Custom FilterInvocationSecurityMetadataSource that, per the post, loads the
		URL pattern to attribute mapping from an external source (presumably the
		userDs database it is given) instead of <intercept-url> elements.
		Only customFilterSecurityInterceptor uses it; the interceptor created by
		the namespace, and the privilege evaluator behind the authorize tag, never
		see these rules.
	-->
	<beans:bean id="jdbcFilterSecurityMetadataSource"
		class="com.unified.spring.security.JdbcFilterSecurityMetadataSource">
		<beans:property name="dataSource" ref="userDs" />
	</beans:bean>
Thank you