I am trying use hasPermission in my jsp pages from my spring project. I already use this with no problem in the methods from my controller / service classes. Reading the article:
http://docs.spring.io/spring-security/site/docs/4.0.0.M1/reference/htmlsingle/#the-accesscontrollist-tag
from official documentation, I understood that for do that I nwill need implement a class derived from DefaultPermission which would be loaded from a custom AclService class.
My problem it's i can't find any information of how implement all that classes, and even don't know if this approach it's the only one or if I understood the subject in the right way (the official documentation is very brief about this subject, and in the rest of internet i can't find more information).
Anyone can point me in the right direction here? Maybe indicate some tutorial or sample of code.
UPDATE
Reading other topics here from StackOverflow, I found this sugestion:
This is what I have done. I created my own permission evaulator:
> public class MyPermissionEvaluator implements PermissionEvaluator {
> ...
> }
Then I configured spring to use that evaulator via
> <beans:bean id="expressionHandler"
> class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
> <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
> </beans:bean>
>
> <beans:bean id="webExpressionHandler"
> class="com.bulb.learn.webapp.security.CustomWebSecurityExpressionHandler">
> <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
> </beans:bean>
>
> <beans:bean id="permissionEvaluator" class="my.domain.MyPermissionEvaluator" />
That way all expression handlers have access to my evaulator. Then, in JSP (actually, I am using jspx), I can make tags like this:
> <sec:authorize access="hasPermission(#childUnit, 'read')">
> ...
> </sec:authorize>
Hope that gets you heading in the right direction.
As I already have a Custom PermissionEvaluator, I try this method. It works partially, but now, even when the user has the permission, the element inside the tag isn't displayed. Also, the eclipse indicate an error related to this tag ('Syntax error on token(s), misplaced construct(s)'), despite the application being built and executed without errors.
In the console, this error is displayed:
un 03, 2014 7:48:40 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'cadastra_usuario' on object null
Jun 03, 2014 7:48:40 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'altera_usuario' on object null
Jun 03, 2014 7:48:40 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'remove_usuario' on object null
Jun 03, 2014 7:48:45 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'cadastra_permissao' on object null
Jun 03, 2014 7:48:45 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'altera_permissao' on object null
Jun 03, 2014 7:48:45 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'remove_permissao' on object null
Jun 03, 2014 7:48:57 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'cadastra_usuario' on object null
Jun 03, 2014 7:48:57 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'altera_usuario' on object null
Jun 03, 2014 7:48:57 PM org.springframework.security.access.expression.DenyAllPermissionEvaluator hasPermission
Advertência: Denying user klebermo permission 'remove_usuario' on object null
In the Internet, I found some articles sugesting I should implement a Interface for WebSecurityExpressionHandler.
Anyone know what the right step here?
UPDATE 2
Previously, I was using this tag:
<sec:accesscontrollist hasPermission="1,2" domainObject="${someObject}">
This will be shown if the user has either of the permissions represented by the values "1" or "2" on the given object.
</sec:accesscontrollist>
where no error was displayed in the console, but still doesn't work. My question which object I need implement to atribute domainObject of the tag?
Your CustomPermissionEvaluator
is not being called.
Try following code in your SecurityConfig.java.
...
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
...
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
public void configure(WebSecurity web) throws Exception {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(new CustomPermissionEvaluator());
web.expressionHandler(handler);
}
}
WebApplicationInitializer
...
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
...
public class AnnotationConfigDispatcherServletInitializer extends
AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] {
SecurityConfig.class,
};
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With