I'm trying to access a bean reference in a @PreAuthorize annotation as follows:
@PreAuthorize("@testBean.getTestValue()")
public String testSpEL() {
....
}
I have a test bean configured as follows:
@Component(value="testBean")
public class TestBean {
public boolean getTestValue() {
return true;
}
}
When I try to access the testSpEL() method however, I'm confronted with the following exception:
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1057E:(pos 1): No bean resolver registered in the context to resolve access to bean 'testBean'
at org.springframework.expression.spel.ast.BeanReference.getValueInternal(BeanReference.java:45)
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:52)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)
I have thoroughly done my research but I can't find anywhere what I need to change in my configuration to get this to work. Any pointers?
Thanks!
Kind regards, Jonck
P.S. I'm using Spring 3.0.5. The following seems to indicate this type of functionality should work:
https://jira.springsource.org/browse/SPR-7173
The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can: Access methods and properties of SecurityExpressionRoot . (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler ... /></...> ).
The most obviously useful annotation is @PreAuthorize which decides whether a method can actually be invoked or not. For example (from the “Contacts” sample application) @PreAuthorize("hasRole('ROLE_USER')") public void create(Contact contact);
SpEL expressions can be used with XML or annotation based configuration metadata for defining BeanDefinitions. In both cases the syntax to define the expression is of the form #{ <expression string> } .
hasRole, hasAnyRole. These expressions are responsible for defining the access control or authorization to specific URLs and methods in our application: @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { ... .
I have posted a similar question at SpringSource, it turns out that indeed the above feature is not yet supported in Spring Security 3.0.5. Luckily version 3.1.0.RC1 does support it, though with non-standard SpEL syntax:
@PreAuthorize("testBean.getTestValue()")
public String testSpEL() {
....
}
Here is the url of the thread at SpringSource forum: SpringSource forum thread
Hope this helps someone!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With