
Spring Expression Language and Spring Security 3: accessing bean reference in @PreAuthorize

I'm trying to access a bean reference in a @PreAuthorize annotation as follows:

@PreAuthorize("@testBean.getTestValue()")
public String testSpEL() {
    ....
}

I have a test bean configured as follows:

@Component(value="testBean")
public class TestBean {
    public boolean getTestValue() {
        return true;
    }
}

When I try to access the testSpEL() method however, I'm confronted with the following exception:

Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1057E:(pos 1): No bean resolver registered in the context to resolve access to bean 'testBean'
    at org.springframework.expression.spel.ast.BeanReference.getValueInternal(BeanReference.java:45)
    at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:52)
    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:97)
    at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:11)

I have thoroughly done my research but I can't find anywhere what I need to change in my configuration to get this to work. Any pointers?

Thanks!

Kind regards, Jonck

P.S. I'm using Spring 3.0.5. The following seems to indicate this type of functionality should work:

https://jira.springsource.org/browse/SPR-7173

Jonck van der Kogel asked Apr 21 '11 11:04




1 Answer

I have posted a similar question at SpringSource; it turns out that indeed the above feature is not yet supported in Spring Security 3.0.5. Luckily, version 3.1.0.RC1 does support it, though with non-standard SpEL syntax:

@PreAuthorize("testBean.getTestValue()")
public String testSpEL() {
    ....
}

Here is the url of the thread at SpringSource forum: SpringSource forum thread

Hope this helps someone!

Jonck van der Kogel answered Nov 15 '22 17:11
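
The EL1057E error quoted in the question can be reproduced with plain SpEL, which shows what is missing: the evaluation context has no BeanResolver, so `@testBean` cannot be looked up. This is an added example, not code from the post or from Spring Security; it assumes spring-expression and spring-core on the classpath, and the class name `BeanReferenceDemo` and the map-backed resolver are hypothetical stand-ins for an application context.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.expression.AccessException;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelMessage;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BeanReferenceDemo {

    // Same shape as the TestBean in the question.
    public static class TestBean {
        public boolean getTestValue() { return true; }
    }

    // Hypothetical resolver backed by a map; Spring's BeanFactoryResolver
    // does the same lookup against a BeanFactory.
    static BeanResolver mapResolver(final Map<String, Object> beans) {
        return new BeanResolver() {
            @Override
            public Object resolve(EvaluationContext ctx, String name) throws AccessException {
                Object bean = beans.get(name);
                if (bean == null) {
                    // Unknown bean names fail the evaluation instead of returning a default.
                    throw new AccessException("No such bean: " + name);
                }
                return bean;
            }
        };
    }

    public static void main(String[] args) {
        Expression expr = new SpelExpressionParser().parseExpression("@testBean.getTestValue()");

        // 1) Context without a BeanResolver: the failure from the question.
        try {
            expr.getValue(new StandardEvaluationContext(), Boolean.class);
            throw new IllegalStateException("expected EL1057E");
        } catch (SpelEvaluationException e) {
            if (e.getMessageCode() != SpelMessage.NO_BEAN_RESOLVER_REGISTERED) throw e;
            System.out.println("without resolver: " + e.getMessage());
        }

        // 2) Same expression once a BeanResolver is registered on the context.
        StandardEvaluationContext wired = new StandardEvaluationContext();
        wired.setBeanResolver(mapResolver(Collections.<String, Object>singletonMap("testBean", new TestBean())));
        System.out.println("with resolver: " + expr.getValue(wired, Boolean.class));
    }
}
```

When an authorization expression cannot be evaluated, the exception should stay a denial: catching it and defaulting to "allow" would turn a configuration gap into an access-control bypass.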