Spring security annotations with EL -- requires debug information compiled in?

I am considering using Spring Security annotations for my application, with the EL (expression language) feature. For example:

@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);

I need the EL capability because I have built my own ACL implementation. However, to use this capability with the "#contact" type arguments, the Spring documentation says this:

You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.

This begs two questions:

  1. Is it acceptable to have a production application commercially distributed with debug info in it?
  2. If not, is there any way around this?

Thanks for any guidance on this!

HDave asked May 25 '10 14:05


2 Answers

As a workaround you can implement a custom ParameterNameDiscoverer with your own strategy. Here is an example which produces simple numbered names (arg0, etc):

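import java.lang.reflect.Constructor;
import java.lang.reflect.Method;

import org.springframework.core.ParameterNameDiscoverer;

// Names parameters by position (arg0, arg1, ...), so no debug information is needed.
public class SimpleParameterNameDiscoverer implements
        ParameterNameDiscoverer {

    public String[] getParameterNames(Method m) {
        return getParameterNames(m.getParameterTypes().length);
    }

    public String[] getParameterNames(Constructor c) {
        return getParameterNames(c.getParameterTypes().length);
    }

    // Builds the positional names shared by both overloads.
    protected String[] getParameterNames(int length) {
        String[] names = new String[length];

        for (int i = 0; i < length; i++) {
            names[i] = "arg" + i;
        }

        return names;
    }
}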

And configuration:

<global-method-security ...>
    <expression-handler ref = "methodSecurityExpressionHandler" />
</global-method-security>

<beans:bean id = "methodSecurityExpressionHandler" 
    class = "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name = "parameterNameDiscoverer">
        <beans:bean class = "foo.bar.SimpleParameterNameDiscoverer" />
    </beans:property>
</beans:bean>

axtavt answered Sep 21 '22 14:09


I guess this wasn't an option when you approached the problem the first time, but now you can do this:

@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(@P("contact") Contact contact, Sid recipient, Permission permission);

http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html#access-control-using-preauthorize-and-postauthorize

irbian answered Sep 20 '22 14:09
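
A check for the problem discussed in this thread, added here as an example and not code from any of the posters or from Spring: it lists `#name` references in `@PreAuthorize` expressions that are backed neither by `@P` nor by names compiled in with `javac -parameters`. It assumes spring-security-core on the classpath; `PreAuthorizeNameCheck` and `ContactService` are hypothetical names, and names available only through debug information are deliberately not counted.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.parameters.P;

// Hypothetical helper: run it from a unit test or at startup over secured types.
public class PreAuthorizeNameCheck {
    // Matches #name variable references in a SpEL expression string.
    private static final Pattern VAR = Pattern.compile("#([A-Za-z_]\\w*)");

    /** Returns "method: #var" for each variable that no parameter name backs. */
    public static List<String> unresolved(Class<?> type) {
        List<String> problems = new ArrayList<>();
        for (Method m : type.getDeclaredMethods()) {
            PreAuthorize pre = m.getAnnotation(PreAuthorize.class);
            if (pre == null) continue;
            Set<String> annotated = new HashSet<>(), compiled = new HashSet<>();
            for (Parameter p : m.getParameters()) {
                P explicit = p.getAnnotation(P.class);
                if (explicit != null) annotated.add(explicit.value());
                if (p.isNamePresent()) compiled.add(p.getName()); // javac -parameters
            }
            // Conservative policy of this example: once @P is used, trust only @P names.
            Set<String> known = annotated.isEmpty() ? compiled : annotated;
            Matcher v = VAR.matcher(pre.value());
            while (v.find()) {
                String name = v.group(1);
                boolean builtIn = name.equals("root") || name.equals("this");
                if (!builtIn && !known.contains(name)) problems.add(m.getName() + ": #" + name);
            }
        }
        return problems;
    }
    // Constructed sample mirroring the two method shapes shown in the thread.
    interface ContactService {
        @PreAuthorize("hasPermission(#contact, 'admin')")
        void deleteUnnamed(Object contact);
        @PreAuthorize("hasPermission(#contact, 'admin')")
        void deleteNamed(@P("contact") Object contact);
    }
    public static void main(String[] args) {
        unresolved(ContactService.class).forEach(System.out::println);
    }
}
```

Compiled without `-parameters`, the sample reports only `deleteUnnamed`. An unresolved `#contact` reaches `hasPermission` as null, so a custom ACL implementation should deny when the target object is null.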