Question
I am upgrading my Spring Security from 3.1.0 to 3.1.3 and ran into a change that is breaking my setup.
I had been using a custom SecurityExpressionRoot to expose a method for use with intercept-url entries.
<http entry-point-ref="forbiddenAccessEntryPoint" use-expressions="true" create-session="never"
      access-decision-manager-ref="webAccessDecisionManager">
    <intercept-url pattern="/licenses*" access="hasProjectAuthority('LICENSES')"/>
The SecurityExpressionRoot is injected through a custom DefaultMethodSecurityExpressionHandler.
This was working fine in 3.1.0 but after upgrading to 3.1.3 Spring cannot evaluate the "hasProjectAuthority" method:
EL1004E:(pos 0): Method call: Method hasProjectAuthority(java.lang.String) cannot be found on org.springframework.security.web.access.expression.WebSecurityExpressionRoot type
Did this move somewhere?
Answer 1:
- Try moving your code from the custom SecurityExpressionRoot into a custom WebSecurityExpressionRoot.
- Be sure that your custom WebSecurityExpressionRoot is injected into your WebExpressionVoter via DefaultWebSecurityExpressionHandler.createSecurityExpressionRoot.
Your XML may look like this:
<security:http access-decision-manager-ref="customAccessDecisionManagerBean">
    ....
</security:http>
<bean id="customWebSecurityExpressionHandler" class="com.domain.security.CustomWebSecurityExpressionHandler"/>
<bean id="customAccessDecisionManagerBean" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="customWebSecurityExpressionHandler" />
            </bean>
        </list>
    </property>
</bean>
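A sketch of the handler class that the bean definition above refers to, added here as an example and not part of the original answer. It assumes the Spring Security 3.1.3 signature of createSecurityExpressionRoot; the nested class name CustomWebSecurityExpressionRoot and the "PROJECT_" authority prefix are hypothetical, since the question does not show what hasProjectAuthority actually checks.

```java
package com.domain.security;

import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

// Handler wired into WebExpressionVoter; it supplies the root object that
// intercept-url "access" expressions are evaluated against.
public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {

    // Hypothetical root class. It must be public, with a public method,
    // so that SpEL can resolve hasProjectAuthority(String) on it.
    public static class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot {

        public CustomWebSecurityExpressionRoot(Authentication a, FilterInvocation fi) {
            super(a, fi);
        }

        // Assumed semantics: grant only if the caller holds "PROJECT_<name>".
        // Denies on empty input; does not consult the role hierarchy.
        public boolean hasProjectAuthority(String name) {
            if (name == null || name.isEmpty()) {
                return false;
            }
            String wanted = "PROJECT_" + name;
            for (GrantedAuthority ga : getAuthentication().getAuthorities()) {
                if (wanted.equals(ga.getAuthority())) {
                    return true;
                }
            }
            return false;
        }
    }

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, FilterInvocation fi) {
        CustomWebSecurityExpressionRoot root =
                new CustomWebSecurityExpressionRoot(authentication, fi);
        // Mirror the default handler's setup so built-ins such as hasRole(),
        // isAnonymous() and hasPermission() keep working.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
```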
Source: https://stackoverflow.com/questions/14141834/custom-securityexpressionroot-method-with-spring-security-3-1-3