Specifying more than one method parameter in sec:authorize access implementation


I am trying to implement a custom method by extending WebSecurityExpressionRoot for use in a sec:authorize taglib as follows:

<sec:authorize access="uiAuthz('allevents', 'myVal')">
...
</sec:authorize>

The implementation is as:

public class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot {
   public boolean uiAuthz(String uiElement, String val) {
   ...
   }
   ...
}

However, whatever I try, the arguments to the uiAuthz method are always seen as a single String argument "'allevents, myVal'".

Is there any way I can actually get Spring Security framework to parse them as multiple arguments?

It might seem that I can use StringTokenizer etc. for a simple case as in the example above but things on when I have to pass an ArrayList of Strings.

Best answer

How are you integrating your CustomWebExpressionRoot with the application? To do this, you need to make sure you create a custom WebExpressionHandler that registers the custom root. For example:

CustomExpressionHandler.java

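import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

// Builds the custom root for every web expression, so its methods are callable from access="...".
public class CustomExpressionHandler extends DefaultWebSecurityExpressionHandler {
    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
        WebSecurityExpressionRoot root = new CustomWebSecurityExpressionRoot(authentication, fi);
        root.setPermissionEvaluator(this.getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(this.getRoleHierarchy());
        return root;
    }
}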

security.xml

<http ...>
  <expression-handler ref="webExpressionHandler"/>
</http>

<b:bean id="webExpressionHandler"
  class="sample.CustomExpressionHandler"/>

You can find a complete example at https://github.com/rwinch/spring-security-sample/tree/custom-webexpressionroot
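
A quick way to check argument binding separately from the taglib wiring is to evaluate the same expression with SpEL against a root object. This is an added example, not code from the question, the answer or the linked sample; DemoRoot, uiAuthzAny and the allow-list are hypothetical, and it assumes spring-expression on the classpath and Java 9 or later. It also goes beyond the two-String case to show a list argument.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class UiAuthzSpelCheck {

    // Hypothetical stand-in for the custom expression root. The allow-list is
    // constructed sample data; anything not listed is denied.
    public static class DemoRoot {
        private static final Map<String, Set<String>> ALLOWED =
                Map.of("allevents", Set.of("myVal"));

        public boolean uiAuthz(String uiElement, String val) {
            return ALLOWED.getOrDefault(uiElement, Set.of()).contains(val);
        }

        // List variant, for expressions that pass several values at once.
        public boolean uiAuthzAny(String uiElement, List<String> vals) {
            Set<String> allowed = ALLOWED.getOrDefault(uiElement, Set.of());
            return vals.stream().anyMatch(allowed::contains);
        }
    }

    static boolean evaluate(String expression) {
        ExpressionParser parser = new SpelExpressionParser();
        // Method calls in the expression resolve against the root object,
        // which is how an access expression reaches methods on the security root.
        StandardEvaluationContext context = new StandardEvaluationContext(new DemoRoot());
        return Boolean.TRUE.equals(
                parser.parseExpression(expression).getValue(context, Boolean.class));
    }

    public static void main(String[] args) {
        // Two quoted literals separated by a comma bind to two String parameters.
        System.out.println(evaluate("uiAuthz('allevents', 'myVal')"));
        // A value outside the allow-list is denied.
        System.out.println(evaluate("uiAuthz('allevents', 'other')"));
        // A SpEL inline list {...} binds to a List parameter.
        System.out.println(evaluate("uiAuthzAny('allevents', {'other', 'myVal'})"));
    }
}
```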