
I have a Spring Service and want to use a method in the service combined with the current user in a Spring Security expression. I saw another question on Stack Overflow that led me to believe something like this was possible. I'm using Spring 3.1.2.

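```java
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service("orgService")
public class DefaultOrganizationService implements OrganizationService {
    @Override
    @Transactional
    public boolean isOrgAdmin(String username) {
        // Stub: always returns true
        return true;
    }
}
```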

Then in a JSP, I have something like this:

```jsp
<sec:authorize access="orgService.isOrgAdmin(principal.name)">
    USER IS ORG ADMIN
</sec:authorize>
```

However, when I run my web app with this setup, I get

```
org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Field or property 'orgService' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'
```

I've tried expressions with both "@orgService..." and "orgService..."

Is what I'm trying to do possible, or do I need to implement a PermissionEvaluator?

Jason
  • Do you get the same error with and without `@`? Please post both. The error you posted looks good for the case without `@`. I'm curious about the error message for `@orgService..` – Maciej Ziarko Nov 17 '12 at 01:21
  • It turns out I had a different error with the "@" (related to the principal). Using the "@" does in fact let Spring Security recognize the bean name. – Jason Nov 17 '12 at 13:25

1 Answer


`@orgService` should work for Spring Security starting from version 3.1.0.RC2:

> [SEC-1723] - Support use of bean names in expressions via @beanName notation

> I'm using Spring 3.1.2.

I think that you are using an old version of Spring Security, not Spring.

Boris Treukhov
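
Why the bare name fails while `@orgService` resolves, as an added example that is not part of the original question or answer: SpEL treats a bare identifier as a property of the root object and hands only `@name` references to the evaluation context's `BeanResolver`. The classes `BeanRefDemo`, `OrgService`, `Auth` and `Root`, the map-backed resolver and the `alice` check are hypothetical stand-ins for the real beans and for `WebSecurityExpressionRoot`; it assumes spring-expression on the classpath and Java 8 or later.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BeanRefDemo {
    // Hypothetical stand-in for the question's orgService bean.
    public static class OrgService {
        public boolean isOrgAdmin(String username) { return "alice".equals(username); }
    }

    // Hypothetical stand-ins for the expression root and its authentication object.
    public static class Auth {
        public String getName() { return "alice"; }
    }
    public static class Root {
        public Auth getAuthentication() { return new Auth(); }
    }

    static Object eval(String expr) {
        Map<String, Object> beans =
                Collections.<String, Object>singletonMap("orgService", new OrgService());
        StandardEvaluationContext ctx = new StandardEvaluationContext(new Root());
        // '@name' references are delegated to this resolver; bare names never reach it.
        ctx.setBeanResolver((context, beanName) -> beans.get(beanName));
        ExpressionParser parser = new SpelExpressionParser();
        try {
            return parser.parseExpression(expr).getValue(ctx);
        } catch (SpelEvaluationException e) {
            // Report the SpEL message code and text instead of propagating.
            return e.getMessageCode() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Bare identifier: looked up as a property of Root, which has no 'orgService'.
        System.out.println(eval("orgService.isOrgAdmin(authentication.name)"));
        // '@' prefix: looked up through the BeanResolver, then the method is invoked.
        System.out.println(eval("@orgService.isOrgAdmin(authentication.name)"));
    }
}
```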