春天的安全。 授权不适用于jsp

Question

I had following jsp page and that jsp compiles as expected

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sprSec" uri="http://www.springframework.org/security/tags"%>

<c:if test="${sessionScope.userName!=null}">

    ...

</c:if>

In login controller method I have following row:

session.setAttribute("userName", name);

---

I thought that better to rewrite it using spring security tags

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sprSec" uri="http://www.springframework.org/security/tags"%>

<sprSec:authorize access="isAuthenticated()">

  ...

</sprSec:authorize>

And now I have following error when try to acces to page:

  org.apache.jasper.JasperException: org.apache.jasper.JasperException: An exception occurred processing JSP page /WEB-INF/*/*****.jsp at line 5

    2: <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    3: <%@ taglib prefix="sprSec" uri="http://www.springframework.org/security/tags"%>
    4: 
    5: <sprSec:authorize access="isAuthenticated()">
    6: 
    7: <c:set var="profileUrl" value="#" scope="request" />
    8:  <sprSec:authorize ifAllGranted="ROLE_USER">


....

root cause

javax.servlet.ServletException: javax.servlet.jsp.JspException: java.io.IOException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
..........

Answer 1

This is probably a duplicate of Spring Security - No visible WebSecurityExpressionHandler instance could be found in the application context .

As pointed out there, make sure to add an use-expressions attribute set to true for your configuration's http element, ie write <http use-expressions="true"> .