
Spring security - securing method request with hasPermission

The common usage is:

<intercept-url pattern="/**" access="ROLE_ADMIN" />

Is it possible to do something like:

<intercept-url pattern="/**" access="hasPermission('addSomething1')" />

I haven't seen hasPermission among the security expressions listed as allowed:

We have only:

authentication; denyAll; hasAnyRole(list of roles); hasIpAddress; isAnonymous() etc.

I am just guessing that if "hasPermission" is allowed for method security, then it should also be allowed for web requests.

Thanks,

Yep, it is possible. You just need to switch to expression-based evaluation:

 <security:http use-expressions="true">

and provide PermissionEvaluator to your expression handler:

<security:expression-handler ref="webSecurityExpressionHandler" />

<bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="aclPermissionEvaluator" />
</bean>

Of course, you need to have a PermissionEvaluator implementation. You can write your own or you can use the spring-acl project.
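
A sketch of the "write your own" option, added here as an example and not taken from the answer or from Spring Security: a fail-closed PermissionEvaluator that grants a permission name when the caller holds one of the authorities mapped to it. The class name, package and the permission-to-authority map are hypothetical.

```java
package example.security; // hypothetical package

import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Hypothetical evaluator: permission name -> authorities that grant it. */
public class AuthorityPermissionEvaluator implements PermissionEvaluator {

    // Assumption: the mapping is supplied by the application's own configuration.
    private final Map<String, Set<String>> authoritiesByPermission;

    public AuthorityPermissionEvaluator(Map<String, Set<String>> authoritiesByPermission) {
        this.authoritiesByPermission = authoritiesByPermission;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        // Fail closed: missing or unauthenticated caller, or a non-string permission.
        if (auth == null || !auth.isAuthenticated() || !(permission instanceof String)) {
            return false;
        }
        // Unknown permission names map to an empty set, so they are denied.
        Set<String> allowed =
                authoritiesByPermission.getOrDefault((String) permission, Collections.emptySet());
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (allowed.contains(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType,
                                 Object permission) {
        // This sketch ignores the target, so both overloads share one decision.
        return hasPermission(auth, (Object) null, permission);
    }
}
```

The built-in hasPermission expressions take a target (or a target id and type) followed by the permission, so with this evaluator, which ignores the target, an access attribute would read hasPermission(null, 'addSomething1').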

Pavel Horal already described how to enable expressions in the intercept-url tag (BTW: after enabling it, all access attributes must be written as SpEL expressions!)

But there is one thing you need to know: the expressions that are available for the intercept-url tag differ from those that are available for method-based security SpEL expressions (like @PreAuthorize). It is because the first are implemented in WebSecurityExpressionRoot but the others are implemented in MethodSecurityExpressionRoot.

See my answer to this question: stackoverflow.com/questions/8321696/… It describes how to extend the web security expression root with additional expressions.
