Spring Security Use Bean For Access Configuration Attribute

Question

I'd like to use a spring bean with spring security to determine if a page should be shown. Below is a psudocode example of what I would like to do:

<security:http use-expressions="true">
    <security:intercept-url pattern="/devlogin.html" access="someBean.isNotProduction()" />
</security:http>

I'm aware that the above doesn't work, but hopefully it functions as an example of what I'm looking for. I don't want to just tell Spring "allow access for such and such role" but rather "allow access if you're running on a test system". Am I in luck and some such solution exists, or is this not what I should expect from Spring Security? (Maybe I'll even hear from someone that having a page such as this is a big security no-no, which I'm open to criticism on.)

Answer 1

Having development (or test) specific code/pages in production is always a no-go in my book, but that is, as said, my book :).

The access attribute is parsed and may contain a SpEL expressions . The sample code you posted is almost correct, simply prefixing it with a @ should make it work

security:http use-expressions="true">
  <security:intercept-url pattern="/devlogin.html" access="@someBean.isNotProduction()" />
</security:http>

This should work in in Spring Security versions 3.0 and up.

Possible related answer , although that is for method security.