user3699526

How to configure Spring Security to allow using hasPermission in a JSP page?

I am trying to use hasPermission in the JSP pages of my Spring project. I already use it with no problem in the methods of my controller / service classes. Reading the article:

http://docs.spring.io/spring-security/site/docs/4.0.0.M1/reference/htmlsingle/#the-accesscontrollist-tag

from the official documentation, I understood that to use this in my JSP pages I will need to implement a class derived from DefaultPermission, which would be loaded from a custom AclService class.

My problem is that I can't find any information on how to implement all those classes, and I don't even know if this approach is the only one or if I understood the subject correctly (the official documentation is very brief about this subject, and I can't find more information on the rest of the internet).

Can anyone point me in the right direction here? Maybe indicate some tutorial or code sample.

Upvotes: 1

Views: 1302

Answers (1)

DavidA

Reputation: 4184

This is what I have done. I created my own permission evaluator:

public class MyPermissionEvaluator implements PermissionEvaluator {
...
}

Then I configured Spring to use that evaluator via

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
      <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="webExpressionHandler" 
    class="com.bulb.learn.webapp.security.CustomWebSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator" class="my.domain.MyPermissionEvaluator" />

That way all expression handlers have access to my evaluator.

Then, in JSP (actually, I am using jspx), I can make tags like this:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
...
<sec:authorize access="hasPermission(#childUnit, 'read')">
    ...
</sec:authorize>

Hope that gets you heading in the right direction.

Upvotes: 1
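
One way the elided evaluator body could look, as an added example that is not the answerer's code. It assumes a hypothetical ChildUnit domain type with an owner username and a "ROLE_ADMIN" authority; anything it does not recognise is denied, so the JSP tag hides its body by default.

```java
package my.domain;

import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added sketch: ChildUnit, getOwnerUsername() and ROLE_ADMIN are assumed names.
public class MyPermissionEvaluator implements PermissionEvaluator {

    // Hypothetical domain type standing in for the #childUnit object in the JSP tag.
    public static class ChildUnit {
        private final String ownerUsername;
        public ChildUnit(String ownerUsername) { this.ownerUsername = ownerUsername; }
        public String getOwnerUsername() { return ownerUsername; }
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Fail closed: missing authentication, null or unexpected target type,
        // or a non-string permission all result in a denial.
        if (auth == null || !auth.isAuthenticated()
                || !(target instanceof ChildUnit) || !(permission instanceof String)) {
            return false;
        }
        ChildUnit unit = (ChildUnit) target;
        boolean owner = auth.getName().equals(unit.getOwnerUsername());
        switch ((String) permission) {
            case "read":
                return owner || hasAuthority(auth, "ROLE_ADMIN");
            case "write":
                return owner;
            default:
                return false; // unknown permission strings are denied, not ignored
        }
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // This sketch has no repository to load objects by id, so the
        // id-based form of hasPermission(...) is always denied.
        return false;
    }

    private static boolean hasAuthority(Authentication auth, String authority) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (authority.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}
```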
