The common usage is:
<intercept-url pattern="/**" access"ROLE_ADMIN" />
Is it possible to do something like:
<intercept-url pattern="/**" access"hasPermission("addSomething1") />
I haven't seen hasPermission among security expression listed under allowed:
We have only:
authentication; denyAll; hasAnyRole(list of roles); hasIpAddress; isAnonymous() etc.
I am just guessing if "hasPermission" is allowed for method security then it should be also for web-requests too.
Thanks,
Yap, it is possible. You just need to switch to expression based evaluation
<security:http use-expressions="true">
and provide PermissionEvaluator to your expression handler:
<security:expression-hanlder ref="webSecurityExpressionHandler" />
<bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler>
<property name="permissionEvaluator" ref="aclPermissionEvaluator" />
</bean>
Of course you need to have PermissionEvaluator implementation. You can write your own or you can use spring-acl project.
Pavel Horal already described how to enable expressions in the intercept-url tag (BTW. After enabled it, all access attributes must been written as SpEl expression!)
But there is one thing you need to know: the expressions that are available for the intercept-url tag differ from them that are available for method based security SpEl expressions (like @PreAuthorize). It is because the first are implemented in WebSecurityExpressoonRoot but the others are implemented in MethodSecurityExpressionRoot.
See my answer at this question stackoverflow.com/questions/8321696/… it describe how to extend the web security expression root with additional expressions.
