I'd like to use a spring bean with spring security to determine if a page should be shown. Below is a pseudocode example of what I would like to do:

<security:http use-expressions="true">
    <security:intercept-url pattern="/devlogin.html" access="someBean.isNotProduction()" />
</security:http>

I'm aware that the above doesn't work, but hopefully it functions as an example of what I'm looking for. I don't want to just tell Spring "allow access for such and such role" but rather "allow access if you're running on a test system". Am I in luck and some such solution exists, or is this not what I should expect from Spring Security? (Maybe I'll even hear from someone that having a page such as this is a big security no-no, which I'm open to criticism on.)

butallmj
  • this can help http://stackoverflow.com/questions/14141834/custom-securityexpressionroot-method-with-spring-security-3-1-3 – coder Aug 23 '13 at 02:50

1 Answer

Having development (or test) specific code/pages in production is always a no-go in my book, but that is, as said, my book :).

The access attribute is parsed and may contain a SpEL expression. The sample code you posted is almost correct; simply prefixing it with a @ should make it work:

<security:http use-expressions="true">
  <security:intercept-url pattern="/devlogin.html" access="@someBean.isNotProduction()" />
</security:http>

This should work in Spring Security versions 3.0 and up.

Possible related answer, although that is for method security.

M. Deinum
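One way the bean behind `@someBean.isNotProduction()` could look, added here as an example and not code from the question or the answer. The class name `EnvironmentGuard`, the profile names `dev` and `test`, and the use of Spring's `Environment` (Spring 3.1 and later) with component scanning are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Hypothetical bean referenced by access="@someBean.isNotProduction()".
// The bean name must match the name written after '@' in the expression.
@Component("someBean")
public class EnvironmentGuard {

    // Assumed profile names; replace with the profiles the deployment really uses.
    private static final Set<String> NON_PRODUCTION_PROFILES =
            Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("dev", "test")));

    private final Environment environment;

    @Autowired
    public EnvironmentGuard(Environment environment) {
        this.environment = environment;
    }

    /**
     * Returns true only when every active profile is a known non-production one.
     * No active profile, or any unrecognised profile, is treated as production,
     * so a misconfigured server denies access to /devlogin.html.
     */
    public boolean isNotProduction() {
        String[] active = environment.getActiveProfiles();
        if (active.length == 0) {
            return false; // fail closed: nothing configured means production
        }
        for (String profile : active) {
            if (!NON_PRODUCTION_PROFILES.contains(profile)) {
                return false; // unknown profile: assume production
            }
        }
        return true;
    }
}
```

The bean has to be registered in the application context that holds the security configuration, otherwise the `@someBean` reference cannot be resolved when the expression is evaluated.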