Does it make sense to use expression-based access control in Spring Security?

Question

I am considering to utilize Expression-Based Access Control from Spring Security 3.0.

The documentation says: You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.

That means that I have to have debug info left in my production wars and jars to properly use Expression-Based Access Control. For me it seems not very good idea at all.

Please tell me your opinions on this issue, so I can summarize your expirience to deside where I go for it or not.

Thank you in advance! Max

score 2 · Answer 1 · 2016-12-13T01:11:57.603

2

It is a little strange, but this isn't tied to Spring Security. Spring Web MVC uses it too; e.g., to discover @RequestParam and @PathVariable default values.

In my experience people typically leave debug information in their builds (even production builds) to support troubleshooting (debug level logging is a different story), so Spring takes advantage of this. But it's fair to say that Spring is violating the principle of least surprise here, meaning that one wouldn't expect turning debug info off to turn a working app into a broken app.

edited Dec 13 '16 at 01:11

answered Sep 06 '11 at 06:46

is there a good way round this other than the linked answer from axtavt, as of spring secruity 3.1 – NimChimpsky Oct 01 '13 at 12:42

score 1 · Accepted Answer · edited May 23 '17 at 12:30

1

Please see Spring security annotations with EL — requires debug information compiled in?

edited May 23 '17 at 12:30

Community

1
1

answered Feb 28 '11 at 14:14

Ritesh

7,472
2
39
43

Does it make sense to use expression-based access control in Spring Security?

2 Answers2