Home/ Questions/Q 8696783
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T01:21:07+00:00

I am having issues while trying to inject custom permission evaluator in spring security:

  • 0

I am having issues while trying to inject custom permission evaluator in spring security:

My front-end code looks like this:

<sec:accesscontrollist hasPermission="VIEW_HEADER,VIEW_ANYTHING" domainObject="${userWebsiteLocationContext}" >
    <b>This is a TEST</b>
</sec:accesscontrollist>

and I am trying the following within my spring security config :

...
<security:global-method-security>
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

<bean id="permissionEvaluator" class="org.atd.storefront.security.impl.DefaultPermissionsEvaluator" >
</bean>

<bean id="defaultExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" >
    <property name="permissionEvaluator" ref="permissionEvaluator" ></property>
</bean>

my custom permission evaulator simply returns false but the text is always displayed. I’ve also tried the solution at https://jira.springsource.org/browse/SEC-1749 and tried to use the custom defined decision manager bean: access-decision-manager-ref=”webAccessDecisionManager” with no avail.

I don’t get any exceptions, the hasPermission of my custom permissionevaluator just isn’t called.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It should be enough to register an implementation of PermissionEvaluator for the accesscontrollist tag to pick it up and use it.

    My advice would be to set a breakpoint in the doStartTag() method of the org.springframework.security.taglibs.authz.AccessControlListTag method and inspect which PermissionEvaluator it’s really using.

    • 0