Home/ Questions/Q 8284787
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T11:14:17+00:00

I had a project that was working ok with Spring 3.0. I’ve now moved

  • 0

I had a project that was working ok with Spring 3.0. I’ve now moved to Maven to control dependencies and moved to Spring 3.1.2 jars and Spring security 3.1.1 jars.

When I attempt to access a JSP that includes use of the security taglib (eg ) I get the error below:

javax.servlet.ServletException: javax.servlet.jsp.JspException: java.io.IOException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.

In my security-context I have:

<http auto-config="true" use-expressions="true" create-session="ifRequired"

From my old project:

<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />

I couldn’t find that class in the packages I have for my project, so thinking it may just be a move of classes I tried:

<beans:bean id="expressionHandler" class="org.springframework.security.web.access.expression.WebSecurityExpressionHandler" />

This gives me the same error.

Spring-security dependencies I have configured at the moment:
spring-security-core-3.1.1
spring-security-taglibs-3.1.1
spring-security-acl-3.1.1
spring-security-config-3.1.1
spring-security-web-3.1.1

Am I missing a jar that would contain whatever ‘use-expressions=true’ needs?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have since made a number of changes to my project and I’m not 100% sure which actually fixed this issue but the most likely contenders listed below:

    • There were some 3.0 jars hidden away in a lib folder of my app. Removed them manually.
    • Removed the expressionHandler definition from security-context altogether

    • changed the URL mapping style thus:

      <!-- Spring Security < 3.1
These were inside the <http... > element
<intercept-url pattern="/public/**" filters="none"/>
<intercept-url pattern="/login" filters="none"/>
<intercept-url pattern="/loggedOut" filters="none"/>
<intercept-url pattern="/include/css/**" filters="none"/>
<intercept-url pattern="/include/img/**" filters="none"/>
-->

      Changed to the follow BEFORE the element in security-context:

      <!-- for Spring-security >= 3.1 -->
<http pattern="/public/**" security="none"/>
<http pattern="/login" security="none"/>
<http pattern="/loggedOut" security="none"/>
<http pattern="/include/css/**" security="none"/>
<http pattern="/include/img/**" security="none"/>

    My element now reads:

            <http use-expressions="true" auto-config="true" create-session="ifRequired" access-denied-page="/accessDenied" >

    I hope this helps someone else with similar issues moving from Spring security 3.0 -> 3.1.

    • 0