I’m creating a simple CRUD with spring-mvc and spring-security. Everything is running perfectly.

spring-security.xml:

    <b:bean id="handlerWeb1" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
    </b:bean>
    <b:bean id="handlerMethod2" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
    </b:bean>
    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="handlerMethod2"/>
    </global-method-security>
    <http auto-config="true" use-expressions="true">
        <expression-handler ref="handlerWeb1"/>
        ...
    </http>

The logger:

    INFO: Using bean 'handlerWeb1' as web SecurityExpressionHandler implementation
    INFO: Using bean 'handlerMethod2' as method ExpressionHandler implementation

When the following method is executed:

    @RequestMapping("/page")
    @PreAuthorize("hasPermission('page','list')")
    public ModelAndView pages() {
        return modelAndView( ... );
    }

If hasPermission('page','list')==true, no problem.
If hasPermission('page','list')==false, the method still executes and renders the view, but the variables passed to the view are empty.
I ask you: when hasPermission('page','list')==false, what should happen?
a) redirect to 403
b) process the view with empty variables.

Have you set up a page for 403? There in the Spring-Security configuration you should do this. That way, when the access is blocked, it directs you there. Anyway, here’s a tutorial on this: http://www.jeejava.com/preauthorize-annotation-haspermission-example-in-spring-security/
– romarcio
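
The permissionEvaluator bean that both expression handlers in spring-security.xml reference is not shown in the question. As an added example (not the asker's code), here is one deny-by-default way such a bean could back hasPermission('page','list'); the class name and the "PAGE_LIST" authority naming are assumptions.

```java
import java.io.Serializable;
import java.util.Locale;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical evaluator: hasPermission('page','list') is granted only to users
 * holding an authority named "PAGE_LIST" (naming convention assumed for this example).
 */
public class AuthorityPermissionEvaluator implements PermissionEvaluator {

    // Called for the two-argument SpEL form: hasPermission(target, permission).
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny by default: no authentication, or arguments that are not plain strings.
        if (auth == null || !auth.isAuthenticated()
                || !(target instanceof String) || !(permission instanceof String)) {
            return false;
        }
        String required = (target + "_" + permission).toUpperCase(Locale.ROOT);
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Called for hasPermission(targetId, targetType, permission); unused here, so deny.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }

    // Constructed sample users; runs stand-alone with spring-security-core on the classpath.
    public static void main(String[] args) {
        PermissionEvaluator evaluator = new AuthorityPermissionEvaluator();
        Authentication editor = new TestingAuthenticationToken("editor", "n/a", "PAGE_LIST");
        Authentication guest = new TestingAuthenticationToken("guest", "n/a", "PAGE_VIEW");
        System.out.println("editor: " + evaluator.hasPermission(editor, "page", "list"));
        System.out.println("guest:  " + evaluator.hasPermission(guest, "page", "list"));
        System.out.println("null:   " + evaluator.hasPermission(null, "page", "list"));
    }
}
```

When the evaluator returns false for a method call that Spring Security actually intercepts, an AccessDeniedException is thrown before the method body runs, and the web filter chain turns it into a 403 response for an authenticated user.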