sec:authorize


NoSuchLuke

I am converting from a JSP, in which I used to have:

    <sec:authorize access="principal.user.isAdmin(#organization.id)">

So, I tried the following, with and without the "#", to no avail:

    <li sec:authorize="principal.user.isAdmin(#organization.id)">

On the other hand, this worked:

    <li sec:authorize="principal.user.isAdmin(42)">

And so did this, which I eventually switched to:

    <li th:if="${#authentication.principal.user.isAdmin(organization.id)}">

So, am I missing something with the syntax, or is there something wrong with evaluating security expressions?


Re: sec:authorize

danielfernandez
Administrator
Hi,

Evaluation of Spring Security Expressions is directly forwarded from the dialect's processors to the Spring Security classes, in the same way it is done in the original JSP taglib. But from your description, it looks as if Spring EL expressions inside SSec ones aren't being evaluated, or maybe some kind of context is not being provided to the SSec expression engine...

Could you please create an issue at https://github.com/thymeleaf/thymeleaf-extras-springsecurity3/issues so that this can be checked and fixed --if needed-- for the next version?

Thanks,
Daniel.

Re: sec:authorize

danielfernandez
Administrator
In reply to this post by NoSuchLuke
Hi again,

For your information, access to context variables has been enabled in the current SNAPSHOT version, and will be available in 1.0.0-beta2.

See https://github.com/thymeleaf/thymeleaf-extras-springsecurity3/issues/2 for more details.

Regards,
Daniel.
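
An illustration of the behaviour discussed in this thread, added here and not taken from the posts or from thymeleaf-extras-springsecurity3: plain Spring EL evaluates the poster's expression against a context without and then with an `organization` variable. The classes `Organization`, `User`, `Principal` and `Root` are hypothetical stand-ins for the poster's types, and `spring-expression` is assumed to be on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class AuthorizeContextDemo {
    // Hypothetical stand-ins for the poster's principal, user and organization types.
    public static class Organization {
        private final int id;
        public Organization(int id) { this.id = id; }
        public int getId() { return id; }
    }
    public static class User {
        private final int adminOf;
        public User(int adminOf) { this.adminOf = adminOf; }
        public boolean isAdmin(int organizationId) { return organizationId == adminOf; }
    }
    public static class Principal {
        private final User user;
        public Principal(User user) { this.user = user; }
        public User getUser() { return user; }
    }
    // Plays the role of the security expression root, which exposes "principal".
    public static class Root {
        private final Principal principal;
        public Root(Principal principal) { this.principal = principal; }
        public Principal getPrincipal() { return principal; }
    }

    public static void main(String[] args) {
        Expression expr = new SpelExpressionParser()
                .parseExpression("principal.user.isAdmin(#organization.id)");
        Root root = new Root(new Principal(new User(42)));

        // Context built from the root object only: #organization resolves to null.
        StandardEvaluationContext bare = new StandardEvaluationContext(root);
        try {
            expr.getValue(bare, Boolean.class);
        } catch (SpelEvaluationException e) {
            System.out.println("no template variables: " + e.getMessage());
        }

        // Same expression once the template's variable is copied into the context.
        StandardEvaluationContext withVars = new StandardEvaluationContext(root);
        withVars.setVariable("organization", new Organization(42));
        System.out.println("with variables: " + expr.getValue(withVars, Boolean.class));
    }
}
```

The literal form `principal.user.isAdmin(42)` evaluates in both contexts because it references no variable, which matches what the original post observed.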