View RSS Feed

Spring Framework

Using SpEL for Spring Security

Rate this Entry
by , 11-27-2011 at 10:58 PM (2223 Views)
Sometimes you might need to have a more sophisticated method of defining security constraints. Fortunately as of version 3.0, Spring Security also supports SpEL as a means for declaring access requirements. I will give you show you how to use it in this tip.

First thing you will need to do is to enable it. To do this, you must set the use-expressions attribute of <http> to true:

Java Code:
<http auto-config="true" use-expressions="true">
 ... 
</http>
Now you and in a position to use SpEL expressions in the access attribute. Below I will give you a straightforward SpEL expression to require ROLE_ADMIN access for the /admin/** URL pattern:

Java Code:
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
Basically the <intercept-url> is effectively the same as I did in my previous tip, except that it uses SpEL. The hasRole() expression evaluates to true if the current user has been granted the given authority. But hasRole() is only one of several security-specific expressions supported. You could have many more.

Below I provide some of the key SpEL security related expressions:

Name:  SpEL_SecurityExpressions.jpg
Views: 471
Size:  140.7 KB

Using Spring Securityís SpEL expressions, I can do more than just limit access based on a userís granted authorities. I can also lock down the /admin/** URLs to not only require ROLE_ADMIN, but also allow access only from a given IP address, you might declare an <intercept-url> like this:

Java Code:
<intercept-url pattern="/admin/**" 
	access="hasRole('ROLE_ADMIN') and hasIpAddress('192.172.11.2')"/>
With SpEL-based security constraints, you have a virtual endless range of things you can do. If you want more information, go to you Spring Security documentation.

Submit "Using SpEL for Spring Security" to Facebook Submit "Using SpEL for Spring Security" to Digg Submit "Using SpEL for Spring Security" to del.icio.us Submit "Using SpEL for Spring Security" to StumbleUpon Submit "Using SpEL for Spring Security" to Google

Updated 11-30-2011 at 01:34 PM by Spring Framework

Categories
Spring EL , Security

Comments