SEC-1294: Enable access to beans from ApplicationContext in EL expressions.

ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
This commit is contained in:
Luke Taylor
2010-03-31 22:37:22 +01:00
parent 12a6ae2ffa
commit 0521d10069
12 changed files with 170 additions and 14 deletions

View File

@@ -19,6 +19,7 @@ import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.annotation.BusinessService;
import org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl;
import org.springframework.security.access.intercept.AfterInvocationProviderManager;
import org.springframework.security.access.intercept.RunAsManagerImpl;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
@@ -242,6 +243,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
target.someAdminMethod();
}
@Test
public void beanNameExpressionPropertyIsSupported() {
setContext(
"<global-method-security pre-post-annotations='enabled' proxy-target-class='true'/>" +
"<b:bean id='number' class='java.lang.Integer'>" +
" <b:constructor-arg value='1294'/>" +
"</b:bean>" +
"<b:bean id='target' class='org.springframework.security.access.annotation.ExpressionProtectedBusinessServiceImpl'/>" +
AUTH_PROVIDER_XML);
SecurityContextHolder.getContext().setAuthentication(bob);
ExpressionProtectedBusinessServiceImpl target = (ExpressionProtectedBusinessServiceImpl) appContext.getBean("target");
target.methodWithBeanNamePropertyAccessExpression("x");
}
@Test
public void preAndPostFilterAnnotationsWorkWithLists() {
setContext(