Spring Security 3 hidden feature
Friday, April 2nd, 2010These days I’m working with Spring Security 3
SS3 added the Spring Expression Language, a nice way of script boolean conditions into “access” attributes of your URLs and into @PostFilter annotations
The hidden part is that you could have used them even with the security:authorize tag in your JSPs IF they had added the element <expression-handler> as a child of the element <http>
That’s the only missing part since the code to handle it is already there.
So what? I took the spring-security-3.0.xsd, edit it to add the missing element, modified the schemaLocation of my security xml file and voilĂ : SpEL is alive and kicking even on JSPs
I’ve opened a ticket for that: the answer was that they deliberately turned it off for version 3 but no target version is set.
In the meanwhile I’ve also found a problem on the JMX lib of Jetty, and opened a ticket as well. Hope they could fix it asap.
UPDATE: indeed they fixed it! Thx to Michael Gorovoy