spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SEC-2189: <sec:authorize url=""> could use wrong WebInvocationPrivilegeEvaluator #2416

Open spring-projects-issues opened 11 years ago

spring-projects-issues commented 11 years ago

q (Migrated from SEC-2189) said:

When using `<sec:authorize url="">`, it is possible that the wrong WebInvocationPrivilegeEvaluator is used for access evaluation.

It occurs when there are different contexts in the security XML descriptor, and in a JSP in the second context we use `<sec:authorize url="">` to access a URL from the second context.

for example:

in security.xml:

```xml
<http pattern="/qwe/" ...>
   ...
</http>
<http pattern="/admin/" ...>
   <intercept-url pattern="/admin/stats/**" access="hasRole('ROLE_ADMIN')"/>
   ...
</http>
```

in /admin/index.jsp:

```jsp
<sec:authorize url="/admin/stats/index.jsp">
   <a href="<spring:url value="/admin/stats/index.jsp"/>">link</a>
</sec:authorize>
```

On /admin/index.jsp the link will be displayed even if the user doesn't have ROLE_ADMIN.

It appears that the problem is in
`org.springframework.security.taglibs.authz.AbstractAuthorizeTag#getPrivilegeEvaluator`:

```java
Map<String, WebInvocationPrivilegeEvaluator> wipes = ctx.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
....
// returns whichever evaluator bean the context lists first, regardless of which <http> chain matches the URL
return (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[0];
```

spring-projects-issues commented 10 years ago

Kazuki Shimizu said:

Hi Rob.

Is there a plan to resolve this issue? Today, this issue occurred in my application under development (using spring-security 3.2.4).

Is there a good alternative method to resolve it?

spring-projects-issues commented 10 years ago

Kazuki Shimizu said:

Hi Rob.

I sent the pull request. Please review the modification. https://github.com/spring-projects/spring-security/pull/107

spring-projects-issues commented 10 years ago

Kazuki Shimizu said:

I re-sent the pull request. https://github.com/spring-projects/spring-security/pull/108

ghost commented 8 years ago

Wow, I can't believe this bug wasn't fixed yet
+1. Better yet, +1000

rwinch commented 8 years ago

Unfortunately this isn't that straightforward.

The problem is that the WebInvocationPrivilegeEvaluator is chosen using the entire HttpServletRequest. The HttpServletRequest that is used to determine which WebInvocationPrivilegeEvaluator to use is NOT the current HttpServletRequest. Instead, we would need access to the HttpServletRequest that is going to be used if the user clicked on that link.

This means in order to select the proper WebInvocationPrivilegeEvaluator we would need the user to provide all the details to create a mocked instance of HttpServletRequest, which are not available. Additionally, this would become cumbersome quite quickly.

I've been considering some other approaches like using the Spring MVC methods to determine access. However, this has problems since method security can access variables which may be resolved using the "future" request as well.

In short, this is not an easy problem to solve. The way around it is to use the access attribute and check for the role that the user has (i.e. replicating the authorization in your URL mappings).
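
The workaround rwinch describes, written out as an added example (not code from the issue or the project) against the `security.xml` and `/admin/index.jsp` of the original report: the `url=` check is replaced by an `access=` check that repeats the expression of the matching `<intercept-url>`, so the decision no longer depends on which WebInvocationPrivilegeEvaluator bean the context happens to return first. The taglib declarations are assumed to be the standard Spring ones.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>

<%-- Affected form: with two <http> chains, the tag may evaluate this URL
     against the evaluator of the "/qwe/" chain, which has no rule for
     /admin/stats/** and so does not deny it; the link is then rendered
     for users without ROLE_ADMIN. --%>
<sec:authorize url="/admin/stats/index.jsp">
   <a href="<spring:url value="/admin/stats/index.jsp"/>">stats</a>
</sec:authorize>

<%-- Workaround: evaluate the same expression the intercept-url uses.
     This must be kept in sync by hand with
     <intercept-url pattern="/admin/stats/**" access="hasRole('ROLE_ADMIN')"/>
     whenever that rule changes. --%>
<sec:authorize access="hasRole('ROLE_ADMIN')">
   <a href="<spring:url value="/admin/stats/index.jsp"/>">stats</a>
</sec:authorize>
```

The `access=` form requires expression support in the matching `<http>` element, which the `hasRole('ROLE_ADMIN')` intercept-url in the report already implies.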

ghost commented 8 years ago

Well, you can make a fake request to the url, and see if it gets permitted. Otherwise, just disable the url functionality completely, since it's not working as advertised.

rwinch commented 8 years ago

Thanks for the suggestion.

This has the downside of actually performing the number of requests for the number of links you have on the page. I'm not sure this is a good approach.

What's more is how would the JSP tag library implement this? We do not know what JavaScript libraries are included in the page and do not want to mandate any particular JavaScript library (or even JavaScript at all) to use the lib.

If you really wanted to, you could pretty readily perform this logic with the JavaScript library of your choice. However, I'm not sure it is something I would do (because it is unlikely to scale well).

ghost commented 8 years ago

well, you can use resttemplate on server side..

rwinch commented 8 years ago

You cannot do it server side because, as previously mentioned, you don't know all the request information.

On May 29, 2016 2:53 AM, "doom777" notifications@github.com wrote:

> well, you can use resttemplate on server side..