SEC-1798: Remove internal evaluation of EL in JSP tag implementations.

2026-05-22 21:33:16 +00:00 · 2011-08-12 19:42:53 +01:00
parent 45d938566c
commit 503ac9ae7c
6 changed files with 6 additions and 25 deletions
@@ -306,6 +306,7 @@ public abstract class AbstractAuthorizeTag {
        return target;
    }

+    @SuppressWarnings("unchecked")
    private SecurityExpressionHandler<FilterInvocation> getExpressionHandler() throws IOException {
        ApplicationContext appContext = WebApplicationContextUtils
                .getRequiredWebApplicationContext(getServletContext());
@@ -21,7 +21,6 @@ import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.web.context.support.WebApplicationContextUtils;
-import org.springframework.web.util.ExpressionEvaluationUtils;

 import javax.servlet.ServletContext;
 import javax.servlet.jsp.JspException;
@@ -67,19 +66,7 @@ public class AccessControlListTag extends TagSupport {

        initializeIfRequired();

-        final String evaledPermissionsString = ExpressionEvaluationUtils.evaluateString("hasPermission", hasPermission,
-                pageContext);
-
-        Object resolvedDomainObject;
-
-        if (domainObject instanceof String) {
-            resolvedDomainObject = ExpressionEvaluationUtils.evaluate("domainObject", (String) domainObject,
-                    Object.class, pageContext);
-        } else {
-            resolvedDomainObject = domainObject;
-        }
-
-        if (resolvedDomainObject == null) {
+        if (domainObject == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("domainObject resolved to null, so including tag body");
            }
@@ -98,7 +85,7 @@ public class AccessControlListTag extends TagSupport {
        }

        if (permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(),
-                resolvedDomainObject, evaledPermissionsString)) {
+                domainObject, hasPermission)) {
            return evalBody();
        }

@@ -23,7 +23,6 @@ import org.springframework.security.web.util.TextEscapeUtils;

 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.beans.BeansException;
-import org.springframework.web.util.ExpressionEvaluationUtils;
 import org.springframework.web.util.TagUtils;

 import java.io.IOException;
@@ -144,7 +143,7 @@ public class AuthenticationTag extends TagSupport {
     * Set HTML escaping for this tag, as boolean value.
     */
    public void setHtmlEscape(String htmlEscape) throws JspException {
-        this.htmlEscape = ExpressionEvaluationUtils.evaluateBoolean("htmlEscape", htmlEscape, pageContext);
+        this.htmlEscape = Boolean.valueOf(htmlEscape);
    }

    /**
@@ -23,7 +23,6 @@ import org.springframework.expression.TypedValue;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.security.web.FilterInvocation;
-import org.springframework.web.util.ExpressionEvaluationUtils;

 /**
 * A JSP {@link Tag} implementation of {@link AbstractAuthorizeTag}.
@@ -52,10 +51,6 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
     */
    public int doStartTag() throws JspException {
        try {
-            setIfNotGranted(ExpressionEvaluationUtils.evaluateString("ifNotGranted", getIfNotGranted(), pageContext));
-            setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
-            setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));
-
            authorized = super.authorize();

            if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
@@ -164,8 +164,7 @@ public class AuthorizeTagTests {
    @Test
    public void testOutputsBodyWhenNotGrantedSatisfied() throws JspException {
        authorizeTag.setIfNotGranted("ROLE_BANKER");
-        assertEquals(Tag.EVAL_BODY_INCLUDE,
-            authorizeTag.doStartTag());
+        assertEquals(Tag.EVAL_BODY_INCLUDE, authorizeTag.doStartTag());
    }

    @Test