Does it make sense to use expression-based access control in Spring Security?

I am considering using Expression-based Access Control from Spring Security 3.0.

The documentation says: you can access any of the method arguments by name as expression variables if your code has debugging information compiled in.

This means that I have to leave debugging information in my production WARs and JARs in order to use Expression-based Access Control correctly. To me, this does not seem to be a very good idea.

Please tell us your opinion on this issue, so I can summarize your experience in order to decide whether I am going ahead or not.

Thank you in advance! Max

+3
2 answers

This is a little strange, but it is not related to Spring Security. Spring Web MVC also uses it; for example, to detect default values for @RequestParam and @PathVariable.

In my experience, people usually leave debugging information in their assemblies (even production assemblies) to support troubleshooting (registering the debug level is a completely different story), so Spring uses this. But it's fair to say that Spring violates the principle of least surprise here, in that you would not expect turning off debugging information to turn a working application into a broken application.

+2

Source: https://habr.com/ru/post/1795229/

