Does it make sense to use expression-based access control in Spring Security?_问答_开发者

Does it make sense to use expression-based access control in Spring Security?

开发者 https://www.devze.com 2023-02-13 17:36 出处：网络

I am considering to utilize Expression-Based Access Control from Spring Security 3.0. The documentation says: You can access any of the method arguments by name as expression variables, provided your

I am considering to utilize Expression-Based Access Control from Spring Security 3.0.

The documentation says: You can access any of the method arguments by name as expression variables, provided your code h开发者_开发问答as debug information compiled in.

That means that I have to have debug info left in my production wars and jars to properly use Expression-Based Access Control. For me it seems not very good idea at all.

Please tell me your opinions on this issue, so I can summarize your expirience to deside where I go for it or not.

Thank you in advance! Max

It is a little strange, but this isn't tied to Spring Security. Spring Web MVC uses it too; e.g., to discover @RequestParam and @PathVariable default values.

In my experience people typically leave debug information in their builds (even production builds) to support troubleshooting (debug level logging is a different story), so Spring takes advantage of this. But it's fair to say that Spring is violating the principle of least surprise here, meaning that one wouldn't expect turning debug info off to turn a working app into a broken app.

Please see Spring security annotations with EL — requires debug information compiled in?