I am creating a simple CRUD with spring-mvc and spring-security. Everything is running perfectly.
spring-security.xml

    <b:bean id="handlerWeb1" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
    </b:bean>
    <b:bean id="handlerMethod2" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
    </b:bean>
    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="handlerMethod2"/>
    </global-method-security>
    <http auto-config="true" use-expressions="true" >
        <expression-handler ref="handlerWeb1" />
        ...
    </http>

The logger
INFO: Using bean 'handlerWeb1' as web SecurityExpressionHandler implementation
INFO: Using bean 'handlerMethod2' as method ExpressionHandler implementation
When the method is executed

    @RequestMapping("/page")
    @PreAuthorize("hasPermission('page','list')")
    public ModelAndView pages() {
        return modelAndView( ... ));
    }

If hasPermission('page','list')==true, there is no problem.
If hasPermission('page','list')==false, the method still executes and renders the view, but the variables passed to the view are empty.

I ask: when hasPermission('page','list')==false, what should happen?
a) redirect to 403
b) process the view with empty variables.
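
The `permissionEvaluator` bean that both expression handlers reference is not shown in the post. As an added example (not the poster's code), a deny-by-default evaluator for the two-argument `hasPermission('page','list')` form could look like this; the class name and the `PERM_<target>_<permission>` authority naming are assumptions made for illustration.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical evaluator, added for illustration; not from the original post.
public class AuthorityPermissionEvaluator implements PermissionEvaluator {

    // Assumed convention: a permission is held as an authority
    // named "PERM_<target>_<permission>", e.g. "PERM_page_list".
    private static final String PREFIX = "PERM_";

    // Invoked for the two-argument expression used in the post:
    // hasPermission('page','list') -> target = "page", permission = "list".
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny anything that is not the expected String/String pair.
        if (!(target instanceof String) || !(permission instanceof String)) {
            return false;
        }
        // Deny when there is no authenticated principal.
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        String required = PREFIX + target + "_" + permission;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false; // no matching authority: deny by default
    }

    // Invoked for hasPermission(targetId, 'targetType', 'permission').
    // This example does not support per-object checks, so it always denies.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }
}
```

When a `@PreAuthorize` expression evaluates to false on a bean that method security has proxied, Spring Security throws `AccessDeniedException` before the annotated method body runs.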