Wolfgang Winter (Migrated from SEC-1727) said:
Hi again, for the next release of Cibet Control Framework, web security is also integrated. Now I have the same problem as for method security: class WebExpressionConfigAttribute is not public and I cannot instantiate it. As a workaround I create an inheriting class in the Spring namespace, but I don't like creating classes in your namespace.
Please refer also to issue SEC-1558.
Comment From: spring-projects-issues
Nelson Lau said:
Please change class WebExpressionConfigAttribute to public to ease Spring Security customization.
Comment From: jzheaux
@ttjkst You mentioned in #6738 that you wanted to reuse the code in WebExpressionConfigAttribute for your database-driven FilterInvocationSecurityMetadataSource.
This seems a bit odd to me since ConfigAttribute is a very simple interface to implement, and it's not clear to me what behavior you are trying to get out of it. Can you explain in more detail what kinds of problems you are running into with the class being package-private?
Also, what values are in your database, and would you be better served to instead pull authorities from your database via a custom UserDetailsService?
Comment From: ttjkst
I think you are right, the WebExpressionConfigAttribute is appropriate for WebExpressionVoter but not for my idea. I am preparing to write a class which implements ConfigAttribute. Would you have some demo for customizing AccessDecisionVoter with Spring Boot?
Comment From: rwinch
Closing this as invalid. Today, the preferred mechanism is to leverage AuthorizationManager.
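
The database-driven use case discussed in this thread, written against AuthorizationManager, as an added example that is not part of the original thread or of Spring Security's own code. It assumes Spring Security 6.x (the `check` signature and `jakarta.servlet`) and a DispatcherServlet mapped to `/`; the class name `DatabaseRuleAuthorizationManager` and the `ruleLookup` function are hypothetical.

```java
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

/** Hypothetical class: decides access from rules loaded from a database. */
public class DatabaseRuleAuthorizationManager
        implements AuthorizationManager<RequestAuthorizationContext> {

    // Hypothetical lookup: maps "METHOD /path" to the authorities allowed to
    // call it (for instance a cached JDBC query). Returns null when no rule exists.
    private final Function<String, Set<String>> ruleLookup;

    public DatabaseRuleAuthorizationManager(Function<String, Set<String>> ruleLookup) {
        this.ruleLookup = ruleLookup;
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication,
                                       RequestAuthorizationContext context) {
        HttpServletRequest request = context.getRequest();
        // Assumption: with the servlet mapped to "/", getServletPath() is the
        // application-relative path without the context path or query string.
        String key = request.getMethod() + " " + request.getServletPath();
        Set<String> allowed = ruleLookup.apply(key);

        // Deny by default: a request with no stored rule is refused, so a
        // missing database row never silently opens an endpoint.
        if (allowed == null || allowed.isEmpty()) {
            return new AuthorizationDecision(false);
        }
        Authentication auth = authentication.get();
        if (auth == null || !auth.isAuthenticated()) {
            return new AuthorizationDecision(false);
        }
        // Grant only if the caller holds at least one authority named by the rule.
        boolean granted = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(allowed::contains);
        return new AuthorizationDecision(granted);
    }
}
```

It can be registered with `http.authorizeHttpRequests(a -> a.anyRequest().access(manager))`, which removes the need for a ConfigAttribute or AccessDecisionVoter implementation.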