[Spring] Spring Security - No visible WebSecurityExpressionHandler instance could be found in the application context

Spring Security - No visible WebSecurityExpressionHandler instance could be found in the application context

I am having trouble displaying a logout link in a JSP page only if the user is authenticated. Here is the exception I have at this line of the JSP page: <sec:authorize access="isAuthenticated()"> Exception: Stacktrace: .... root cause javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context.     There must be at least one in order to support expressions in JSP 'authorize' tags. org.springframework.security.taglibs.authz.AuthorizeTag.getExpressionHandler(AuthorizeTag.java:100) org.springframework.security.taglibs.authz.AuthorizeTag.authorizeUsingAccessExpression(AuthorizeTag.java:58) Here is my application-context-Security.xml: <http auto-config='true' > <intercept-url pattern="/user/**" access="ROLE_User" /> <logout logout-success-url="/hello.htm" /> </http> <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <beans:property name="userDetailsService" ref="userDetailsService" /> </beans:bean> <beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> <beans:property name="providers"> <beans:list> <beans:ref local="daoAuthenticationProvider" /> </beans:list> </beans:property> </beans:bean> <authentication-manager> <authentication-provider user-service-ref="userDetailsService"> <password-encoder hash="plaintext" /> </authentication-provider> </authentication-manager> I understand that I could use use-expression="true" in the http tag but that means I would have to use expression in the intercept-url tags and in the java code. Is there a workaround? spring spring-security share|improve this question edited Jul 21 '12 at 18:56 Shaun the Sheep 16.9k13970 asked Jul 21 '12 at 16:56 dukable 80872038

An unrelated observation. The daoAuthenticationProvider and authenticationManager in your configuration aren't being used. – Shaun the Sheep Jul 21 '12 at 22:41 add a comment |

1 Answer 1

active oldest votes

up vote40down voteaccepted

You can just add one to your application context <bean id="webexpressionHandler"   class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" /> but the easiest way is just to enable expressions in your <http> configuration, and one will be added for you. This only means that you have to use expressions within that block, not in Java code such as method @Secured annotations. share|improve this answer answered Jul 21 '12 at 18:53 Shaun the Sheep 16.9k13970

1   You are right, I just had to use expression within the <http> block. The problem is solved. – dukable Jul 21 '12 at 21:00 10   and to be absolutely explicit, your <http> tag should include a "use-expressions" attribute set to true, e.g. <http use-expressions="true"> – Brad Parks Nov 21 '12 at 18:01 add a comment |

[출처] https://stackoverflow.com/questions/11594104/spring-security-no-visible-websecurityexpressionhandler-instance-could-be-foun