SEC-482: Load AclService implementations from parent app contexts.

core/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java

@@ -40,6 +40,7 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.StringTokenizer;
+import java.util.HashMap;
 
 import javax.servlet.ServletContext;
 import javax.servlet.jsp.JspException;
@@ -49,15 +50,17 @@ import javax.servlet.jsp.tagext.TagSupport;
 
 
 /**
- * An implementation of {@link javax.servlet.jsp.tagext.Tag} that allows its body through if some authorizations
+ * An implementation of {@link Tag} that allows its body through if some authorizations are granted to the request's
- * are granted to the request's principal.<p>One or more comma separate numeric are specified via the
+ * principal.
- * <code>hasPermission</code> attribute. Those permissions are then converted into {@link Permission} instances. These
+ * <p>
- * instances are then presented as an array to the {@link Acl#isGranted(Permission[],
+ * One or more comma separate numeric are specified via the <tt>hasPermission</tt> attribute.
- * org.springframework.security.acls.sid.Sid[], boolean)} method. The {@link Sid} presented is determined by the {@link
+ * These permissions are then converted into {@link Permission} instances. These instances are then presented as an
- * SidRetrievalStrategy}.</p>
+ * array to the {@link Acl#isGranted(Permission[], org.springframework.security.acls.sid.Sid[], boolean)} method.
- *  <p>For this class to operate it must be able to access the application context via the
+ * The {@link Sid} presented is determined by the {@link SidRetrievalStrategy}.
+ * <p>
+ * For this class to operate it must be able to access the application context via the
  * <code>WebApplicationContextUtils</code> and locate an {@link AclService} and {@link SidRetrievalStrategy}.
- * Application contexts must provide one and only one of these Java types.</p>
+ * Application contexts must provide one and only one of these Java types.
  *
  * @author Ben Alex
  * @version $Id$
@@ -163,10 +166,19 @@ public class AccessControlListTag extends TagSupport {
     }
 
     private void initializeIfRequired() throws JspException {
-        if (applicationContext == null) {
+        if (applicationContext != null) {
+            return;
+        }
+
         this.applicationContext = getContext(pageContext);
 
-            Map map = applicationContext.getBeansOfType(AclService.class);
+        Map map = new HashMap();
+        ApplicationContext context = applicationContext;
+
+        while (context != null) {
+            map.putAll(context.getBeansOfType(AclService.class));
+            context = context.getParent();
+        }
 
         if (map.size() != 1) {
             throw new JspException(
@@ -197,7 +209,6 @@ public class AccessControlListTag extends TagSupport {
                     + "application context - you must have only have one!");
         }
     }
-    }
 
     private Permission[] parsePermissionsString(String integersString)
         throws NumberFormatException {
@@ -210,7 +221,7 @@ public class AccessControlListTag extends TagSupport {
             permissions.add(BasePermission.buildFromMask(new Integer(integer).intValue()));
         }
 
-        return (Permission[]) permissions.toArray(new Permission[] {});
+        return (Permission[]) permissions.toArray(new Permission[permissions.size()]);
     }
 
     public void setDomainObject(Object domainObject) {