mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 01:02:14 +00:00
55d6d5a86a
In 3.1 the accesscontrollist tag began performing an and on the permissions. This may have been accidental, but I think that it is more intuitive & secure for it to behave this way. When compared to hasAnyRole and hasRoles the hasPermission tag implies it is an and. If users end up needing OR support, then the authorize tag can be used along with the hasPermission expression. For example: <sec:authorize access="hasPermission(#domain, 'read') or hasPermission(#domain, 'write') "> In general, the authorize tag should be preferred as it is the more powerful way of performing authorization checks.