javax.servlet.ServletException: javax.servlet.jsp.JspException: java.io.IOException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags. org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:907) org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:840) org.apache.jsp.WEB_002dINF.classes.layout.top_jsp._jspService(top_jsp.java:85) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:954) org.apache.jasper.runtime.PageContextImpl.doInclude(PageContextImpl.java:684) org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:678) org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:103) org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:96) org.apache.tiles.renderer.impl.TemplateAttributeRenderer.write(TemplateAttributeRenderer.java:44) org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106)org.apache.tiles.renderer.impl.ChainedDelegateAttributeRenderer.write(ChainedDelegateAttributeRenderer.java:76)org.apache.tiles.renderer.impl.AbstractBaseAttributeRenderer.render(AbstractBaseAttributeRenderer.java:106) org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:670) org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.javaThis exception can mean that you haven't turn on expression evaluation. Without it, Spring can't decide the meaning of access attribute from <sec:authorize /> tags (for example the meaning of isAuthenticated() for <sec:authorize access="isAuthenticated()">). The evaluator can be turn on through configuration file by definying a new bean:
<global-method-security pre-post-annotations="enabled"> <expression-handler ref="expressionHandler" /> </global-method-security> <bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />Another way to activate it, is the use of use-expressions attribute in <http /> tags in Spring Security configuration file, as below:
<http auto-config="true" use-expressions="true" />The absence of evaluator can also cause the interpretation problems for @PreAuthorize or @PostAuthorize annotations.