Prefer dispatcher context for authorize tag beans by wonderfulrosemari · Pull Request #18822 · spring-projects/spring-security
Closes gh-8843
When both root and child web application contexts are present, JSP authorize
tags should resolve security beans from the DispatcherServlet context used for
the current request.
Previously, AbstractAuthorizeTag always resolved beans from
findRequiredWebApplicationContext(servletContext), which prefers the root
context. If security beans were defined only in the child context, this could
cause failures like missing WebSecurityExpressionHandler.
Changes include:
- resolve application context from the current request's DispatcherServlet
  context attribute when available
- fall back to SecurityWebApplicationContextUtils.findRequiredWebApplicationContext
  when no dispatcher context is present
- add regression coverage for root+child context setup to ensure
  <sec:authorize> expression evaluation succeeds
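
The lookup order listed above, sketched as an added example; it is not the code from this pull request. The class `AuthorizeTagContextResolver` and its method names are hypothetical, the `jakarta.servlet` namespace is assumed, and searching ancestor contexts for the handler is a choice made by this example rather than something the description states.

```java
import java.util.Map;

import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.web.context.support.SecurityWebApplicationContextUtils;
import org.springframework.web.servlet.DispatcherServlet;

// Hypothetical helper for illustration; names are not taken from the PR.
final class AuthorizeTagContextResolver {

    private AuthorizeTagContextResolver() {
    }

    // Prefer the context of the DispatcherServlet handling this request,
    // then fall back to the servlet-context-wide lookup.
    static ApplicationContext resolve(HttpServletRequest request, ServletContext servletContext) {
        // DispatcherServlet publishes its own (child) context under this
        // request attribute for every request it dispatches.
        Object attr = request.getAttribute(DispatcherServlet.WEB_APPLICATION_CONTEXT_ATTRIBUTE);
        if (attr instanceof ApplicationContext dispatcherContext) {
            return dispatcherContext;
        }
        // No dispatcher context on this request: use the existing lookup,
        // which throws IllegalStateException if no context can be found.
        return SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(servletContext);
    }

    // Collect expression handlers visible from the resolved context.
    // ListableBeanFactory.getBeansOfType does not search parent contexts, so
    // this example walks the hierarchy to cover handlers declared in either
    // the child or the root context.
    @SuppressWarnings("rawtypes")
    static Map<String, SecurityExpressionHandler> findExpressionHandlers(HttpServletRequest request,
            ServletContext servletContext) {
        ApplicationContext context = resolve(request, servletContext);
        return BeanFactoryUtils.beansOfTypeIncludingAncestors(context, SecurityExpressionHandler.class);
    }
}
```

An empty map from `findExpressionHandlers` corresponds to the missing `WebSecurityExpressionHandler` failure the description mentions, so a caller should treat it as a configuration error rather than render the tag body.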