I am using the security tags in my application:
<sec:authorize access="hasRole('ROLE_ADMIN')">
<h1>Admin</h1>
</sec:authorize>
This works fine.
Now I am trying it this way:
<sec:authorize access="hasRole('#{MyBean.permission}')" ><h1>Admin</h1></sec:authorize>
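MyBean.permission = ROLE_ADMIN; in the debugger I can see that MyBean.permission holds the correct value.
But it does not work. No error is generated, but the link is no longer rendered, as if the user no longer had the permission.
How can I pass a variable into the access attribute of the security tag?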
My web.xml:
<welcome-file-list>
  <welcome-file>Principal/index.xhtml</welcome-file>
</welcome-file-list>
<servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/spring-security.xml
  </param-value>
</context-param>
My spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">
  <beans:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
  </beans:bean>
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="Principal/index*" access="permitAll"/>
    <intercept-url pattern="/Principal/*" access="permitAll"/>
    <form-login login-page="/Principal/index.xhtml"
        default-target-url="/"
        authentication-failure-url="/"/>
    <logout logout-success-url="/" />
  </http>
  <beans:bean id="customUserDetails" class="br.com.ultracar.ultracarweb.spring.security.UserDetailsServiceImpl" />
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customUserDetails" />
  </authentication-manager>
  <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
      <beans:value>
        ROLE_ADMIN > ROLE_FIN
        ROLE_FIN > ROLE_EX
        ROLE_EX > ROLE_GUEST
      </beans:value>
    </beans:property>
  </beans:bean>
</beans:beans>
I use Spring Security only for authorization, not for authentication.