Skip to content

Add AuthorizationManager #8900

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rwinch opened this issue Aug 3, 2020 · 8 comments · Fixed by #8996
Closed

Add AuthorizationManager #8900

rwinch opened this issue Aug 3, 2020 · 8 comments · Fixed by #8996
Assignees
@evgeniycheban
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement

Comments

@rwinch
Copy link
Member

rwinch commented Aug 3, 2020
edited
Loading

We should add an AuthorizationManager which is an imperative version of ReactiveAuthorizationManager. The class should look something like:

public interface AuthorizationManager<T> {
	AuthorizationDecision check(Supplier<Authentication> authentication, T object);

	default void verify(Supplier<Authentication> authentication, T object) {
		AuthorizationDecision decision = check(authentication, object);
		if (!decision.isGranted()) {
			throw new AccessDeniedException("Access Denied");
		}
	}
}

Using something that allows delaying looking up the Authentication like Supplier<Authentication> vs an Authentication directly.

We should also add support for AuthorizationManager in HttpSecurity.authorizeRequests().

Finally, we should change around the existing classes that use AccessDecisionManager should migrate to AuthorizationManager and AccessDecisionManager should be marked as deprecated.
@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 3, 2020
@rwinch rwinch mentioned this issue Aug 3, 2020
Open
@evgeniycheban
Copy link
Contributor

@rwinch I would like to work on this.

@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 31, 2020
@jzheaux
Copy link
Contributor

jzheaux commented Aug 31, 2020

It's yours, @evgeniycheban

@jzheaux jzheaux changed the title AuthorizationManager Add AuthorizationManager Aug 31, 2020
@evgeniycheban evgeniycheban mentioned this issue Sep 7, 2020
Merged
@evgeniycheban
Copy link
Contributor

@jzheaux I created a very draft PR.

Please take a look when you have a moment. Am I moving in the right direction?

@evgeniycheban
Copy link
Contributor

evgeniycheban commented Sep 14, 2020
edited
Loading

Thanks for the review @jzheaux

@rwinch @jzheaux I have a few questions.

  1. Should we implement an AuthorizationManager for Method Security within this task?
  2. By default, HttpSecurity.authorizeRequests() uses ExpressionUrlAuthorizationConfigurer, should we add an AuthorizationManager that supports SpEL expressions?

I've currently added support for AuthorizationManager to UrlAuthorizationConfigurer in the c006f21

@jzheaux
Copy link
Contributor

jzheaux commented Sep 16, 2020

Good questions, @evgeniycheban.

  1. Should we implement an AuthorizationManager for Method Security within this task?

One of the goals of this ticket is to deprecate AccessDecisionManager. Given that, we should see if we can eliminate any internal use of it and deprecate any public use.

Ideally, then, AbstractSecurityInterceptor would stop referring to the AccessDecisionManager interface in favor of AuthorizationManager.

Since the public API allows an application to configure an AccessDecisionManager, an AuthorizationManager implementation that adapts to an AccessDecisionManager may be helpful.

One of the tricky parts here seems to be how to deal with the SecurityMetadataSource and its associated ConfigAttributes. Since ConfigAttribute isn't part of AuthorizationManager's contract, this adapter might need to have a SecurityMetadataSource. I also wonder what effect this should have on the events that are fired since some of them depend on knowing the list of ConfigAttributes. What do you think, @rwinch?

  1. By default, HttpSecurity.authorizeRequests() uses ExpressionUrlAuthorizationConfigurer, should we add an AuthorizationManager that supports SpEL expressions?

Yes, I think that makes sense, though I think it should be internal to that class.

@evgeniycheban
Copy link
Contributor

evgeniycheban commented Oct 4, 2020
edited
Loading

@jzheaux I've implemented an adapter, but we need to check that an AccessDecisionManager supports a ConfigAttribute in AbstractSecurityInterceptor.validateAttributeDefs. Is this validation still needed?
The adapter code is shown below.

AuthorizationManagerAdapter 
public class AuthorizationManagerAdapter<T> implements AuthorizationManager<T> {

	private final AccessDecisionManager accessDecisionManager;

	private final SecurityMetadataSource metadataSource;

	public AuthorizationManagerAdapter(AccessDecisionManager accessDecisionManager,
			SecurityMetadataSource metadataSource) {
		this.accessDecisionManager = accessDecisionManager;
		this.metadataSource = metadataSource;
	}

	@Override
	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
		Collection<ConfigAttribute> attributes = this.metadataSource.getAttributes(object);
		try {
			this.accessDecisionManager.decide(authentication.get(), object, attributes);
		}
		catch (AccessDeniedException e) {
			return new AuthorizationDecision(false);
		}
		return new AuthorizationDecision(true);
	}

}

evgeniycheban added a commit to evgeniycheban/spring-security that referenced this issue Dec 15, 2020
@evgeniycheban
Add AuthorizationManager
5a6f74f 
Closes spring-projectsgh-8900
jzheaux pushed a commit that referenced this issue Dec 16, 2020
@evgeniycheban @jzheaux
Add AuthorizationManager
34b4b10 
Closes gh-8900
jzheaux added a commit that referenced this issue Dec 16, 2020
@jzheaux
Add @SInCE attributes
c066e23 
Issue gh-8900
This was referenced Dec 16, 2020
Closed
Open
@rwinch rwinch mentioned this issue May 19, 2021
Closed
This was referenced Jun 8, 2021
Closed
Open
@winer77444
Copy link

I added it at the gateway ,However, you can only enter the check method when adding the authentication header,If it is not added, the null pointer exception will be reported if it is forwarded to the corresponding service through the gateway. What's the matter

This was referenced Nov 10, 2021
Closed
Closed
jzheaux added a commit that referenced this issue Nov 10, 2021
@jzheaux
Use authorizeHttpRequests in Docs
812d6f7 
Issue gh-8900
jzheaux added a commit that referenced this issue Nov 10, 2021
@jzheaux
Use authorizeHttpRequests in Docs
b60020a 
Issue gh-8900
@jzheaux jzheaux mentioned this issue Apr 6, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@evgeniycheban evgeniycheban

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add AuthorizationManager evgeniycheban/spring-security
4 participants
@rwinch @jzheaux @evgeniycheban @winer77444