AuthorizationManager + Method Security Support #9289

Closed
jzheaux opened this issue Dec 16, 2020 · 5 comments
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
@jzheaux
Contributor

jzheaux commented Dec 16, 2020

With the introduction of AuthorizationManager, it may be valuable to have an implementation that makes authorization decisions based on method annotations.

@jzheaux jzheaux added in: core An issue in spring-security-core type: enhancement A general enhancement labels Dec 16, 2020
@evgeniycheban
Contributor

@jzheaux I can take this.

@jzheaux
Contributor Author

jzheaux commented Jan 11, 2021

Thanks, @evgeniycheban!

It may be equally tricky to remain backward compatible with ConfigAttributes and metadata sources with this ticket as it was with the filter equivalent.

One way to address this could be to introduce a new annotation @EnableMethodSecurity which would eventually replace @EnableGlobalMethodSecurity. The new annotation would import a new MethodSecurityConfiguration class in charge of publishing the appropriate method interceptor. This would allow applications to opt in in the same way authorizeHttpRequests does.
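
The opt-in proposed in the comment above, shown as an added example that is not part of the original thread and not the project's own code. It uses the @EnableMethodSecurity annotation as it was later released in Spring Security; AccountService, its methods and the role names are hypothetical. The two configuration classes are alternatives: an application registers one or the other, not both.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// BEFORE: the ConfigAttribute / metadata-source model.
// Every annotation family defaults to off, so leaving out
// prePostEnabled = true means @PreAuthorize is never evaluated
// and the annotated method runs unprotected.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class LegacyMethodSecurityConfig {
}

// AFTER: the AuthorizationManager-based model (register this INSTEAD
// of the class above). @PreAuthorize/@PostAuthorize support is on by
// default; @Secured and JSR-250 still have to be enabled explicitly.
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical service: the annotations are identical under both
// configurations; only the interceptor that enforces them changes.
@Service
class AccountService {

    // Expression-based check, evaluated before the method body runs.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // ... privileged operation ...
    }

    // Authority-list check; ignored unless securedEnabled = true.
    @Secured("ROLE_AUDITOR")
    public String readAuditTrail(String accountId) {
        return "audit trail for " + accountId; // constructed sample value
    }
}
```

When migrating, a test that calls each annotated method as an unauthorized user and expects AccessDeniedException confirms that the annotation family in use is actually enabled.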

@evgeniycheban
Contributor

@jzheaux I've created a draft PR with @Secured annotation method security implementation, could you please take a look?

I’m currently implementing the @PreAuthorize annotation support.

jzheaux pushed a commit to jzheaux/spring-security that referenced this issue May 18, 2021
jzheaux added a commit to jzheaux/spring-security that referenced this issue May 18, 2021
- Removed consolidated pointcut advisor in favor of each interceptor
being an advisor. This allows Spring AOP to do more of the heavy
lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of
modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor
ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate
annotations
- Separated into three @Configuration classes, one for each set of
authorization annotations

Issue spring-projectsgh-9289
jzheaux added a commit that referenced this issue May 18, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified

Issue spring-projectsgh-9289
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes

Issue spring-projectsgh-9289
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization

Issue spring-projectsgh-9289
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
jzheaux added a commit to jzheaux/spring-security that referenced this issue May 30, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue May 30, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Jul 13, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Jul 13, 2024
jzheaux added a commit that referenced this issue Jul 18, 2024
jzheaux added a commit that referenced this issue Jul 18, 2024