[Java][Spring][1975] Add OAuth2 Preauthorize annotations based on scope

[ersinciftci]

Fixes #1975

PR checklist

• Read the contribution guidelines.
• If contributing template-only or documentation-only changes which will change sample output, build the project before.
• Run the shell script(s) under ./bin/ (or Windows batch scripts under.\bin\windows) to update Petstore samples related to your fix. This is important, as CI jobs will verify all generator outputs of your HEAD commit, and these must match the expectations made by your contribution. You only need to run ./bin/{LANG}-petstore.sh, ./bin/openapi3/{LANG}-petstore.sh if updating the code or mustache templates for a language ({LANG}) (e.g. php, ruby, python, etc).
• File the PR against the correct branch: master, 4.3.x, 5.0.x. Default: master.
• Copy the technical committee to review the pull request if your PR is targeting a particular programming language.

[ersinciftci]

@wing328 @cbornet I tried to make the PreAuthorize import conditional but failed, any help would be appreciated.

[cbornet]

I think this doesn't work if there's multiple securities defined for an operation (eg. Oauth + basic).

[ersinciftci]

@cbornet I just tested with an OpenAPI spec that has both OAuth2 and Basic, and seems to be working, because it has {{#isOAuth}} so I think the extra Basic security item doesn't affect it. But I can't figure out for what use case the tests are failing.

[cbornet]

What I mean is that an endpoint that has both basic and oauth should be accessible by basic OR oauth. Here I think if you try to access by basic auth, the pre-authorization will fail and you will be rejected.

[ersinciftci]

Ah, got it. So it should generate @PreAuthorize only if OAuth2 is the only authentication method. I couldn't find a way to get the length of an array variable such as {{#authMethods}} in the mustache template, hence the reason I couldn't make the import statement conditional either. (tried .length and .size to no avail)

[wing328]

I think this doesn't work if there's multiple securities defined for an operation (eg. Oauth + basic).

@cbornet good catch. I think such a case rarely occurs (based on my experience dealing with issues reported to this repo). We can document it as a known issue for the time being and work on it when there's a demand to fix it.

[Walliee]

I just stumbled here trying to find @PreAuthorize support in OpenAPI Generator.
I am looking to avoid custom templates in our project and I think this feature would get us there.

Anything I can do to help?

[ersinciftci]

Hi @Walliee , sorry I didn't have much time lately, your help would be greatly appreciated.

Firstly, not sure if the tests are failing because of the use case @cbornet mentioned, so that's pending some investigation (though @wing328 mentioned that we can ignore that use case for now, but we still need to fix the tests).

One other thing is this change would fail for people that don't use Spring Security because it imports a class from there, so maybe this should be a configuration that people can turn on (like addPreAuthorize = true).

Thanks

[Walliee]

Yes; of course. The pointers you gave make sense. Thanks!

@nhomble and I looked at this briefly today and looks like we can handle bearer auth too. We’ll hopefully have a PR out tomorrow.

[nhomble]

Awesome stuff @ersinciftci, we are still polishing a little bit (and I need to regen the samples), but here is a sneak peak

[ersinciftci]

@nhomble looks great! useSpringSecurity sounds much better than addPreAuthorize :)

[nhomble]

I would love opinions on this thanks!

[ersinciftci]

@nhomble looks much better than this one, thanks! (I'm closing this one)