Reintroduce expressions for http security #13184
Open
puskaiz opened this issue May 16, 2023 · 6 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Comments

puskaiz commented May 16, 2023

When trying to migrate our codebase to Spring 3, I realized that our security configuration cannot be migrated easily.

Code that cannot be migrated (not real code, just an example):

```java
http
  .authorizeRequests()
  .mvcMatchers("/admin/{id}")
  .access("hasRole('ADMIN') && @webSecurity.check(#id)");
```

According to the documentation, we should write an AuthorizationManager for this use-case.
We have used the same expressions on method security - and that was awesome.

It would be nice if expressions on http security would work again.

@puskaiz puskaiz added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 16, 2023
jzheaux (Contributor) commented May 18, 2023

You can use WebExpressionAuthorizationManager.

That said, I agree that the use case for extracting path parameters could use some work. Would you mind if we repurposed this ticket to take a look at that?

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels May 18, 2023
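The migration jzheaux points at, written out as an added example that is not from this thread, from Spring Security's own sources, or from the reporter's code base. It assumes Spring Security 6.x (Spring Boot 3), where `WebExpressionAuthorizationManager` and `requestMatchers` exist, and a hypothetical `@webSecurity` bean whose body the issue never shows; the `ApplicationContext` is handed to the expression handler explicitly so that the `@webSecurity` bean reference and the `#id` path variable resolve.

```java
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.stereotype.Component;

// Hypothetical bean referenced as @webSecurity in the expression. The thread
// never shows its body, so this rule is an assumption made for the example.
@Component("webSecurity")
class WebSecurity {
    public boolean check(String id) {
        // Placeholder policy: only purely numeric ids are accepted.
        return id != null && id.matches("\\d+");
    }
}

@Configuration
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
        // Wire the application context into the handler so that "@webSecurity"
        // is looked up as a bean (assumption: needed because the manager is
        // constructed by hand here rather than created as a Spring bean).
        DefaultHttpSecurityExpressionHandler handler = new DefaultHttpSecurityExpressionHandler();
        handler.setApplicationContext(context);

        // Same SpEL expression as the pre-migration .access(String) form;
        // the {id} path variable of the matcher is exposed as #id.
        WebExpressionAuthorizationManager adminAccess =
                new WebExpressionAuthorizationManager("hasRole('ADMIN') && @webSecurity.check(#id)");
        adminAccess.setExpressionHandler(handler);

        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/admin/{id}").access(adminAccess)
                // Fail closed: anything not matched above still needs a login.
                .anyRequest().authenticated());
        return http.build();
    }
}
```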
puskaiz (Author) commented May 25, 2023

Having the same expressions on url security and method security is a great value (as I mentioned, I have provided an example, in our applications we have complicated expressions).
I did understand the migration, played with the WebExpressionAuthorizationManager ... and we can do the migration for URL security. But the end result is not as clean as in Spring Boot 2.

Please, use this ticket as you wish.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels May 25, 2023
jzheaux (Contributor) commented May 31, 2023

Thanks, @puskaiz. Given your response, I think it would be better to leave this ticket open and watch for votes. While I am hesitant to reintroduce expressions -- since as you mentioned, they have a tendency to encourage complicated expressions -- I don't mind leaving this ticket for others to find and explain their point of view. I've added #13256 to address path extraction.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: feedback-provided Feedback has been provided labels May 31, 2023
s3curitybug commented Jun 28, 2023

In Spring Security 5.7 (currently 5.7.9), WebExpressionAuthorizationManager is not defined and the method access already does not accept a string as argument unless the deprecated authorizeRequests method is used, instead of authorizeHttpRequests. How should we use expressions?

Actually, the code in the documentation does not work: https://docs.spring.io/spring-security/reference/5.7/servlet/authorization/expression-based.html#_tabs_2

puskaiz (Author) commented Jul 5, 2023

Would it be hard to reintroduce expressions?
A long time ago, we started by extending WebSecurityExpressionRoot, DefaultWebSecurityExpressionHandler for Url security and SecurityExpressionRoot, DefaultMethodSecurityExpressionHandler for method security in order to introduce new elements to security expressions. We were happy to migrate our security expressions on using beans, so no custom code was needed to add some additional conditions to Url/method security expressions.
Now I feel that we should take a step back, as we cannot use the same expressions on the Url/method security, at least not without writing custom code.

puskaiz (Author) commented Jul 27, 2023

Any chance to re-introduce expressions?


4 participants