Description
Been looking into the documentation trying to figure out how to use a custom AuthorizationManager with PreAuthorize and I think I've found a few issues in the documentation. https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#custom-authorization-managers
- Firstly, it says it will show a `@PreAuthorize` and `@PostAuthorize` example, and then the example is labeled as "Only `@PostAuthorize` Configuration".
Configuration
Confusing/wrong part:

> Then, publish the method interceptor with a pointcut that corresponds to when you want that AuthorizationManager to run. For example, you could replace how @PreAuthorize and @PostAuthorize work like so:
>
> Only @PostAuthorize Configuration
>
> ...CODE example...
Then the example given has 2 methods named the same way (`postAuthorize`) that have the same number of parameters. Then, inside, what I'm assuming is that this configures both preAuthorize and postAuthorize.
```java
@Configuration
@EnableMethodSecurity(prePostEnabled = false)
class MethodSecurityConfig {
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor postAuthorize(MyAuthorizationManager manager) {
        return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager);
    }

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor postAuthorize(MyAuthorizationManager manager) {
        return AuthorizationManagerAfterMethodInterceptor.postAuthorize(manager);
    }
}
```
- The example as a whole won't compile (even after the issues above are fixed). This is the code I'm trying to run:

```java
import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.Advisor;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor;
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Single manager typed on MethodInvocation, as in the documentation example
@Component
public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation> {
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
        return new AuthorizationDecision(false);
    }
}

@Configuration
@EnableMethodSecurity(prePostEnabled = false)
class MethodSecurityConfig {
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor preAuthorize(MyAuthorizationManager manager) {
        return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager);
    }

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor postAuthorize(MyAuthorizationManager manager) {
        return AuthorizationManagerAfterMethodInterceptor.postAuthorize(manager); // Exception here
    }
}
```
This is the exception. From what I can understand, the `postAuthorize()` method is expecting `AuthorizationManager<MethodInvocationResult>` and can't compile since the example one is using `...<MethodInvocation>`.

```text
java: no suitable method found for postAuthorize(com.company.projectManager.common.security.config.MyAuthorizationManager)
    method org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor.postAuthorize(org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager) is not applicable
      (argument mismatch; com.company.projectManager.common.security.config.MyAuthorizationManager cannot be converted to org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager)
    method org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor.postAuthorize(org.springframework.security.authorization.AuthorizationManager<org.springframework.security.authorization.method.MethodInvocationResult>) is not applicable
      (argument mismatch; com.company.projectManager.common.security.config.MyAuthorizationManager cannot be converted to org.springframework.security.authorization.AuthorizationManager<org.springframework.security.authorization.method.MethodInvocationResult>)
```
Sorry if this looks like a nitpick to you. I just found it really confusing trying to read through this as a newbie.
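The compiler error above is a type-parameter mismatch, not a documentation typo: the before-interceptor takes an `AuthorizationManager<MethodInvocation>` (it decides before the method runs and only sees the invocation), while the after-interceptor takes an `AuthorizationManager<MethodInvocationResult>` (it decides after the method runs and also sees the return value). The following is an added example, not code from the issue reporter or from the Spring Security reference documentation, showing one way to wire both interceptors with two separately typed managers. The class names `MyPreAuthorizationManager` and `MyPostAuthorizationManager` and the `ROLE_ADMIN` rule are assumptions made for illustration; the Spring types and the `preAuthorize`/`postAuthorize` factory methods are the ones named in the compiler output.

```java
// Added example: two managers, one per interceptor type. Not from the issue
// or the Spring Security docs; class names and the ROLE_ADMIN rule are assumed.
import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.Advisor;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor;
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
import org.springframework.security.authorization.method.MethodInvocationResult;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

/** Runs before the target method; only the invocation (target, method, args) is available. Hypothetical name. */
@Component
class MyPreAuthorizationManager implements AuthorizationManager<MethodInvocation> {
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
        Authentication auth = authentication.get();
        // Deny by default; grant only to an authenticated caller holding ROLE_ADMIN (constructed rule).
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                        .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return new AuthorizationDecision(granted);
    }
}

/** Runs after the target method; the result wraps the invocation plus its return value. Hypothetical name. */
@Component
class MyPostAuthorizationManager implements AuthorizationManager<MethodInvocationResult> {
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult result) {
        // Post-authorization is where the returned object can be inspected. As a
        // placeholder rule, deny when the method returned nothing; a real manager
        // would compare the returned object's owner against the caller.
        Object returned = result.getResult();
        return new AuthorizationDecision(returned != null);
    }
}

@Configuration
@EnableMethodSecurity(prePostEnabled = false)
class MethodSecurityConfig {
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor preAuthorize(MyPreAuthorizationManager manager) {
        // Matches AuthorizationManager<MethodInvocation>
        return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager);
    }

    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor postAuthorize(MyPostAuthorizationManager manager) {
        // Matches AuthorizationManager<MethodInvocationResult>
        return AuthorizationManagerAfterMethodInterceptor.postAuthorize(manager);
    }
}
```

With `prePostEnabled = false`, these two advisors replace the default `@PreAuthorize`/`@PostAuthorize` handling entirely, so keeping the pre-manager deny-by-default matters: any method the pointcut matches is denied unless the manager explicitly grants it.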