
Provide Runtime Hints for objects authorized by @AuthorizeReturnObject #15709


Closed · 3 tasks
jzheaux opened this issue Aug 29, 2024 · 0 comments

Labels: in: core (An issue in spring-security-core) · type: enhancement (A general enhancement)
Milestone: 6.4.x


jzheaux commented Aug 29, 2024

Related to #14652

Native applications currently need to manually register their authorization proxy classes using a BeanFactoryInitializationAotProcessor like so:

import org.springframework.aot.generate.GenerationContext;
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.ReflectionHints;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotContribution;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotProcessor;
import org.springframework.beans.factory.aot.BeanFactoryInitializationCode;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.authorization.AuthorizationProxyFactory;

// Runs at build time (AOT processing) and contributes reflection hints for the
// proxy classes that AuthorizationProxyFactory will generate at runtime.
public class AuthorizationProxyFactoryAotProcessor implements BeanFactoryInitializationAotProcessor {

	@Override
	public BeanFactoryInitializationAotContribution processAheadOfTime(ConfigurableListableBeanFactory beanFactory) {
		return new AuthorizationProxyFactoryAotContribution(beanFactory);
	}

	private static final class AuthorizationProxyFactoryAotContribution implements BeanFactoryInitializationAotContribution {

		private final ConfigurableListableBeanFactory beanFactory;

		private AuthorizationProxyFactoryAotContribution(ConfigurableListableBeanFactory beanFactory) {
			this.beanFactory = beanFactory;
		}

		@Override
		public void applyTo(GenerationContext generationContext,
				BeanFactoryInitializationCode beanFactoryInitializationCode) {
			// Message and User are the application's own domain types whose
			// instances are returned from @AuthorizeReturnObject methods; each one
			// that Security proxies has to be listed here by hand.
			registerProxyClass(generationContext.getRuntimeHints().reflection(), Message.class);
			registerProxyClass(generationContext.getRuntimeHints().reflection(), User.class);
			// ...
		}

		private void registerProxyClass(ReflectionHints reflection, Class<?> clazz) {
			AuthorizationProxyFactory proxyFactory = this.beanFactory.getBean(AuthorizationProxyFactory.class);
			// proxy(Class) returns the generated proxy class, which the native image
			// must be able to instantiate and invoke reflectively.
			Class<?> proxied = (Class<?>) proxyFactory.proxy(clazz);
			reflection.registerType(proxied, MemberCategory.INVOKE_PUBLIC_METHODS, MemberCategory.PUBLIC_FIELDS);
		}

	}

}

It would be nice to remove this need, either by scanning the classpath for @AuthorizeReturnObject usage and/or by introducing an API where security-specific proxy hints can be specified.

Some things that should be considered:

  • Adding a Data-specific AotProcessor that inspects the generic types for beans of type RepositoryFactoryBeanSupport that use @AuthorizeReturnObject
  • Adding an AotProcessor that inspects the return values of bean methods that use @AuthorizeReturnObject, traversing the return type's object graph for any nested authorized return objects
  • Adding a way to directly indicate non-bean types that Security should proxy
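The second bullet above, worked through as an added example; this is not code from the issue or from Spring Security itself, and the class name AuthorizeReturnObjectHintsProcessor, the choice to treat a method as authorized when either it or its declaring class carries @AuthorizeReturnObject, and the unwrapping of arrays and Collection generics are all assumptions of this example. The processor walks every bean's public methods, follows each authorized return type through its own authorized methods, and registers one proxy-class hint per type reached, so the hand-maintained list in the processor above is no longer needed.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.ReflectionHints;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotContribution;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.security.authorization.AuthorizationProxyFactory;
import org.springframework.security.authorization.AuthorizeReturnObject;

// Hypothetical processor (example only, not Spring Security's API): discovers
// @AuthorizeReturnObject return types from bean methods instead of listing them by hand.
public class AuthorizeReturnObjectHintsProcessor implements BeanFactoryInitializationAotProcessor {

	@Override
	public BeanFactoryInitializationAotContribution processAheadOfTime(ConfigurableListableBeanFactory beanFactory) {
		Set<Class<?>> authorizedTypes = new LinkedHashSet<>();
		for (String beanName : beanFactory.getBeanDefinitionNames()) {
			// false: do not instantiate FactoryBeans at build time just to learn their type
			Class<?> beanType = beanFactory.getType(beanName, false);
			if (beanType == null) {
				continue;
			}
			for (Method method : beanType.getMethods()) {
				if (isAuthorized(method)) {
					collect(ResolvableType.forMethodReturnType(method), authorizedTypes);
				}
			}
		}
		if (authorizedTypes.isEmpty()) {
			return null; // contract allows "no contribution"
		}
		return (generationContext, code) -> {
			AuthorizationProxyFactory proxyFactory = beanFactory.getBean(AuthorizationProxyFactory.class);
			ReflectionHints reflection = generationContext.getRuntimeHints().reflection();
			for (Class<?> type : authorizedTypes) {
				// same hint the manual processor registers, now for every discovered type
				Class<?> proxied = (Class<?>) proxyFactory.proxy(type);
				reflection.registerType(proxied, MemberCategory.INVOKE_PUBLIC_METHODS, MemberCategory.PUBLIC_FIELDS);
			}
		};
	}

	// Assumption of this example: the annotation may sit on the method or on its declaring class.
	private static boolean isAuthorized(Method method) {
		return AnnotatedElementUtils.hasAnnotation(method, AuthorizeReturnObject.class)
				|| AnnotatedElementUtils.hasAnnotation(method.getDeclaringClass(), AuthorizeReturnObject.class);
	}

	// Depth-first walk of the return type's object graph; the visited set terminates cycles
	// such as User.getMessages() -> Message.getAuthor() -> User.
	private static void collect(ResolvableType returnType, Set<Class<?>> visited) {
		Class<?> type = unwrap(returnType);
		if (type == null || type.isPrimitive() || type.getName().startsWith("java.") || !visited.add(type)) {
			return;
		}
		for (Method method : type.getMethods()) {
			if (isAuthorized(method)) {
				collect(ResolvableType.forMethodReturnType(method), visited);
			}
		}
	}

	// Unwraps arrays and Collection<T> to the element type; Optional and Map are not handled here.
	private static Class<?> unwrap(ResolvableType type) {
		if (type.isArray()) {
			return type.getComponentType().resolve();
		}
		ResolvableType element = type.asCollection().getGeneric(0);
		if (element != ResolvableType.NONE) {
			return element.resolve();
		}
		return type.resolve();
	}

}
```

Register it the same way as the manual processor, through META-INF/spring/aot.factories under the BeanFactoryInitializationAotProcessor key. Because it calls getBean(AuthorizationProxyFactory.class) inside the contribution, it relies on that bean being resolvable during AOT processing, exactly as the manual processor does; repository factory beans (the first bullet) are not covered, since getType(name, false) deliberately avoids instantiating them.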
@jzheaux jzheaux added the labels status: waiting-for-triage (An issue we've not yet triaged) and type: enhancement (A general enhancement), then removed status: waiting-for-triage, on Aug 29, 2024
@jzheaux jzheaux self-assigned this Sep 3, 2024
@jzheaux jzheaux added the in: core An issue in spring-security-core label Sep 3, 2024
@jzheaux jzheaux added this to the 6.4.x milestone Sep 3, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 9, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 9, 2024
jzheaux added a commit that referenced this issue Sep 10, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 16, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 16, 2024
jzheaux added a commit that referenced this issue Sep 16, 2024
jzheaux added a commit that referenced this issue Sep 16, 2024