Allow multiple security annotations on a method (combining result of evaluations with AND operator) #4003

Closed
sambiomatters opened this issue Aug 4, 2016 · 9 comments
Assignees
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Milestone

Comments

@sambiomatters

sambiomatters commented Aug 4, 2016

Summary

Allow multiple security annotations on a single method

Actual Behavior

Currently if there are multiple annotations (PreAuthorize or Secured) on a single method only one is actually used.

Proposed Behavior

Each annotation is evaluated with an AND condition connecting them all.

Rationale

This will work very well with meta annotations. Currently, complex security restrictions require code duplication. Instead, I could define a few common security constraints in their own meta annotations and compose my security requirements by placing the appropriate annotations on the method.

Version

Sample Proposed Behaviour



@SameOrganization
@Admin
@LoggedIn
public void updateUser(User user){
  //update a user belonging to same organization as me where I am logged in and am an admin
}
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@drenda

drenda commented May 25, 2020

I think it's a good feature request. Has anyone considered this request?

@christian1607

It would be great; there would be no need to create role-combined annotations like @IsAdminAndUSer.

@rwinch
Member

rwinch commented May 28, 2020

Anyone interested in putting together a pull request?

@rwinch rwinch added in: core An issue in spring-security-core status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged labels May 28, 2020
@parikshitdutta
Contributor

Hi @rwinch, may I?

@rwinch rwinch added the type: enhancement A general enhancement label May 28, 2020
@rwinch
Member

rwinch commented May 28, 2020

@parikshitdutta Thank you for volunteering. The issue is yours.

@jzheaux
Contributor

jzheaux commented May 18, 2021

Closing in favor of #9630

@jzheaux jzheaux closed this as completed May 18, 2021
@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label May 18, 2021
@jzheaux jzheaux added this to the 5.6.0-M1 milestone May 18, 2021
@voronin-de

Would someone mind sharing how this issue and #9630 (the issue this particular issue has been closed in favour of) are related? I don't see this use case being solved by #9630 ...

@jzheaux
Contributor

jzheaux commented Jul 26, 2021

When using @EnableMethodSecurity, you can have multiple annotations on the same method, which is what #9630 adds.

Spring Security's annotations are not repeatable, so you can't have two instances of @PreAuthorize, but you can combine @PreAuthorize, @Secured, and JSR-250 annotations.
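
An added example (not from this thread and not Spring Security's own code) of the combination described in the comment above: one method carrying a `@PreAuthorize` meta-annotation, `@Secured` and a JSR-250 annotation under `@EnableMethodSecurity`. Each annotation type is enforced by its own interceptor, so the call proceeds only when all of them grant access. The `User` interface, the `orgRules` bean, the `ORG_` authority convention and the role names are assumptions made for the illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.annotation.security.RolesAllowed; // jakarta.annotation.security on Spring Security 6+
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Service;

// Hypothetical domain type; in a real project each type below lives in its own file.
interface User { String getOrganization(); }

// @PreAuthorize is active by default; @Secured and JSR-250 must be enabled explicitly.
@Configuration
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig {}

// Hypothetical rule bean: assumes the caller holds an "ORG_<organization>" authority.
@Service("orgRules")
class OrgRules {
    public boolean sameOrganization(Authentication auth, User user) {
        if (user == null) return false; // deny rather than fail open on missing input
        String wanted = "ORG_" + user.getOrganization();
        return auth.getAuthorities().stream().anyMatch(a -> wanted.equals(a.getAuthority()));
    }
}

// Meta-annotation holding the single @PreAuthorize the method is allowed to carry.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("@orgRules.sameOrganization(authentication, #user)")
@interface SameOrganization {}

@Service
class UserService {
    // Three different annotation types, one interceptor each: all must pass.
    // A second @PreAuthorize (direct or via another meta-annotation) is not supported.
    @SameOrganization
    @Secured("ROLE_ADMIN")
    @RolesAllowed("USER") // JSR-250 role; matched with the default "ROLE_" prefix
    public void updateUser(@P("user") User user) {
        // update a user in the caller's organization
    }
}
```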

@kubav182

@jzheaux But this is not what we request. We want to repeat the PreAuthorize annotation, not combine multiple annotation types.

Use case: you have multiple rules, and some endpoints are related to some of them. So instead of creating 5 annotations for 5 rules and repeating them, we have to create many custom annotations with any possible combination we need. There could be some new annotation to group PreAuthorize, something like PreAuthorizeAll(PreAuthorize[]) and PreAuthorizeAny(PreAuthorize[]), or just allow repeating them with the AND operator.


9 participants