Closed
Description
Summary
Hey,
The current implementation of the Pre- & PostFilter cannot be used for the return type of Flux.
When trying to filter the objects of X, the DefaultMethodSecurityExpressionHandler.class only checks whether the returned object X is an instance of Collection or an array. But since the PrePostAdviceReactiveMethodInterceptor.class (line 103) already maps the single entries of the Flux to the postAdvice filter, this check fails unless something like Flux<List> is returned from the Controller.
Actual Behavior
java.lang.IllegalArgumentException: Filter target must be a collection or array type, but was a.b.c.X
at org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler.filter(DefaultMethodSecurityExpressionHandler.java:175) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:61) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor.lambda$null$4(PrePostAdviceReactiveMethodInterceptor.java:103) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
Expected Behavior
A filtered Flux from which the objects that do not match the filter have been removed.
Example
public class XController {

    @GetMapping()
    // Post-filter each returned X through the custom filter bean
    @PostFilter("@someCustomFilter.method(returnObject)")
    public Flux<X> findAll() {
        Flux<X> result = someService.findAllX();
        return result;
    }
}
Version
spring-boot-starter-parent: 2.0.1.RELEASE
spring-boot-starter-webflux: 2.0.1.RELEASE
spring-security-config: 5.0.4.RELEASE
spring-security-core: 5.0.4.RELEASE
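
Because the handler in the stack trace accepts only a collection or array while the reactive interceptor passes it one element at a time, one way to keep per-element authorization on a Flux is to filter inside the reactive pipeline. The following is an added example, not code from the report or from Spring Security: the `postFilter` helper, the `X` stand-in type with its `owner` field, and the sample data are hypothetical, and it assumes spring-security-core and reactor-core on the classpath.

```java
import java.util.function.BiPredicate;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import reactor.core.publisher.Flux;

public class ReactivePostFilterExample {

    // Hypothetical domain type standing in for X from the report.
    static final class X {
        final String owner;
        X(String owner) { this.owner = owner; }
        @Override public String toString() { return "X(" + owner + ")"; }
    }

    // Hypothetical helper: evaluates the rule once per emitted element.
    // An empty security context yields an empty Flux, so it fails closed.
    static <T> Flux<T> postFilter(Flux<T> source, BiPredicate<Authentication, T> allowed) {
        return ReactiveSecurityContextHolder.getContext()
                .map(SecurityContext::getAuthentication)
                .flatMapMany(auth -> source.filter(item -> allowed.test(auth, item)));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Flux<X> all = Flux.just(new X("alice"), new X("bob"), new X("alice"));
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

        // Authenticated subscriber: elements owned by another user are dropped.
        // subscriberContext matches the Reactor line of the versions listed above;
        // Reactor 3.4 and later use contextWrite instead.
        postFilter(all, (auth, x) -> x.owner.equals(auth.getName()))
                .subscriberContext(ReactiveSecurityContextHolder.withAuthentication(alice))
                .collectList()
                .subscribe(list -> System.out.println("with context: " + list));

        // No security context in the subscriber context: nothing is emitted.
        postFilter(all, (auth, x) -> x.owner.equals(auth.getName()))
                .collectList()
                .subscribe(list -> System.out.println("without context: " + list));
    }
}
```

In a controller, the helper would wrap the Flux returned by the service in place of the `@PostFilter` annotation.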