-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AuthorizationManager should return AuthorizationResult #14846
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @CrazyParanoid.
With check
deprecated, we should no longer call it in from other non-deprecated production code in Spring Security. Can you also make those corresponding changes? Please leave tests as-is, though.
Also, please add tests to ensure that the new method works.
Finally, please take a look at AuthorizaitonManagerBeforeMethodInterceptor
and other method interceptors to ensure that they are no longer casting expression values to AuthorizationDecision
. Instead, they should implement the authorize
method, have their check
method call it, and then perform the cast there.
a368cd1
to
8ee5742
Compare
Hi @jzheaux ! I added the
With this implementation, it will not be possible to leave the tests as is, because in some tests, a mock of the
And it needs to be changed to
In addition, there are several delegating components that make call |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates and for your patience as I got back to this PR, @CrazyParanoid. I've left my feedback inilne.
core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
Show resolved
Hide resolved
...ringframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
Outdated
Show resolved
Hide resolved
@CrazyParanoid, also if you have time, once we are aligned on the servlet changes, it would be great if the PR could have the reactive bits as well. I'm happy to add a polish for that if needed. |
Hi @jzheaux. Thanks for your feedback! I will complete this issue in the next few days. |
8ee5742
to
e014a6a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good, @CrazyParanoid, we're nearly there. I've left some additional feedback inline.
core/src/main/java/org/springframework/security/authorization/AuthorizationEventPublisher.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/springframework/security/authorization/NoopAuthorizationEventPublisher.java
Outdated
Show resolved
Hide resolved
...ramework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java
Outdated
Show resolved
Hide resolved
Additionally, the build appears to be failing due to formatting concerns. Please try running from the command line the following:
This will correct what it can and then give you a report of the things that you need to change manually from a code convention standpoint. |
Hi @jzheaux , thanks for your feedback! I'll get back to working on this issue soon. But I'm still a little worried about the correctness of the chosen solution - if the |
Good point, @CrazyParanoid, though I think this is something we'll have to take in stride. We don't want to break folks when they upgrade, which is what is driving the decision to mark I believe the main consequence is that they will not be able to use a lambda and a custom implementation of Either way, it should not be an issue for very long, given that Spring Security 7 will be released next fall where we can remove the How well does that address your concern? |
I'm not sure if this is type safe. For example, we started using |
This concerns the publisher, I think that, as you said, it would be better to open another ticket for |
I agree that the no-publish lambda may not be able to stay. A concrete implementation will likely improve readability as well. It just needs to remain package-private or private (inline) for now. |
1a5f29c
to
b88977c
Compare
Closes spring-projectsgh-15915 Co-authored-by: Max Batischev <mblancer@mail.ru>
Nice, @CrazyParanoid! This for all this work. I ended up polishing the event support a bit more than expected, so I opened a separate ticket and adjusted the commits accordingly. I also added some polish, largely to remove deprecated usages and references to things like This is now merged into |
Added a new authorization method to AuthorizationManager that returns AuthorizationResult.
Closes gh-14843