-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
Conversation
7342218
to
6803412
Compare
Thanks, @codeconsole! Will you please also add a unit test in And when you push your update, it will help if you can change your commit to something more like this:
It improves readability in the git history to have a short title. The |
6803412
to
641a480
Compare
@jzheaux Thanks for the feedback. I have changed the commit message and added the test. I also published a snapshot locally and confirmed it works as expected with my application and that I am able to perform the behavior that I needed it to do. This 1 little change allows me to delete 462 lines of code so I will be excited to see it merged. 😄 |
8611d44
to
2fdf6a8
Compare
2fdf6a8
to
bf6b163
Compare
@jzheaux The version of |
bf6b163
to
b3d0726
Compare
It didn't cause any issues, @codeconsole, thanks for checking. I moved the PR to be based off of |
Thanks, @codeconsole! This is now merged into |
Fix extensibility issue since RequestMatcherDelegatingAuthorizationManager is
final
and does not expose any public methods other than what is available through AuthorizationManager. Fixes #15948Allows the following:
which opens up the possibility to provide additional security checks such as Controller annotations by wrapping the current manager and using the outcome of is authorization check to be compared against other checks.
This works similar to what is already possible with the ObjectPostProcessor for AuthorizationFilter except unlike RequestMatcherDelegatingAuthorizationManager, AuthorizationFilter is not
final
and can be extended.There is no benefit in post processing a
final
class that doesn't not expose any additional information that is not already provided by it's interface AuthorizationManagerAlternatively, you could just remove
final
fromspring-security/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
Line 49 in 8a97291
but either solution works.