Authorization Manager Method Security #9630
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jzheaux
force-pushed
the
authorization-manager-method-security
branch
3 times, most recently
from
2adbf47 to
396ab87
Compare
rwinch
requested changes
Apr 20, 2021
...in/java/org/springframework/security/authorization/method/AuthorizationMethodInvocation.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/authorization/method/AuthorizationMethodInvocation.java
Outdated
Show resolved
Hide resolved
...work/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java
Outdated
Show resolved
Hide resolved
...work/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java
Outdated
Show resolved
Hide resolved
...main/java/org/springframework/security/authorization/method/MethodInvocationReturnValue.java
Outdated
Show resolved
Hide resolved
.../java/org/springframework/security/authorization/method/AuthorizationMethodInterceptors.java
Outdated
Show resolved
Hide resolved
.../springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java
Outdated
Show resolved
Hide resolved
.../springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/authorization/method/AuthorizationMethodInterceptor.java
Outdated
Show resolved
Hide resolved
rwinch
requested changes
Apr 21, 2021
There was a problem hiding this comment.
I've provided some additional feedback inline. I also think we need to ensure we address #9630 (review)
|
|
||
| /** | ||
| * Returns an {@link AuthorizationManager} for the | ||
| * {@link AuthorizationMethodInvocation}. |
There was a problem hiding this comment.
AuthorizationMethodInvocation does not exist, so please remove references to it
| * @see SecuredAuthorizationManager | ||
| * @see Jsr250AuthorizationManager | ||
| */ | ||
| public final class AuthorizationAdvisors { |
There was a problem hiding this comment.
I think this could be removed in favor of constructors on the *Interceptors that match the static methods. We could put the DEFAULT_ORDER constant on the *Interceptor instances and default the value to it. Doing this would mean the users who customize the *Interceptors wouldn't need to remember to set the value to the default.
It would also make things a bit more consistent. The use of these constants seems inconsistent. PRE_FILTER_ADVISOR_ORDER is used by PreFilterAuthorizationMethodInterceptor directly. However, PRE_AUTHORIZE_ADVISOR_ORDER is only used in AuthorizationAdvisors.
...ava/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java
Show resolved
Hide resolved
jzheaux
force-pushed
the
authorization-manager-method-security
branch
from
74e1e47 to
04d8184
Compare
rwinch
requested changes
Apr 28, 2021
| @PreAuthorize("hasRole('USER')") | ||
| Account[] findAccounts(); | ||
|
|
||
| @PreAuthorize("hasRole('TELLER')") |
| [source,java] | ||
| ---- | ||
| @Bean | ||
| MethodSecurityExpressionHandler methodSecurityExpressionHandler() { |
There was a problem hiding this comment.
make this method static as it will be initialized very early on for AOP and static methods ensure that only this method is invoked vs initializing the entire configuration class
...ain/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java
Show resolved
Hide resolved
| @@ -6,6 +6,213 @@ It provides support for JSR-250 annotation security as well as the framework's o | |||
| From 3.0 you can also make use of new <<el-access,expression-based annotations>>. | |||
| You can apply security to a single bean, using the `intercept-methods` element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts. | |||
|
|
|||
| === EnableMethodSecurity | |||
|
|
|||
| In 5.6, we can enable annotation-based security using the `@EnableMethodSecurity` annotation on any `@Configuration` instance. | |||
There was a problem hiding this comment.
I think it is worth describing how this differs from @EnableGlobalMethodSecurity and that users should prefer this new support.
|
|
||
| In 5.6, we can enable annotation-based security using the `@EnableMethodSecurity` annotation on any `@Configuration` instance. | ||
|
|
||
| [NOTE] |
There was a problem hiding this comment.
Similar to how how we use { for if blocks, we use ==== for admonitions
| @@ -6,6 +6,213 @@ It provides support for JSR-250 annotation security as well as the framework's o | |||
| From 3.0 you can also make use of new <<el-access,expression-based annotations>>. | |||
| You can apply security to a single bean, using the `intercept-methods` element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts. | |||
|
|
|||
| === EnableMethodSecurity | |||
There was a problem hiding this comment.
Please add a reference to this in What's New
| @@ -6,6 +6,213 @@ It provides support for JSR-250 annotation security as well as the framework's o | |||
| From 3.0 you can also make use of new <<el-access,expression-based annotations>>. | |||
| You can apply security to a single bean, using the `intercept-methods` element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts. | |||
|
|
|||
| === EnableMethodSecurity | |||
|
|
|||
| In 5.6, we can enable annotation-based security using the `@EnableMethodSecurity` annotation on any `@Configuration` instance. | |||
There was a problem hiding this comment.
Perhaps change to "In Spring Security 5.6"
jzheaux
force-pushed
the
authorization-manager-method-security
branch
from
04d8184 to
75fd108
Compare
This was referenced May 3, 2021
jzheaux
force-pushed
the
authorization-manager-method-security
branch
from
75fd108 to
c5515b9
Compare
rwinch
added
in: core
jzheaux
force-pushed
the
authorization-manager-method-security
branch
from
c5515b9 to
041fce8
Compare
- Removed consolidated pointcut advisor in favor of each interceptor being an advisor. This allows Spring AOP to do more of the heavy lifting of selecting the set of interceptors that applies - Created new method context for after interceptors instead of modifying existing one - Added documentation - Added XML support - Added AuthorizationInterceptorsOrder to simplify interceptor ordering - Adjusted annotation lookup to comply with JSR-250 spec - Adjusted annotation lookup to exhaustively search for duplicate annotations - Separated into three @configuration classes, one for each set of authorization annotations Issue spring-projectsgh-9289
jzheaux
force-pushed
the
authorization-manager-method-security
branch
from
041fce8 to
4d5397f
Compare
This was referenced May 18, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.