Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring Method Security using Authorization Manager #22

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Spring Method Security using Authorization Manager #22

wants to merge 4 commits into from

Conversation

vladaspasic
Copy link
Contributor

With Spring Security 6 the @EnableGlobalSecurity has been deprecated, here is the transition path:
https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#migration-enableglobalmethodsecurity

The new approach does not require us to use the AccessDecisionVoter nor we need to enable method security via annotations for this library. It is now sufficient to register the AOP method interceptor bean using the AuthorizationManagerBeforeMethodInterceptor implementation. The interceptor uses our custom implementation of the AuthorizationManager interface to check if the method can be invoked or not.

It is now possible to use this library in conjunction with the @EnableGlobalSecurity, which was not possible before. You can now mix and match the @Permission and @PreAuthorize or @PostAuthorize permissions if it is required.

Note
Keep in mind when using both approaches that Spring would reject the method invocation when one of them fails. You can not say if pre-authorize check is ok, that the permission check can fail. They both need to pass.

The deprecated classes have been removed from this library as they are no longer needed. The usage of this library does not change one bit.

@github-actions
Copy link

github-actions bot commented Oct 2, 2023

File Coverage [92.26%] 🍏
PermissionMethodSecurityConfiguration.java 100% 🍏
PermissionAuthorizationManager.java 94.59% 🍏
PermissionSecurityAttributeRegistry.java 93.49% 🍏
PermissionScanSelector.java 82.11% 🍏
Total Project Coverage 89.65% 🍏

@vladaspasic
Copy link
Contributor Author

@mikailcolak do you need this update for MIDA?

@github-actions GitHub Actions
Copy link

Overall Project 89.65% -0.52% 🍏
Files changed 97.58% 🍏

File Coverage
PermissionMethodSecurityConfiguration.java 100% 🍏
PermissionAuthorizationManager.java 94.59% -5.41% 🍏
PermissionSecurityAttributeRegistry.java 93.49% 🍏
PermissionScanSelector.java 82.11% 🍏

@github-actions GitHub Actions
Copy link

Overall Project 89.39% -0.52% 🍏
Files changed 97.58% 🍏

File Coverage
PermissionMethodSecurityConfiguration.java 100% 🍏
PermissionAuthorizationManager.java 94.59% -5.41% 🍏
PermissionSecurityAttributeRegistry.java 93.49% 🍏
PermissionScanSelector.java 82.11% 🍏

@mikailcolak
Copy link

mikailcolak commented Feb 20, 2024
edited
Loading

@mikailcolak do you need this update for MIDA?

Not urgently, but I think I would like to have this for the next MIDA release (not the one we are currently working on that we are going to release soon).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@acoppola acoppola acoppola approved these changes

@mikailcolak mikailcolak mikailcolak approved these changes

@iznenad iznenad Awaiting requested review from iznenad

@jeramadon jeramadon Awaiting requested review from jeramadon

@McFcologne McFcologne Awaiting requested review from McFcologne

@michaelprimez michaelprimez Awaiting requested review from michaelprimez

@zarkovicmila zarkovicmila Awaiting requested review from zarkovicmila

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vladaspasic @mikailcolak @acoppola