
Spring security SPEL expressions support (@PreAuthorize and @PostAuthorize) #175

Closed
jvmlet opened this issue Jan 5, 2021 · 6 comments
Labels: enhancement (Auto-generates notes)
Milestone: 4.5.9

Comments

@jvmlet
Collaborator

jvmlet commented Jan 5, 2021

@PreAuthorize and nice to have @PostAuthorize

@jvmlet
Collaborator Author

jvmlet commented Aug 25, 2021

@markbanierink, can you please show how you configure the authentication manager with a working @PreAuthorize annotation?
When I set @EnableGlobalMethodSecurity(prePostEnabled = true) and add @PreAuthorize("myExpression") on some method, it fails with a user-not-found exception because the auth SpEL voter uses another instance of the authentication manager, not the one that gRPC security uses...

@jvmlet
Collaborator Author

jvmlet commented Aug 25, 2021

You probably have @Secured({}) on the gRPC service, right? In this case @PreAuthorize doesn't try to re-authenticate, because the user is already authenticated with the right auth manager; it only evaluates the expression. Can you please confirm it?
If yes, would you please try to reproduce by removing the @Secured({}) annotation from the service?
Thanks

@markbanierink

markbanierink commented Aug 26, 2021

No, we do not use @Secured({}). Our complete gRPC configuration looks like this:

// Imports added for completeness; the snippet as posted omitted them.
import org.lognet.springboot.grpc.security.GrpcSecurity;
import org.lognet.springboot.grpc.security.GrpcSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;

@Configuration
public class BaseGrpcServerSecurityConfiguration extends GrpcSecurityConfigurerAdapter {

    @Override
    public void configure(GrpcSecurity builder) throws Exception {
        // Register the JWT provider that the gRPC security interceptor authenticates with.
        builder.authenticationProvider(authenticationProvider(jwtDecoder()));
        // Every gRPC method requires an authenticated caller.
        builder.authorizeRequests().anyMethod().authenticated();
    }

    private AuthenticationProvider authenticationProvider(JwtDecoder jwtDecoder) {
        // Custom converter maps JWT claims to the Authentication (principal + authorities).
        JwtAuthenticationConverter jwtAuthenticationConverter = new CustomAuthenticationConverter();
        JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
        jwtAuthenticationProvider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
        return jwtAuthenticationProvider;
    }

    private JwtDecoder jwtDecoder() {
        // Custom decoder validates the token signature and claims.
        return new CustomJwtDecoder();
    }
}

Web service configuration:

// Imports added for completeness; the snippet as posted omitted them.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

public abstract class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Value("${ourPath}")
    private String ourPath;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                // Only the configured path is reachable, and only by authenticated callers;
                // everything else is denied outright.
                .antMatchers(getOurPath()).authenticated()
                .anyRequest().denyAll()
                .and()
                // Same custom decoder and converter as on the gRPC side.
                .oauth2ResourceServer().jwt().decoder(jwtDecoder()).jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    private String getOurPath() {
        return ourPath;
    }

    private JwtDecoder jwtDecoder() {
        return new CustomJwtDecoder();
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        return new CustomAuthenticationConverter();
    }
}

And the security configuration:

// Imports added for completeness; the snippet as posted omitted them.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize/@PostAuthorize/@PostFilter
public class SecurityConfiguration {
    // some beans
}

@jvmlet
Collaborator Author

jvmlet commented Aug 26, 2021

I see, so you have the same configuration for both authentication providers - the gRPC and the web authentication managers..

@markbanierink

Yes, we have a configuration for each, since it is very well possible that any of the APIs in the future is going to use another type of authentication. Both are separate modules. Our domain model is also a separate module and that one contains the SecurityConfiguration. So no matter how a user is authenticated, he is added to the Spring Security context and then @PreAuthorize, @PostFilter, etc. can be used in the domain to do the authorization part.

@jvmlet
Collaborator Author

jvmlet commented Aug 26, 2021

Great, now I'll need to figure out how to tell Spring Security NOT to proxy GrpcService beans when @EnableGlobalMethodSecurity(prePostEnabled = true) is defined, because GrpcSecurityInterceptor now executes the full authentication flow, including finallyInvocation and afterInvocation (which evaluates the @PostAuthorize constraint).
MethodSecurityInterceptor can't get hold of the returned value anyway ...
Stay tuned, @(Pre/Post)Authorize on gRPC service/method will be supported soon.
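As an added illustration (not code from this thread or from the project), the layout markbanierink describes: one shared configuration that switches on the pre/post annotations, and a domain service guarded by @PreAuthorize and @PostFilter that is evaluated against whatever Authentication the gRPC interceptor or the servlet filter placed in the SecurityContext. The Order type, OrderService and the ORDERS_READ authority are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Shared by the gRPC and the web module: the single switch that turns on
// @PreAuthorize/@PostFilter for every bean, whichever entry point authenticated the caller.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfiguration {
}

// Constructed domain type (assumption): an order that belongs to one user.
class Order {
    private final String id;
    private final String owner;

    Order(String id, String owner) {
        this.id = id;
        this.owner = owner;
    }

    public String getId() { return id; }

    // SpEL's "filterObject.owner" resolves to this getter.
    public String getOwner() { return owner; }
}

// Domain service: the decision is made here against SecurityContextHolder, so it does not
// care whether the Authentication came from the gRPC interceptor or the servlet filter chain.
@Service
class OrderService {

    // Coarse gate: 'ORDERS_READ' is an assumed authority emitted by CustomAuthenticationConverter.
    @PreAuthorize("hasAuthority('ORDERS_READ')")
    // Fine-grained filter: keep only the orders owned by the authenticated principal.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Order> findAll() {
        // Constructed sample data (assumption). @PostFilter removes elements in place,
        // so the returned list must be mutable; an unmodifiable list would throw here.
        return new ArrayList<>(Arrays.asList(
                new Order("o-1", "alice"),
                new Order("o-2", "bob")));
    }
}
```

Calling findAll() from a gRPC handler and from a REST controller yields the same filtered result for the same principal, which is the independence from the transport that the shared SecurityConfiguration is meant to give.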

@jvmlet jvmlet added this to the 4.5.9 milestone Oct 25, 2021
@jvmlet jvmlet added the enhancement Auto-generates notes label Oct 25, 2021
@jvmlet jvmlet changed the title Spring security SPEL expressions support Spring security SPEL expressions support (@PreAuthorize and @PostAuthorize) Oct 27, 2021
@jvmlet jvmlet closed this as completed in ded2743 Oct 27, 2021
jvmlet pushed a commit that referenced this issue Oct 27, 2021
jvmlet pushed a commit that referenced this issue Oct 28, 2021
jvmlet pushed a commit that referenced this issue Oct 28, 2021
jvmlet pushed a commit that referenced this issue Oct 28, 2021
jvmlet pushed a commit that referenced this issue Oct 28, 2021
jvmlet pushed a commit that referenced this issue Nov 3, 2021