Cannot add custom methods to secure method invocations in spring-security 6 #12370

Closed
marcusportmann opened this issue Dec 12, 2022 · 1 comment
Labels
status: duplicate A duplicate of another issue type: bug A general bug

Comments

marcusportmann commented Dec 12, 2022

Hello,

I am attempting to migrate my Inception Framework, based on Spring Boot 2, to Spring Boot 3.

I have created an ApiMethodSecurityExpressionHandler class that extends the DefaultMethodSecurityExpressionHandler class.

I have overridden the createSecurityExpressionRoot method, as shown below.

  import org.aopalliance.intercept.MethodInvocation;
  import org.springframework.context.ApplicationContext;
  import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
  import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
  import org.springframework.security.core.Authentication;

  public class ApiMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    // Handed to the custom expression root; how it is populated is not shown in the issue.
    private ApplicationContext applicationContext;

    // Spring Security 5 called this hook when building the SpEL context for a secured method.
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
        Authentication authentication, MethodInvocation invocation) {
      ApiSecurityExpressionRoot apiSecurityExpressionRoot =
          new ApiSecurityExpressionRoot(authentication, applicationContext);

      apiSecurityExpressionRoot.setPermissionEvaluator(getPermissionEvaluator());
      apiSecurityExpressionRoot.setTrustResolver(this.getTrustResolver());
      apiSecurityExpressionRoot.setRoleHierarchy(getRoleHierarchy());

      return apiSecurityExpressionRoot;
    }
  }

This approach used to work in Spring Boot 2.

With Spring Boot 3, there appears to be an issue with the DefaultMethodSecurityExpressionHandler class.

The createEvaluationContext cannot be overridden because it uses a MethodSecurityEvaluationContext class, which is not accessible. It also invokes a private createSecurityExpressionRoot method, which means my overridden createSecurityExpressionRoot is no longer invoked.

I believe the createEvaluationContext should be modified to unwrap the Supplier object as shown below to restore the original behaviour.

  // Proposed change inside DefaultMethodSecurityExpressionHandler: resolve the Supplier here
  // so that the protected createSecurityExpressionRoot(Authentication, MethodInvocation)
  // hook is reached again, as it was in Spring Security 5.
  @Override
  public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
    MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication.get(), mi);
    MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(root, mi,
        getParameterNameDiscoverer());
    ctx.setBeanResolver(getBeanResolver());
    return ctx;
  }
@marcusportmann marcusportmann added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 12, 2022
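An added example, not the issue author's code and not Spring Security's own, showing one way a subclass can keep its custom expression root working on Spring Security 6 without waiting for the framework change proposed above: override the public Supplier-based createEvaluationContext entry point, unwrap the Supplier there, and build the context with Spring's public MethodBasedEvaluationContext, since the package-private MethodSecurityEvaluationContext cannot be used from outside the framework package. The ApiSecurityExpressionRoot class, its hasApiKeyScope method and the "SCOPE_" authority prefix are assumptions made for the illustration; the framework methods called (getPermissionEvaluator, getTrustResolver, getRoleHierarchy, getParameterNameDiscoverer, getBeanResolver) are the protected accessors of DefaultMethodSecurityExpressionHandler and AbstractSecurityExpressionHandler.

```java
import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.expression.MethodBasedEvaluationContext;
import org.springframework.expression.EvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

// Hypothetical custom root. It adds the method that @PreAuthorize expressions should be able
// to call, e.g. @PreAuthorize("hasApiKeyScope('read')"); hasRole, hasAuthority, isAuthenticated
// and the rest are inherited from SecurityExpressionRoot.
class ApiSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {

  private Object filterObject;
  private Object returnObject;
  private Object target;

  ApiSecurityExpressionRoot(Authentication authentication) {
    super(authentication);
  }

  // Assumed check: true when the principal holds the granted authority "SCOPE_" + scope.
  public boolean hasApiKeyScope(String scope) {
    return hasAuthority("SCOPE_" + scope);
  }

  @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
  @Override public Object getFilterObject() { return this.filterObject; }
  @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
  @Override public Object getReturnObject() { return this.returnObject; }
  void setThis(Object target) { this.target = target; }
  @Override public Object getThis() { return this.target; }
}

public class ApiMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

  // On Spring Security 6 the protected createSecurityExpressionRoot(Authentication, MethodInvocation)
  // is no longer reached from the framework's createEvaluationContext, so the public Supplier-based
  // entry point is overridden instead. The Supplier is resolved eagerly here, which gives up the
  // deferred Authentication lookup the framework's own path performs.
  @Override
  public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
    MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication.get(), mi);
    // MethodBasedEvaluationContext resolves method parameters lazily by name (#param) and index (#p0),
    // which is what the package-private MethodSecurityEvaluationContext builds on.
    MethodBasedEvaluationContext ctx = new MethodBasedEvaluationContext(
        root, mi.getMethod(), mi.getArguments(), getParameterNameDiscoverer());
    ctx.setBeanResolver(getBeanResolver());  // keeps @beanName.method(...) references working
    return ctx;
  }

  @Override
  protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
      Authentication authentication, MethodInvocation invocation) {
    ApiSecurityExpressionRoot root = new ApiSecurityExpressionRoot(authentication);
    root.setThis(invocation.getThis());
    root.setPermissionEvaluator(getPermissionEvaluator());
    root.setTrustResolver(getTrustResolver());
    root.setRoleHierarchy(getRoleHierarchy());
    return root;
  }
}
```

The handler is picked up by exposing it as a MethodSecurityExpressionHandler bean next to @EnableMethodSecurity. The point worth checking after any such migration is the failure mode: when the custom root is bypassed, an expression such as hasApiKeyScope('read') can no longer be resolved at all, so every method guarded by the custom vocabulary stops working rather than silently passing.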
marcusdacoregio (Contributor) commented Dec 13, 2022

Hi @marcusportmann,

I think this is related to #12331, therefore I'll close this as a duplicate.

Feel free to ask to reopen if they are not the same.

@marcusdacoregio marcusdacoregio added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 13, 2022