Allow to extend method security expressions when working with EnableMethodSecurity annotation #12564
Assignees
Labels
status: waiting-for-feedback
We need additional information before we can continue
status: waiting-for-triage
An issue we've not yet triaged
type: enhancement
A general enhancement
Comments
anschnapp
added
status: waiting-for-triage
anschnapp
changed the title
|
Hi @anschnapp, I believe that this is a duplicate of #12331 (comment). Can you check the proposed workarounds in that issue and confirm if they work for you? |
marcusdacoregio
added
the
status: waiting-for-feedback
|
Hi @marcusdacoregio thank you very much to point me on this! This ticket is definitive a duplicate, sorry for that. (i searched for similar open tickets and not similar close tickets. next time i search for both) My migrated solution was very close but i was stuck of creating of how to create the context without using package private classes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
With the deprecated annotation for method security support:
@EnableGlobalMethodSecurity(prePostEnabled = true)there was a way to "give in" a customMethodSecurityExpressionRootby also defining a customMethodSecurityExpressionHandlerextended from the default oneDefaultMethodSecurityExpressionHandler.The purpose is to have an own custom security expression on methods by
@PreAuthorize("hasCustomAttribute('attr')")I have used it almost exactly like in this description from baeldung:
https://www.baeldung.com/spring-security-create-new-custom-security-expression#customExpression
I like to remove the deprecated annotation and replace it with
@EnableMethodSecurityand still be able to support myCustomMethodSecurityExpressionHandler(which extends fromDefaultMethodSecurityExpressionHandler) but have some additional expression methods defined (by an also overwritten variant ofMethodSecurityExpressionRoot.Current Behavior
It turned out that the configuration based on the new method security annotation
@EnableMethodSecurityworks slightly different then the old one.And my old solution (see above) does not work any longer.
I tried quite some time to adjust it to the new configuration, but IIMO it is unnecessary hard if not impossible (without really dirty hacks and coupling to spring internals to do so.
I don't want to write a complete new
DefaultMethodSecurityExpressionHandler, which also would imply to write an ownMethodSecurityEvaluationContext.I could extend from it and set an custom expression root (extended from
MethodSecurityExpressionRoot) with new expression functions. (which is also not that easy to configure)But in the end also the method
createEvaluationContextmust be overwritten, because it's directly create a newMethodSecurityExpressionRootfrom the super class. But i cannot easily overwrite this method with my own because the original also created (a required)MethodSecurityEvaluationContextwhich is not known from my code base (package private). And i don't want to use hacks to couple my code to this internal class.Potential Solutions
For me a perfect convenient solution could be to make the
MethodSecurityExpressionRootsomehow configurable for theDefaultMethodSecurityExpressionHandler. Maybe as asetterfor the generation code of aDefaultMethodSecurityExpressionHandlerso basically something like:Or same as a
DefaultMethodSecurityExpressionHandlerCustomizer(or builder customizer).Or something similar on upper level (so not limited to
DefaultMethodSecurityExpressionHandler.If there is already a way how to do it (don't find it in the documentation), this would of course also solve my issue.
Context
This issue prevents me from upgrading to the not deprecated annotation.
Therefore i might stick on older code and behaviour. And i might get in real trouble on next major release where this annotation could be deleted.
The text was updated successfully, but these errors were encountered: