DefaultMethodSecurityExpressionHandler can't be extended anymore ? #12578

Closed
mfrechePgest opened this issue Jan 24, 2023 · 1 comment
Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue

mfrechePgest commented Jan 24, 2023

Upgrading to Spring Security 6, it seems I can't use my own SecurityExpressionRoot like I previously did.

Describe the bug

I used to extend DefaultMethodSecurityExpressionHandler, overwriting createSecurityExpressionRoot to specify my own SecurityExpressionRoot.

But the method isn't invoked anymore.
DefaultMethodSecurityExpressionHandler and its callers migrated to functional-style, and there is a second createSecurityExpressionRoot taking a Supplier as a parameter.

The new method is private so I can't overwrite it anymore.

To Reproduce

My 5.x code used to do exactly what Baeldung told me to do :) :
In his sample code, he created a CustomMethodSecurityExpressionHandler kinda like me and overwrote createSecurityExpressionRoot.
I can't set up the same kind of configuration with the new version, because the overwritten method isn't invoked anymore.

Expected behavior

I guess the second createSecurityExpressionRoot should be protected as well, so we could still set up our own SecurityExpressionRoot and overwrite the method taking Supplier<Authentication> as param.

The documentation doesn't provide any other way to do the same thing: https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html
There may be a new way to inject our own SecurityExpressionRoot, but I didn't find it... And in this case my issue shouldn't be set as a "Bug".

@mfrechePgest mfrechePgest added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 24, 2023
Contributor

jzheaux commented Jan 25, 2023

Thanks, @mfrechePgest, for reaching out and for updating to Spring Security 6. We introduced some breaking changes in this major release, and this is one of them. Please see #12331 for details.

@jzheaux jzheaux closed this as completed Jan 25, 2023
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 25, 2023
@jzheaux jzheaux self-assigned this Jan 25, 2023
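
The 5.x extension pattern described in the report above, written out as an added example; it is not code from the reporter or from the Spring Security project. `CustomRoot`, `isOwner` and the `@PreAuthorize` expression in the comment are hypothetical names chosen for illustration.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

// Hypothetical custom root: adds one expression method for use in method-security annotations.
class CustomRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private Object filterObject;
    private Object returnObject;
    private Object target;

    CustomRoot(Authentication authentication) {
        super(authentication);
    }

    // Hypothetical domain check, e.g. @PreAuthorize("isOwner(#accountName)")
    public boolean isOwner(String accountName) {
        return accountName != null && accountName.equals(getAuthentication().getName());
    }

    void setThis(Object target) { this.target = target; }
    @Override public Object getThis() { return target; }
    @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
    @Override public Object getReturnObject() { return returnObject; }
}

public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    // The 5.x extension point. According to this issue, Spring Security 6 no longer
    // invokes this overload, so the code below does not run after the upgrade.
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        CustomRoot root = new CustomRoot(authentication);
        root.setThis(invocation.getThis());
        // Carry over the handler's collaborators so built-in expressions keep working.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
```

When upgrading, an integration test that calls a method guarded by an expression such as `isOwner(#accountName)` shows whether the custom root is still in effect.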