authorizeHttpRequests should consider GrantedAuthorityDefaults #13215

Closed
dmngb opened this issue May 24, 2023 · 3 comments
Assignee: marcusdacoregio
Labels: in: config (An issue in spring-security-config); status: ideal-for-contribution (An issue that we actively are looking for someone to help us with); type: enhancement (A general enhancement)
Milestone: 6.2.0-M1

Comments


dmngb commented May 24, 2023

We use a custom prefix for our roles (e.g. we want roles to be something like MYPREFIX_USER instead of ROLE_USER):

    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        // Custom role prefix: hasRole("USER") is expected to resolve to MYPREFIX_USER
        return new GrantedAuthorityDefaults("MYPREFIX_");
    }

If we define our security filter like below (with deprecated authorizeRequests), everything works as expected and the custom prefix is taken into account:

    @Bean
    public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
        // deprecated authorizeRequests(): honours the GrantedAuthorityDefaults prefix
        return http.authorizeRequests(c -> c.anyRequest().hasRole("USER")).formLogin(withDefaults()).build();
    }

If we change our code to use the recommended authorizeHttpRequests, then the custom prefix is ignored and ROLE_ is used instead:

    @Bean
    public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
        // authorizeHttpRequests(): hasRole() hard-codes ROLE_ and ignores the prefix bean
        return http.authorizeHttpRequests(c -> c.anyRequest().hasRole("USER")).formLogin(withDefaults()).build();
    }

Our workaround is to use something like :

    @Bean
    public SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
        // workaround: spell out the full, prefixed authority instead of using hasRole()
        return http.authorizeHttpRequests(c -> c.anyRequest().hasAuthority("MYPREFIX_USER")).formLogin(withDefaults()).build();
    }

Found in Spring Boot 3.1.0 / Spring Security 6.1.0
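The following is an added example; it is not code from the issue author or from Spring Security's own sources. It shows a way to keep role-style checks under authorizeHttpRequests while still applying the GrantedAuthorityDefaults prefix: the prefix is passed explicitly to the existing AuthorityAuthorizationManager.hasAnyRole(String rolePrefix, String[] roles) factory and the resulting manager is plugged in through .access(...). The class name PrefixedRoleSecurityConfig, the helper hasPrefixedRole, the /admin/** matcher and the constructed principal "alice" carrying the authority MYPREFIX_USER are assumptions made for the illustration. The main method evaluates the managers directly against a TestingAuthenticationToken, outside any web request, so the difference between the hard-coded ROLE_ check and the prefixed check can be observed without starting the application.

```java
// Added example (not from the issue or from Spring Security itself): honour the
// GrantedAuthorityDefaults prefix under authorizeHttpRequests in Spring Security 6.1
// by handing the prefix to AuthorityAuthorizationManager.hasAnyRole(prefix, roles).
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
public class PrefixedRoleSecurityConfig { // hypothetical class name

    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("MYPREFIX_");
    }

    // Hypothetical helper: a role check that uses the configured prefix instead of the
    // "ROLE_" that AuthorizedUrl.hasRole() hard-codes in 6.1. Roles are given without prefix.
    static AuthorizationManager<RequestAuthorizationContext> hasPrefixedRole(
            GrantedAuthorityDefaults defaults, String... roles) {
        return AuthorityAuthorizationManager.hasAnyRole(defaults.getRolePrefix(), roles);
    }

    @Bean
    public SecurityFilterChain myFilterChain(HttpSecurity http, GrantedAuthorityDefaults defaults)
            throws Exception {
        return http
            .authorizeHttpRequests(c -> c
                // /admin/** is an assumed path; MYPREFIX_ADMIN is required there
                .requestMatchers("/admin/**").access(hasPrefixedRole(defaults, "ADMIN"))
                // everything else requires MYPREFIX_USER, the role the issue is about
                .anyRequest().access(hasPrefixedRole(defaults, "USER")))
            .formLogin(withDefaults())
            .build();
    }

    // Stand-alone check without a web context: evaluate both managers against a
    // constructed principal that holds only the custom-prefixed authority.
    public static void main(String[] args) {
        GrantedAuthorityDefaults defaults = new GrantedAuthorityDefaults("MYPREFIX_");
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "MYPREFIX_USER");
        Supplier<Authentication> auth = () -> alice;
        // Authority-based managers never look at the request context, so null is safe here.
        RequestAuthorizationContext ctx = null;

        // Built-in hasRole("USER") looks for ROLE_USER, which alice does not have.
        AuthorizationDecision builtIn = AuthorityAuthorizationManager
            .<RequestAuthorizationContext>hasRole("USER").check(auth, ctx);
        // Prefixed variant looks for MYPREFIX_USER.
        AuthorizationDecision prefixed = hasPrefixedRole(defaults, "USER").check(auth, ctx);

        System.out.println("hasRole(\"USER\") with ROLE_ prefix granted?  " + builtIn.isGranted());
        System.out.println("hasAnyRole(MYPREFIX_, USER) granted?        " + prefixed.isGranted());
    }
}
```

The first decision is denied under the behaviour reported above, because AuthorizedUrl.hasRole("USER") resolves to ROLE_USER regardless of the GrantedAuthorityDefaults bean, while the second is granted because the manager was built with the MYPREFIX_ prefix. The same manager object is what the filter chain consults for each matching request, so the web behaviour follows the stand-alone check. Compared with the hasAuthority("MYPREFIX_USER") workaround, this keeps the prefix in one place: changing the bean changes every role check.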

@dmngb dmngb added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 24, 2023
@marcusdacoregio marcusdacoregio self-assigned this May 24, 2023
@marcusdacoregio marcusdacoregio added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels May 24, 2023
marcusdacoregio (Contributor) commented

Hi @dmngb, thanks for the report.

We will consider adding this to the next minor version since this is a new, optional feature. As you mentioned, you can still get the old behavior by using hasAuthority. This is consistent with #12473.

However, there is nothing in the migration guide that mentions what users should do if they are changing the prefix and migrating to authorizeHttpRequests, for that I created #13227. I'll update the title of this issue to add the support for GrantedAuthorityDefaults in authorizeHttpRequests if you are okay with it.

@marcusdacoregio marcusdacoregio changed the title from "HttpSecurity: GrantedAuthorityDefaults prefix ignored in hasRole when using http.authorizeHttpRequests instead of deprecated authorizeRequests" to "authorizeHttpRequests should consider GrantedAuthorityDefaults" May 25, 2023
@marcusdacoregio marcusdacoregio added type: enhancement A general enhancement and removed type: bug A general bug labels May 25, 2023
@marcusdacoregio marcusdacoregio added the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label May 26, 2023
kandaguru17 (Contributor) commented

@marcusdacoregio, Can I work on this one?

marcusdacoregio (Contributor) commented

Absolutely @kandaguru17, it's yours.

@marcusdacoregio marcusdacoregio moved this from Planning to Prioritized in Spring Security Team May 31, 2023
marcusdacoregio added a commit that referenced this issue Jun 22, 2023
@github-project-automation github-project-automation bot moved this from Prioritized to Done in Spring Security Team Jun 22, 2023
@marcusdacoregio marcusdacoregio added this to the 6.2.0-M1 milestone Jun 22, 2023