Simplify Request Authorization Path Extraction #13256

Closed
jzheaux opened this issue May 31, 2023 · 0 comments · Fixed by #13574
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

jzheaux commented May 31, 2023

authorizeHttpRequests does not have direct expression support; this can create a slight issue when migrating expressions like the following:

.mvcMatchers("/resource/{id}").access("#id == authentication.name")

While it can be migrated using WebExpressionAuthorizationManager like so:

.mvcMatchers("/resource/{id}").access(new WebExpressionAuthorizationManager("#id == authentication.name"))

it would be nice to have something programmatic that does not require SpEL.

One way to do this already is a custom AuthorizationManager like this one:

.mvcMatchers("/resource/{id}").access((authentication, object) -> {
    String value = object.getVariables().get("id");
    return new AuthorizationDecision(authentication.get().getName().equals(value));
})

But this isn't as idiomatic as other Spring Security expressions like hasAuthority.

A possible improvement is:

.mvcMatchers("/resource/{id}").access(variable("id").isEqualTo(Authentication::getName))

Or another would be:

.mvcMatchers("/resource/{id}").hasVariable("id").equalTo(Authentication::getName)
@jzheaux jzheaux added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 31, 2023
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 7, 2023
jzheaux pushed a commit to kth496/spring-security that referenced this issue Dec 20, 2023
jzheaux pushed a commit that referenced this issue Dec 20, 2023