Add Meta-annotation Parameter Support #14480
Comments
@jzheaux Can I do it?
Hi, @kse-music, thanks for the offer. I'm going to take care of this one for the moment since it is in a bit of flux (notice the recent changes in the description). Please feel free to try out this branch to suggest improvements: https://github.com/jzheaux/spring-security/tree/gh-14480
Oh, according to the previous description, I thought that the meta-annotation parameter was used as a SpEL expression variable, but I didn't expect it to be used as a placeholder parsed property sources. @jzheaux
That's right, @kse-music. As I was doing some of my own research, I found that approach to be easier. The reason is that SpEL does not support nested variables, which would be needed in some setups. Sorry for the confusion. If you are still interested, I'd love to have your help on this PR: #14494 once I have it out of draft.
Very interesting idea! 👍
Would you mind providing a concrete example just for the sake of clarity?
Sure, @sbrannen. In the following arrangement:

```java
@PreAuthorize("hasAuthority(#authority)")
public @interface HasAuthority {
    String authority();
}

// ...

@HasAuthority(authority = "#parameter")
public String method(String parameter) { // an existing Spring Security annotation feature
    // ...
}
```

what happens is if

I couldn't quite unravel how to get SpEL to resolve
Will this enhancement let me do something like this?

```kotlin
@PreAuthorize(
    """
    hasAuthority('PERM_FOO') and
    (#checkTenantId == false or #tenantId == authentication.principal.tenantId)
    """
)
annotation class HasFooPermission(val checkTenantId: Boolean = true)

@RestController
@SecurityRequirement(name = "Bearer Authentication")
@RequestMapping(value = "/foo", produces = [MediaType.APPLICATION_JSON_VALUE])
class FooController(private val service: FooService) {
    @HasFooPermission(checkTenantId = false)
    @GetMapping
    fun findAll(): ResponseEntity<List<Foo>> = service.findAll().ok()

    @HasFooPermission
    @GetMapping("{tenantId}")
    fun findAllByTenantId(tenantId: UUID): ResponseEntity<List<Foo>> = service.findAllByTenantId(tenantId).ok()
}
```
@efenderbosch-atg According to the current implementation, attribute method variables in custom annotations need to be quoted through curly braces like so:
It would be nice if Spring Security's method security meta-annotation support allowed for parameters.
For example, it would be nice to be able to do:
Then, an application could do:
The annotation expression should be able to handle method parameters, like @PreAuthorize already does:
allowing an application to do:
Also, it should support passing method parameters through the custom annotation where:
supports:
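
Added illustration, not code from this issue or from Spring Security: a JDK-only sketch of the placeholder approach discussed in the thread, where a curly-brace placeholder in the meta-annotation's expression is replaced with the attribute's text before the expression is parsed, so `#parameter` ends up as an ordinary SpEL variable rather than a nested one. The `PreAuthorize` stand-in, `HasAuthority`, `Service` and `resolve` are assumptions made for the demo.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.regex.*;

public class MetaAnnotationTemplateDemo {

    // Stand-in for Spring Security's @PreAuthorize so the demo needs only the JDK (assumption).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.ANNOTATION_TYPE)
    @interface PreAuthorize { String value(); }

    // Hypothetical meta-annotation: {authority} is a template placeholder, not a SpEL variable.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @PreAuthorize("hasAuthority({authority})")
    @interface HasAuthority { String authority(); }

    static class Service {
        @HasAuthority(authority = "'PERM_FOO'")   // a literal authority
        public void fixed() { }

        @HasAuthority(authority = "#parameter")   // defer to a method parameter
        public void dynamic(String parameter) { }
    }

    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\w+)}");

    // Expands {name} from the meta-annotation's attributes before any expression parsing.
    static String resolve(Method method) throws ReflectiveOperationException {
        for (Annotation ann : method.getAnnotations()) {
            PreAuthorize template = ann.annotationType().getAnnotation(PreAuthorize.class);
            if (template == null) continue;
            Matcher m = PLACEHOLDER.matcher(template.value());
            StringBuilder out = new StringBuilder();
            while (m.find()) {
                // getMethod throws NoSuchMethodException for an unknown attribute: fail closed.
                Object value = ann.annotationType().getMethod(m.group(1)).invoke(ann);
                m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(value)));
            }
            return m.appendTail(out).toString();
        }
        throw new IllegalStateException("no templated authorization annotation on " + method);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(resolve(Service.class.getMethod("fixed")));
        System.out.println(resolve(Service.class.getMethod("dynamic", String.class)));
    }
}
```

The attribute text is spliced into the authorization expression unescaped, which is acceptable here only because annotation attributes are compile-time constants chosen by the developer. The same substitution applied to runtime or user-supplied values would be expression injection.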