Add API for Looking Up Security Annotations #15700

Closed
mauromol opened this issue Aug 27, 2024 · 4 comments
Labels: in: core (An issue in spring-security-core), type: enhancement (A general enhancement)

@mauromol

Expected Behavior

AuthorizationAnnotationUtils may be very useful if you plan to implement your own security annotation and corresponding authorization manager, because it adds additional security behaviour to the classic AnnotationUtils in Spring Framework.

Hence, it would be useful if custom extensions could use it.

Current Behavior

AuthorizationAnnotationUtils is package-private, so it can't be used by custom implementations. You either need to copy its code (running the risk of losing fixes in newer versions of Spring Security) or just use AnnotationUtils (running the risk of processing duplicate contradictory annotations in an unsafe way).

Context

I needed to create a custom annotation very similar to Secured, which however works with our role enumeration instead of with plain strings. So I created an Advisor for it as described at https://docs.spring.io/spring-security/reference/5.8/servlet/authorization/method-security.html#jc-method-security-custom-authorization-manager, but I also needed to write a proper AuthorizationManager to extract my annotation value from the target method/class and use it to compute AuthorizationDecisions.

Working with Spring Security 5.8.13.

@mauromol mauromol changed the title from "Make AuthorizationAnnotationUtils public?" to "Make AuthorizationAnnotationUtils public" Aug 27, 2024
@jzheaux
Contributor

jzheaux commented Sep 3, 2024

Hi, @mauromol, thanks for the suggestion. Spring Security 6.4 adds SecurityAnnotationScanner, which does exactly this, though it hasn't received much documentation just yet. If you are able to try it out (say, in a sample application) your feedback would be very helpful in determining if the API can be improved.

The basic usage is:

SecurityAnnotationScanner<AnAnnotation> scanner = SecurityAnnotationScanners.requireUnique(AnAnnotation.class);

// ...

AnAnnotation annotation = scanner.scan(method, targetClass);

Are you able to try out 6.4-SNAPSHOT and provide feedback?

@jzheaux jzheaux self-assigned this Sep 3, 2024
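
The use case from the issue, as an added example that is not part of the thread or of Spring Security's own code: an `AuthorizationManager<MethodInvocation>` that resolves a custom role annotation through `SecurityAnnotationScanners.requireUnique`. `AppRole`, `RequiresRole`, the `ROLE_` authority mapping and the fail-closed branch are assumptions made for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.security.core.annotation.SecurityAnnotationScanners;

// Hypothetical role enum and annotation standing in for the reporter's own types.
enum AppRole { ADMIN, AUDITOR }

@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@interface RequiresRole { AppRole[] value(); }

public final class RequiresRoleAuthorizationManager implements AuthorizationManager<MethodInvocation> {
    // requireUnique treats conflicting declarations of the annotation as an error
    // instead of silently picking one of them.
    private final SecurityAnnotationScanner<RequiresRole> scanner =
            SecurityAnnotationScanners.requireUnique(RequiresRole.class);

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
        Object target = mi.getThis();
        Class<?> targetClass = (target != null) ? target.getClass() : null;
        RequiresRole required = this.scanner.scan(mi.getMethod(), targetClass);
        if (required == null) {
            return new AuthorizationDecision(false); // design choice here: fail closed
        }
        // Assumption: each enum constant maps to the authority "ROLE_" + name().
        Set<String> allowed = Arrays.stream(required.value())
                .map(role -> "ROLE_" + role.name())
                .collect(Collectors.toSet());
        Authentication auth = authentication.get();
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority)
                        .anyMatch(allowed::contains);
        return new AuthorizationDecision(granted);
    }
}
```

Because the scanner is built once as a field, the uniqueness check applies to every invocation the manager is asked about, which is the protection plain `AnnotationUtils` lookups do not give.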
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@mauromol
Author

> Are you able to try out 6.4-SNAPSHOT and provide feedback?

I backported the SecurityAnnotationScanner class and all the related support classes in our project and it works perfectly fine for us. So I really look forward to seeing it in 6.4 final.

Thanks a lot!

@jzheaux jzheaux changed the title from "Make AuthorizationAnnotationUtils public" to "Add API for Looking Up Security Annotations" Sep 18, 2024
@jzheaux
Contributor

jzheaux commented Sep 18, 2024

Closed in 626610a

@jzheaux jzheaux closed this as completed Sep 18, 2024
@jzheaux jzheaux added this to the 6.4.0-RC1 milestone Sep 18, 2024