RequestMatcherDelegatingAuthorizationManager should be post-processable #15948

Closed
codeconsole opened this issue Oct 18, 2024 · 2 comments · Fixed by #15978
Labels: in: config (An issue in spring-security-config), type: bug (A general bug)

Comments

codeconsole (Contributor) commented Oct 18, 2024

Currently there is no way to enforce the Principle of least privilege with respect to Handler Mappings and method security, e.g. PreAuthorize.

Some frameworks built on top of Spring Security accomplish this by providing an AnnotationFilterInvocationDefinition to the FilterSecurityInterceptor that checks both the request mappings and method level annotations.

This approach, however, will no longer be possible in Spring Security 7 due to the fact that the FilterSecurityInterceptor is set for removal in favor of the AuthorizationFilter.

While it is possible to create an instance of the AuthorizationFilter with its own AuthorizationManager, it is impossible to utilize the convenient creation of a RequestMatcherDelegatingAuthorizationManager.

A very simple solution for achieving the Principle of least privilege while honoring method level overrides would be to instantiate an AuthorizationFilter with a wrapped RequestMatcherDelegatingAuthorizationManager that first checks the authorization level of the request mapping and then does the method level annotation check as an override. This is not currently possible because RequestMatcherDelegatingAuthorizationManager cannot be built independently of the AuthorizationFilter, nor can it be customized to perform further checks.

Making it extensible or allowing it to be built outside of the AuthorizationFilter would enable the new approach to be accomplished and promote code reuse. The goal here is to utilize the RequestMatcherDelegatingAuthorizationManager when creating a custom approach to securing requests that involves method level security.

@codeconsole codeconsole added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 18, 2024
codeconsole (Contributor, Author) commented:

#14371

jzheaux (Contributor) commented Oct 22, 2024

Related to #13057

codeconsole added a commit to codeconsole/spring-security that referenced this issue Oct 23, 2024
…nager is final and does not expose any public methods other than what is available through AuthorizationManager. Fixes spring-projects#15948
@jzheaux jzheaux self-assigned this Oct 23, 2024
jzheaux pushed a commit to codeconsole/spring-security that referenced this issue Oct 23, 2024
@jzheaux jzheaux added in: config An issue in spring-security-config type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 23, 2024
@jzheaux jzheaux added this to the 6.2.8 milestone Oct 23, 2024
@jzheaux jzheaux changed the title Provide a Mechanism for RequestMatcherDelegatingAuthorizationManager to be created outside of http.authorizeHttpRequests() RequestMatcherDelegatingAuthorizationManager should be post-processable Oct 23, 2024