SEC-2083: Create a MethodSecurityExpressionHandler that can handle fixed-sized collections #2316
Comments
Mattias Severson said: Are you considering filtering of immutable collections? I have just submitted a pull request to give you some idea of what I have in mind.
Rob Winch said: Thanks for the submission. I think I would prefer a strategy style pattern rather than inheritance. This would allow handling of custom types. One issue I see w/ the pull request is it does not seem to consider that some users may use specific types of collections. For example, if the method signature were a LinkedList this solution does not look like it would work since LinkedList is a List and the solution would use an ArrayList. A PR that would be merged would certainly need some tests to demonstrate these use cases working.
I was looking at this issue again and I think it's misleading. It should be considered a bug, not an enhancement. As shown in my ticket #8427, the issue also affects mutable lists. This means that currently it's not possible to use the postfilter on any collection. Changing the scope could give a different prioritization to this ticket, I think.
It works fine with collections that allow for changing the size. For example,
In 2023, this issue is still problematic. Here is some code; I hope it can help people who fall into the trap like me. The controller using @PostFilter or @PostAuthorize with an immutable collection:
Configuration of the MethodSecurityExpressionHandler using a custom DefaultMethodSecurityExpressionHandler:
Configuration of a custom DefaultMethodSecurityExpressionHandler:
PermissionEvaluator implementation ...
Mattias Severson (Migrated from SEC-2083) said:
When using annotations to filter collections, e.g. @PostFilter("hasPermission(filterObject, 'SOME_PERMISSION')"), the DefaultMethodSecurityExpressionHandler.filter() gets called. The problem with this method is that if the filterTarget is an immutable list or an immutable set, an exception will be thrown (because collection.clear() is called before the elements in the retainList are added back to the collection).

One solution to overcome this problem is to implement an "ImmutableMethodSecurityExpressionHandler" by subclassing the DefaultMethodSecurityExpressionHandler and overriding the filter() method: if the filterTarget is of type List, Set, or SortedSet, do the filtering as before, but instead of clearing the existing collection, return the retainList wrapped in Collections.unmodifiableList(), Collections.unmodifiableSet() or Collections.unmodifiableSortedSet() respectively.

UPDATE: We should also support Arrays.asList, which is a fixed size collection.
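As an added example (not code from this issue or from Spring Security itself), a hypothetical handler that applies the approach described above: the stock filter() logic runs on a mutable copy of the target, so immutable lists and sets and Arrays.asList() results are never cleared or added to, and the caller receives a read-only view. The class name is made up; it assumes the handler is registered as the application's MethodSecurityExpressionHandler bean.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;

/**
 * Hypothetical handler (added example, not part of Spring Security).
 * DefaultMethodSecurityExpressionHandler.filter() calls clear()/addAll() on the
 * returned collection itself, which throws for immutable collections and for
 * the fixed-size list behind Arrays.asList(). Here the stock logic runs on a
 * mutable copy instead, and an unmodifiable view of the result is returned.
 */
public class ImmutableSafeMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    @SuppressWarnings("unchecked")
    public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
        if (filterTarget instanceof SortedSet) {
            // TreeSet(SortedSet) keeps the original comparator (or natural ordering)
            SortedSet<Object> copy = new TreeSet<>((SortedSet<Object>) filterTarget);
            super.filter(copy, filterExpression, ctx);   // filters the copy in place
            return Collections.unmodifiableSortedSet(copy);
        }
        if (filterTarget instanceof Set) {
            Set<Object> copy = new LinkedHashSet<>((Set<?>) filterTarget); // keeps iteration order
            super.filter(copy, filterExpression, ctx);
            return Collections.unmodifiableSet(copy);
        }
        if (filterTarget instanceof List) {
            List<Object> copy = new ArrayList<>((List<?>) filterTarget);   // also covers Arrays.asList()
            super.filter(copy, filterExpression, ctx);
            return Collections.unmodifiableList(copy);
        }
        // Arrays, maps, streams and any other target keep the stock behaviour.
        return super.filter(filterTarget, filterExpression, ctx);
    }
}
```

As Rob Winch's comment points out, a copy like this does not preserve specialised collection types: a LinkedList result comes back as a read-only ArrayList-backed List, so a method whose signature demands the concrete type would need its own strategy.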