Support the usage of bean references in Java Configuration reactive web expressions

[codependent]

Summary

The usual Spring MVC Security allows us to reference beans in the web security expressions:

http
        .authorizeRequests()
                .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
                ...

Currently the reactive version doesn't offer an access method with a String for web expressions, only with a ReaciveAuthorizationManager.

Actual Behavior

This is the API offered by pathMatchers

.authorizeExchange()
                    .pathMatchers("").access( ReaciveAuthorizationManager ... )

Expected Behavior

Possibility of configuring a security web expression:

http
        .authorizeExchange()
                .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
                ...

Configuration

...

Version

5.2.0.RC1

[jzheaux]

Thanks for the suggestion, @codependent. How is the webSecurity bean in your sample materially different from publishing a ReactiveAuthorizationManager implementation and using that? It seems like the logic in webSecurity#check would be nearly identical to a concrete ReactiveAuthorizationManager implementation.

Generally speaking, I don't see the appeal to using SpEL when it's simple to provide a concrete, unit-testable authorization implementation instead. Additionally, applications have tended over the years to embed an unhealthy amount of logic in their security SpEL expressions, so I'm hesitant to add a feature that encourages that practice.

[codependent]

@jzheaux as you say implementing ReactiveAuthorizationManager is nearly equivalent to what the SpEL expression would do. I was used to the Spring MVC approach and thought it would be nice to have in Webflux as well. In any case I see your point regarding the risk of arbitrary SpEL so feel free to discard the issue if you think it's better not to have this.

Thanks for considering it anyway.

[jzheaux]

Let's see where #11105 goes -- it may be value to add the same to the reactive side.