Skip to content

GlobalMethodSecurity and multiple annotation ordering #4103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vguna opened this issue Oct 20, 2016 · 4 comments
Closed

GlobalMethodSecurity and multiple annotation ordering #4103

vguna opened this issue Oct 20, 2016 · 4 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Milestone
5.6.0-M1

Comments

@vguna
Copy link

vguna commented Oct 20, 2016

Summary

Adding multiple security annotations to a method like this:

@RolesAllowed("ROLE_ADMIN")
@PostAuthorize("hasPermission(...)")
public SomeObject doSomething() {
}

leads to the effect, that @RolesAllowed doesn't seem to be checked anymore if @PostAuthorize returned true.

Actual Behavior

Since @PostAuthorize returns true, @RolesAllowed seems not evaluated anymore.
If I remove the @PostAuthorize access is denied as expected.

Is there something to change the actual behavior?

Expected Behavior

All annotations are processed and if at least one denies access, the complete access should be denied.

Configuration

See code snippet above.

Version

3.2.5-RELEASE
@KyleMoser
Copy link

KyleMoser commented Dec 26, 2016
edited
Loading

Just a suggestions: you may be able to accomplish this by implementing your own AccessDecisionManager and/or AccessDecisionVoter(s). The AccessDecisionManager passes GrantedAuthority information to the Voter(s). It would be pretty simple to change the logic from the default "or" to "and" to make authorization decisions.

@vguna
Copy link
Author

vguna commented Dec 28, 2016

Yeah probably :). Just wanted to check, if this is the expected behavior and if so, if there's a builtin option to change that behavior.

@KyleMoser
Copy link

I am not a spring security developer but I have used this part of the framework extensively. I can tell you that yes, that is definitely the expected behavior. Also, implementing your own AccessDecisionManager and/or AccessDecisionVoter (whichever is easier) is the supported (builtin) way to modify the framework's behavior. If you look through the source code for the AccessDecisionManager class, in the decide method, the behavior is pretty easy to understand. Also, typically the chat at https://gitter.im/spring-projects/spring-security would be a much better place for the discussion (hope that doesn't come off as rude, just trying to help). See the sections on customizing the accessdecisionmanager at e.g. https://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@jzheaux
Copy link
Contributor

jzheaux commented May 18, 2021

Closing in favor of #9630

@jzheaux jzheaux closed this as completed May 18, 2021
@jzheaux jzheaux self-assigned this May 18, 2021
@jzheaux jzheaux added in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 18, 2021
@jzheaux jzheaux added this to the 5.6.0-M1 milestone May 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
5.6.0-M1
Development

No branches or pull requests
4 participants
@vguna @jzheaux @KyleMoser @spring-projects-issues