Skip to content

Make @PreFilter & @PostFilter suitable for reactive methods #5249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MarvGilb opened this issue Apr 20, 2018 · 4 comments
Closed

Make @PreFilter & @PostFilter suitable for reactive methods #5249

MarvGilb opened this issue Apr 20, 2018 · 4 comments
Assignees
@rwinch
Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@MarvGilb
Copy link

Summary

Hey,
The current implementation of the Pre- & PostFilter can not be used for the return type of Flux.
By trying to Filter the objects of X, the DefaultMethodSecurityExpressionHandler.class only checks, if the returned object X is an instance of Collection or an Array. But since the PrePostAdviceReactiveMethodInterceptor.class (line 103) already maps the single entries of the Flux to the postAdvice filter, this check fails if not something like Flux<List> is returned from the Controller.

Actual Behavior

java.lang.IllegalArgumentException: Filter target must be a collection or array type, but was a.b.c.X
	at org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler.filter(DefaultMethodSecurityExpressionHandler.java:175) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
	at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:61) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
	at org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor.lambda$null$4(PrePostAdviceReactiveMethodInterceptor.java:103) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]

Expected Behavior

A filtered Flux, that removed the objects that do not match the filter.

Example

public class XController {

    @GetMapping()
    @PostFilter("@someCustomFilter.method(returnObject)")
    public <Flux<X> findAll() {
        Flux<X> result = someService.findAllX()
        return result;
    }
}

Version

spring-boot-starter-parent: 2.0.1.RELEASE
spring-boot-starter-webflux: 2.0.1.RELEASE
spring-security-config: 5.0.4.RELEASE
spring-security-core: 5.0.4.RELEASE
@rwinch rwinch added this to the 5.1.0.M2 milestone Apr 22, 2018
@MarvGilb
Copy link
Author

Please also consider, that return values as such as:

public Mono<ResponseEntity<Flux<X>>> findAll() {
  Flux<X> result = someService.findAllX()
  return Mono.just(ResponseEntity.ok(result));
}

should be supported as well, where the inner class is taken.

regards
Marvin

@rwinch rwinch modified the milestones: 5.1.0.M2, 5.1.0.RC1 Jul 26, 2018
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@frankruegamer
Copy link

Is there any update on this?

@jzheaux jzheaux mentioned this issue Feb 2, 2021
Closed
1 task
@barrida
Copy link

barrida commented Apr 14, 2022

How can we contribute for the solution of this feature?

@rwinch
Copy link
Member

rwinch commented Jun 7, 2022

Closing this in favor of gh-9401

@rwinch rwinch closed this as completed Jun 7, 2022
@rwinch rwinch added status: duplicate A duplicate of another issue in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 7, 2022
@rwinch rwinch self-assigned this Jun 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rwinch @barrida @frankruegamer @MarvGilb @spring-projects-issues