Support the usage of bean references in Java Configuration reactive web expressions #7464

Open
codependent opened this issue Sep 20, 2019 · 3 comments
Labels: in: web; status: blocked; type: enhancement

codependent commented Sep 20, 2019

Summary

The usual Spring MVC Security allows us to reference beans in the web security expressions:

```java
http
        .authorizeRequests()
                .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
                ...
```

Currently the reactive version doesn't offer an access method with a String for web expressions, only with a ReactiveAuthorizationManager.

Actual Behavior

This is the API offered by pathMatchers:

```java
.authorizeExchange()
                    .pathMatchers("").access( ReactiveAuthorizationManager ... )
```

Expected Behavior

Possibility of configuring a security web expression:

```java
http
        .authorizeExchange()
                .antMatchers("/user/**").access("@webSecurity.check(authentication,request)")
                ...
```

Configuration

...

Version

5.2.0.RC1

spring-projects-issues added the status: waiting-for-triage label Sep 20, 2019
codependent changed the title from "Support the usage of bean references in reactive web expressions in Java Configuration" to "Support the usage of bean references in Java Configuration reactive web expressions" Sep 20, 2019

jzheaux commented Mar 31, 2022

Thanks for the suggestion, @codependent. How is the webSecurity bean in your sample materially different from publishing a ReactiveAuthorizationManager implementation and using that? It seems like the logic in webSecurity#check would be nearly identical to a concrete ReactiveAuthorizationManager implementation.

Generally speaking, I don't see the appeal to using SpEL when it's simple to provide a concrete, unit-testable authorization implementation instead. Additionally, applications have tended over the years to embed an unhealthy amount of logic in their security SpEL expressions, so I'm hesitant to add a feature that encourages that practice.

jzheaux self-assigned this Mar 31, 2022
jzheaux added the status: waiting-for-feedback, in: web and type: enhancement labels and removed the status: waiting-for-triage label Mar 31, 2022
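
The alternative raised in the comment above, a concrete ReactiveAuthorizationManager passed to access(...), shown as an added example that is not code from this thread or from Spring Security. The class name OwnUserPathManager, the {name} path variable and the ownership rule are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Hypothetical rule: a caller may only reach /user/{name}/** under their own name.
    static class OwnUserPathManager implements ReactiveAuthorizationManager<AuthorizationContext> {
        @Override
        public Mono<AuthorizationDecision> check(Mono<Authentication> authentication,
                                                 AuthorizationContext context) {
            // URI variables captured by the path pattern that matched this exchange.
            Object owner = context.getVariables().get("name");
            return authentication
                    .filter(Authentication::isAuthenticated)
                    .map(auth -> new AuthorizationDecision(auth.getName().equals(owner)))
                    // Empty Mono means no authentication was established: deny explicitly.
                    .defaultIfEmpty(new AuthorizationDecision(false));
        }
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                    // Same slot where the MVC DSL would take the SpEL string.
                    .pathMatchers("/user/{name}/**").access(new OwnUserPathManager())
                    .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .build();
    }
}
```

Because the rule is an ordinary class, it can be unit-tested by calling check(...) with a Mono of a test Authentication and an AuthorizationContext built from a mock exchange, without evaluating any expression string.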
codependent commented

@jzheaux as you say, implementing ReactiveAuthorizationManager is nearly equivalent to what the SpEL expression would do. I was used to the Spring MVC approach and thought it would be nice to have in WebFlux as well. In any case, I see your point regarding the risk of arbitrary SpEL, so feel free to discard the issue if you think it's better not to have this.

Thanks for considering it anyway.

spring-projects-issues added the status: feedback-provided label and removed the status: waiting-for-feedback label Mar 31, 2022

jzheaux commented May 6, 2022

Let's see where #11105 goes -- it may be valuable to add the same to the reactive side.

jzheaux added the status: blocked label and removed the status: feedback-provided label May 6, 2022