Skip to content

Configure WebInvocationPrivilegeEvaluator for multiple SecurityFilterChains #10575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 13, 2021
Merged

Configure WebInvocationPrivilegeEvaluator for multiple SecurityFilterChains #10575

merged 3 commits into from
Dec 13, 2021

Conversation

marcusdacoregio
Copy link
Contributor

@marcusdacoregio marcusdacoregio commented Dec 1, 2021
edited
Loading

Closes gh-10554, gh-10590

@marcusdacoregio marcusdacoregio added status: duplicate A duplicate of another issue in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 1, 2021
@marcusdacoregio marcusdacoregio added this to the 6.0.0-M1 milestone Dec 1, 2021
@marcusdacoregio marcusdacoregio self-assigned this Dec 1, 2021
@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch from c5a9ba8 to 4e80f70 Compare December 1, 2021 17:23
@marcusdacoregio marcusdacoregio modified the milestones: 6.0.0-M1, 5.7.0-M1 Dec 1, 2021
@marcusdacoregio marcusdacoregio marked this pull request as draft December 1, 2021 19:58
@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch from 4e80f70 to a9d98e0 Compare December 2, 2021 15:26
rwinch
rwinch requested changes Dec 2, 2021
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR. I've provided feedback.

...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated

public RequestMatcherPrivilegeEvaluator(Function<HttpServletRequest, Boolean> requestMatcher,
WebInvocationPrivilegeEvaluator privilegeEvaluator) {
Assert.notNull(requestMatcher, "requestMatcher cannot be null");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check if privilegeEvaluators is null/empty?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like there is still the need for an empty check on privilegeEvalutators

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There will be some scenarios where it makes sense to have an empty list. When using web.ignoring(...) we have a SecurityFilterChain with no filters, therefore no WebInvocationPrivilegeEvaluators. So, in this scenario we can accept an empty list

...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated
return null;
}

public static class DelegatePrivilegeEvaluator {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The class name does not make it clear that this is a mapping of the RequestMatcher to WebInvocationPrivilegeEvaluators. Perhaps something like, RequestMatcherPrivilegeEvaluatorsEntry would work better?

...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated
*/
@Override
public boolean isAllowed(String uri, Authentication authentication) {
return isAllowed(null, uri, null, authentication);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not presume that calling isAllowed(null, uri, null, authentication) is the same as calling this method. Instead, the code should invoke delegate.isAllowed(uri, authentication).

...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated

}

public static final class Builder {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps remove this Builder for now since all of the operations are happening on the DelegatePrivilegeEvaluator anyway (i.e. an invalid DelegatePrivilegeEvaluator can be created).

...g/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java Outdated
}
delegates.add(builder.build());
}
this.privilegeEvaluator = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(delegates);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of initializing privilegeEvaluator it should create an instance and be assigned in getPrivilegeEvaluator. See https://github.com/spring-projects/spring-security/pull/10575/files#diff-2a3768a3ea186b6702859073cc35bc02aa6c8ebf6b20f19a67323f7c20d3bd38R295

...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated
return delegate;
}
}
return null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of null, change the return type to List<WebInvocationPrivilegeEvaluator>. If nothing is found return an empty List.

@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch 2 times, most recently from 8ed0f42 to d8c2076 Compare December 6, 2021 18:13
@marcusdacoregio marcusdacoregio marked this pull request as ready for review December 6, 2021 18:14
@marcusdacoregio
Copy link
Contributor Author

Thanks for the review @rwinch. I've updated the PR based on your suggestions.

rwinch
rwinch requested changes Dec 7, 2021
View reviewed changes
...ngframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java Outdated

public RequestMatcherPrivilegeEvaluator(Function<HttpServletRequest, Boolean> requestMatcher,
WebInvocationPrivilegeEvaluator privilegeEvaluator) {
Assert.notNull(requestMatcher, "requestMatcher cannot be null");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like there is still the need for an empty check on privilegeEvalutators

@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch from d8c2076 to a61811b Compare December 7, 2021 17:33
@marcusdacoregio marcusdacoregio changed the base branch from main to 5.7.x December 7, 2021 17:33
@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch from a61811b to fd7b58c Compare December 8, 2021 11:51
@marcusdacoregio marcusdacoregio force-pushed the privilege-evaluator-multi-chain branch from fd7b58c to 0c167a1 Compare December 10, 2021 11:34
rwinch
rwinch approved these changes Dec 10, 2021
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! LGTM

@marcusdacoregio marcusdacoregio merged commit 18427b6 into spring-projects:5.7.x Dec 13, 2021
@marcusdacoregio marcusdacoregio deleted the privilege-evaluator-multi-chain branch December 13, 2021 11:57
@marcusdacoregio marcusdacoregio mentioned this pull request Dec 13, 2021
Closed
This was referenced Dec 13, 2021
Closed
Closed
@marcusdacoregio marcusdacoregio added for: backport-to-5.6.x status: backported An issue that has been backported to maintenance branches type: bug A general bug and removed status: backported An issue that has been backported to maintenance branches for: backport-to-5.6.x type: enhancement A general enhancement labels Jan 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch approved these changes

Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
5.7.0-M1
Development

Successfully merging this pull request may close these issues.

WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains
2 participants
@marcusdacoregio @rwinch