Add AuthorizationManager #8996
Add AuthorizationManager #8996
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
evgeniycheban
force-pushed
the
gh-8900
branch
3 times, most recently
from
0030029 to
3011ece
Compare
There was a problem hiding this comment.
Thanks, @evgeniycheban, this is going in the right direction. I've left a couple of comments inline.
...va/org/springframework/security/web/access/RequestMatcherDelegatingAuthorizationManager.java
Outdated
Show resolved
Hide resolved
web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java
Outdated
Show resolved
Hide resolved
evgeniycheban
force-pushed
the
gh-8900
branch
4 times, most recently
from
2275b04 to
c006f21
Compare
evgeniycheban
force-pushed
the
gh-8900
branch
11 times, most recently
from
036bff5 to
5ae5b68
Compare
evgeniycheban
force-pushed
the
gh-8900
branch
5 times, most recently
from
3528c21 to
b4ad09b
Compare
There was a problem hiding this comment.
Great progress, @evgeniycheban, it's nice to see this starting to take shape. I've left some additional feedback inline.
...ringframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
Outdated
Show resolved
Hide resolved
| @@ -115,6 +118,8 @@ | |||
|
|
|||
| private AccessDecisionManager accessDecisionManager; | |||
There was a problem hiding this comment.
Let's remove this reference once it's not used anymore.
There was a problem hiding this comment.
It might make sense to consider introducing a new filter that will use an AuthorizationManager similar to AuthorizationWebFilter.
There was a problem hiding this comment.
Agreed that it's worth considering. It doesn't change the fact that AbstractSecurityInterceptor needs to stop using AccessDecisionManager, but it would probably be worth it to file a ticket and start that conversation.
...src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
Outdated
Show resolved
Hide resolved
| */ | ||
| public final class AffirmativeBasedAuthorizationManager<T> implements AuthorizationManager<T> { | ||
|
|
||
| private final List<AccessDecisionVoter<?>> decisionVoters; |
There was a problem hiding this comment.
I think the ideal would be to initialize instances of AuthorizationManager with the correct security metadata instead of retrieving the security metadata each time an authentication is being checked.
Instead of routing the rules configured in the DSL through the ConfigAttribute API, have you already considered having the DSL construct a delegating AuthorizationManager that is composed of delegates that already have the security metadata?
There was a problem hiding this comment.
I think this implementation requires less changes and we can reuse voters.
I'm not sure how this can be implemented for Method Security, the AffirmativeBasedAuthorizationManager is also used in GlobalMethodSecurityConfiguration.
There was a problem hiding this comment.
While I agree that this might be less change, we don't want to introduce a public API that continues to have the same level of complexity as the existing API. The primary goal of this PR is to simplify the authorization API. Generally speaking, we ought to, going forward, avoid using the ConfigAttribute approach.
As you mentioned, this is more deeply embedded in method security. I wonder if this class could be package-private to method security configuration, and we can introduce another ticket to continue to rework method security.
There was a problem hiding this comment.
I forget that AffirmativeBasedAuthorizationManager is also used for Web Socket configuration in AbstractSecurityWebSocketMessageBrokerConfigurer, maybe for now we can use an adapter for AccessDecisionManager and rework Method Security and Web Socket configurations in another ticket?
core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
Outdated
Show resolved
Hide resolved
...ringframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
Outdated
Show resolved
Hide resolved
evgeniycheban
force-pushed
the
gh-8900
branch
4 times, most recently
from
04925c1 to
8b929ee
Compare
evgeniycheban
force-pushed
the
gh-8900
branch
from
8b929ee to
5e6d080
Compare
|
Thanks, @evgeniycheban! Let's now have @rwinch take a look as I anticipate that he will also have some feedback. |
evgeniycheban
force-pushed
the
gh-8900
branch
from
5e6d080 to
62283fa
Compare
There was a problem hiding this comment.
Thanks for the PR @evgeniycheban! I'm really happy how this turned out.
I think we should revisit #8996 (comment)
If it is a bug, then I think we should create a separate ticket and commit with tests for it. This makes it easier for users to track changes (that it changed and why it changed). It also makes it easier for us to backport bug fixes.
| /** | ||
| * Determines if access should be granted for a specific authentication and object. | ||
| * @param authentication the {@link Supplier} of the {@link Authentication} to check | ||
| * @param object the {@link T} object to check | ||
| * @return true if access is granted, false if denied | ||
| */ | ||
| default boolean isGranted(Supplier<Authentication> authentication, T object) { | ||
| AuthorizationDecision decision = check(authentication, object); | ||
| return decision == null || decision.isGranted(); | ||
| } | ||
|
|
There was a problem hiding this comment.
| /** | |
| * Determines if access should be granted for a specific authentication and object. | |
| * @param authentication the {@link Supplier} of the {@link Authentication} to check | |
| * @param object the {@link T} object to check | |
| * @return true if access is granted, false if denied | |
| */ | |
| default boolean isGranted(Supplier<Authentication> authentication, T object) { | |
| AuthorizationDecision decision = check(authentication, object); | |
| return decision == null || decision.isGranted(); | |
| } |
I'd prefer to leave this out to keep the interface as simple as possible and provide better symmetry to ReactiveAuthorizationManager. We can always add it later if necessary since it would be passive.
There was a problem hiding this comment.
This is an old diff, please see the last (62283faa) commit.
core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java
Outdated
Show resolved
Hide resolved
|
|
||
| private final Collection<String> authorities; | ||
|
|
||
| public AuthorityAuthorizationManager(Collection<String> authorities) { |
There was a problem hiding this comment.
I think it might be better to make the constructor package scope and add some static factory methods like AuthorityReactiveAuthorizationManager does.
There was a problem hiding this comment.
This is an old diff, please see the last (62283fa) commit.
evgeniycheban
force-pushed
the
gh-8900
branch
from
62283fa to
14c01a4
Compare
|
@rwinch I reverted changes for |
evgeniycheban
force-pushed
the
gh-8900
branch
from
14c01a4 to
5a6f74f
Compare
|
@rwinch Currently, |
|
@evgeniycheban If the changes aren't required for this PR, then it's best to file a separate ticket, especially since the changes aren't related to the ticket that this PR is resolving. The reason for that is it simplifies backporting bug fixes to other branches. Also, it makes release notes clearer for users that are affected by the bugs as they'll see a separate line item in the notes. |
|
@evgeniycheban, I added #9284 and #9285 to address |
|
Thanks for all your work on this PR, @evgeniycheban! It's very exciting. In addition to the above two tasks, I've created #9286, #9287, and #9288 for other improvements that we identified during the PR. |
jzheaux
added
in: core
Closes gh-8900