When using @EnableReactiveMethodSecurity there doesn't seem to be a mechanism to override or replace the PermissionEvaluator #15715

Closed
grantlittle opened this issue Aug 31, 2024 · 2 comments · Fixed by #15719
Labels: in: config (An issue in spring-security-config); status: duplicate (A duplicate of another issue); type: enhancement (A general enhancement)


grantlittle commented Aug 31, 2024

Description

When using @EnableReactiveMethodSecurity the "ReactiveAuthorizationManagerMethodSecurityConfiguration" is loaded. This contains a @Bean which defines a DefaultMethodSecurityExpressionHandler. This class defines a default DenyAllPermissionEvaluator.

This appears to result in all methods which use the permission evaluator being denied.

To Reproduce

```kotlin
@EnableReactiveMethodSecurity
@Configuration
class WebFluxAclConfiguration {

    @Bean
    fun aclPermissionEvaluator(aclService: AclService): AclPermissionEvaluator {
        return AclPermissionEvaluator(aclService)
    }
}

@Service
class TestService {

    @PostAuthorize("hasPermission(returnObject, 'read')")
    fun getDocument(id: Int): Mono<Document> {
        return Mono.just(Document(id))
    }
}
```

Expected behavior

The DefaultMethodSecurityExpressionHandler should find the AclPermissionEvaluator as an available bean and use it.

Sample

https://github.com/grantlittle/security-demo

@grantlittle grantlittle added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Aug 31, 2024

grantlittle commented Aug 31, 2024

As a workaround, I've had to add the following configuration:

```kotlin
@Configuration
class WebFluxPermissionEvaluatorConfiguration(
    @Autowired(required = false)
    private val methodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler?, // Injecting existing handler
    private val aclService: MutableAclService
) {
    @PostConstruct
    fun configureExistingMethodSecurityExpressionHandler() {
        if (methodSecurityExpressionHandler != null) {
            val permissionEvaluator = AclPermissionEvaluator(aclService)
            methodSecurityExpressionHandler.setPermissionEvaluator(permissionEvaluator)
            methodSecurityExpressionHandler.setPermissionCacheOptimizer(AclPermissionCacheOptimizer(aclService))
        }
    }
}
```
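
The fail-closed default described in this issue can be reproduced without a Spring context. The following is an added example, not code from the issue or from Spring Security: it evaluates a `hasPermission(...)` expression against a fresh `DefaultMethodSecurityExpressionHandler` before and after `setPermissionEvaluator` is called. It assumes Spring Security 6.x on the classpath; `OwnerReadEvaluator`, `DocumentService` and the user names are hypothetical stand-ins for `AclPermissionEvaluator` and real application types.

```kotlin
import org.springframework.security.access.PermissionEvaluator
import org.springframework.security.access.expression.ExpressionUtils
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
import org.springframework.security.authentication.TestingAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.util.SimpleMethodInvocation
import java.io.Serializable

// Hypothetical evaluator (assumption, stands in for AclPermissionEvaluator):
// grants 'read' on Document objects to the user "alice" only.
class OwnerReadEvaluator : PermissionEvaluator {
    override fun hasPermission(auth: Authentication, target: Any?, permission: Any): Boolean =
        auth.name == "alice" && permission == "read"

    override fun hasPermission(auth: Authentication, id: Serializable?, type: String, permission: Any): Boolean =
        type == "Document" && hasPermission(auth, id, permission)
}

// Constructed target type, needed only so the handler has a MethodInvocation to bind to.
class DocumentService {
    fun getDocument(): String = "doc"
}

// Evaluates the same kind of expression a @PostAuthorize annotation would carry,
// using whichever PermissionEvaluator the handler currently holds.
fun evaluate(handler: DefaultMethodSecurityExpressionHandler, user: String): Boolean {
    val auth = TestingAuthenticationToken(user, "n/a", "ROLE_USER")
    val method = DocumentService::class.java.getMethod("getDocument")
    val ctx = handler.createEvaluationContext(auth, SimpleMethodInvocation(DocumentService(), method))
    val expr = handler.expressionParser.parseExpression("hasPermission(1, 'Document', 'read')")
    return ExpressionUtils.evaluateAsBoolean(expr, ctx)
}

fun main() {
    val handler = DefaultMethodSecurityExpressionHandler()

    // No evaluator set: the handler falls back to DenyAllPermissionEvaluator.
    check(!evaluate(handler, "alice")) { "default handler should deny every hasPermission call" }

    // The same call the workaround makes in its @PostConstruct method.
    handler.setPermissionEvaluator(OwnerReadEvaluator())
    check(evaluate(handler, "alice")) { "custom evaluator should grant alice read access" }
    check(!evaluate(handler, "bob")) { "custom evaluator should still deny other users" }
    println("all checks passed")
}
```

A check of this shape in an integration test catches the wiring gap early: an application whose evaluator bean is never attached to the handler denies every `hasPermission` expression rather than failing at startup.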

kse-music added a commit to kse-music/spring-security that referenced this issue Sep 1, 2024
kse-music added a commit to kse-music/spring-security that referenced this issue Sep 1, 2024

jzheaux commented Sep 3, 2024

This is similar enough to #11598 that I'll close this and let's continue the conversation over there.

@jzheaux jzheaux closed this as completed Sep 3, 2024
@jzheaux jzheaux self-assigned this Sep 3, 2024
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 3, 2024
kse-music added a commit to kse-music/spring-security that referenced this issue Sep 4, 2024
kse-music added a commit to kse-music/spring-security that referenced this issue Sep 5, 2024
jzheaux pushed a commit to kse-music/spring-security that referenced this issue Sep 10, 2024
jzheaux pushed a commit that referenced this issue Sep 10, 2024
jzheaux added a commit that referenced this issue Sep 10, 2024
- Rename to follow convention
- Use a mock object to verify usage

Issue gh-15715
3 participants
@grantlittle @jzheaux and others