Use RoleHierarchy bean in Method Security Configuration #12783

Closed
jzheaux opened this issue Feb 24, 2023 · 3 comments · Fixed by #14260
Labels
in: config An issue in spring-security-config type: enhancement A general enhancement
Comments

@jzheaux
Contributor

jzheaux commented Feb 24, 2023

authorityHttpRequests picks up a RoleHierarchy bean. If method security does the same thing, then it will simplify security configuration overall.

Currently, method security role hierarchy must be configured for each authorization manager individually via DefaultMethodSecurityExpressionHandler for pre-post annotations, AuthoritiesAuthorizationManager for secured annotations, and via a custom authorization manager for JSR-250 annotations.

@jzheaux jzheaux added in: config An issue in spring-security-config type: enhancement A general enhancement status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Feb 24, 2023
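The per-manager wiring the issue describes, as an added Java example (not code from the issue or from the Spring Security project): one RoleHierarchy bean is declared, then pushed by hand into DefaultMethodSecurityExpressionHandler for pre-post annotations and into an AuthoritiesAuthorizationManager behind a replacement @Secured advisor. It assumes the Spring Security 6.0 method-security API and a sample "ROLE_ADMIN > ROLE_USER" hierarchy; the JSR-250 case, which the issue says needs a custom authorization manager, is left out.

```java
import org.springframework.aop.Advisor;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
import org.springframework.security.authorization.method.SecuredAuthorizationManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// securedEnabled is left at its default (false) on purpose: the default @Secured advisor
// knows nothing about the hierarchy, so a replacement advisor is registered below instead.
@Configuration
@EnableMethodSecurity
public class MethodSecurityRoleHierarchyConfig {

    // The hierarchy is declared once; the sample mapping (ADMIN implies USER) is constructed for this example.
    @Bean
    static RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
        return hierarchy;
    }

    // @PreAuthorize / @PostAuthorize: without this, hasRole('USER') evaluates to false
    // for a principal that only carries ROLE_ADMIN, because the SpEL handler ignores the bean.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }

    // @Secured: SecuredAuthorizationManager delegates authority checks to an
    // AuthoritiesAuthorizationManager, which is the component that has to be told about the hierarchy.
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    static Advisor securedAuthorizationManager(RoleHierarchy roleHierarchy) {
        AuthoritiesAuthorizationManager authorities = new AuthoritiesAuthorizationManager();
        authorities.setRoleHierarchy(roleHierarchy);
        SecuredAuthorizationManager secured = new SecuredAuthorizationManager();
        secured.setAuthoritiesAuthorizationManager(authorities);
        return AuthorizationManagerBeforeMethodInterceptor.secured(secured);
    }
}
```

Each annotation style needs its own plumbing for the same bean, which is the duplication the issue asks the configuration classes to remove.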
@kandaguru17
Contributor

kandaguru17 commented May 31, 2023

Happy to work on this :) @jzheaux

Have Some Queries here :

  1. In the issue description, "authorityHttpRequests picks up a RoleHierarchy bean", does this mean AuthorizeHttpRequestsConfigurer uses the injected ApplicationContext to retrieve the RoleHierarchy bean?
  2. Enabling a similar behavior in DefaultMethodSecurityExpressionHandler and AuthoritiesAuthorizationManager would need us to inject the ApplicationContext in the constructor of both the classes, and is there any suggestion you have to handle the side effects of this as the default constructor is used in some places?
  3. Would it make sense to create an inner static class that implements ApplicationContextAware to get a handle on ApplicationContext and retrieve the RoleHierarchy bean to tackle 2?

Please correct me if my understanding is not correct.

@marcusdacoregio
Contributor

Hi, @kandaguru17.

  1. Yes, at the time of configuration, AuthorizeHttpRequestsConfigurer retrieves the bean available in the ApplicationContext and sets it into the classes that use it.
  2. Take a look at @EnableMethodSecurity: the annotation imports MethodSecuritySelector, which in turn applies some configuration classes, like PrePostMethodSecurityConfiguration, in order to configure the required beans for method security.
  3. I don't think so. Your changes will probably need to go into the configuration classes (PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, Jsr250MethodSecurityConfiguration), using method injection to get the available RoleHierarchy.

@wilx

wilx commented Jan 12, 2024

This issue is linked from the docs at https://docs.spring.io/spring-security/reference/servlet/authorization/architecture.html#authz-hierarchical-roles with a note:

RoleHierarchy bean configuration is not yet ported over to @EnableMethodSecurity. As such this example is using AccessDecisionVoter. If you need RoleHierarchy support for method security, please continue using @EnableGlobalMethodSecurity until github.com/spring-projects/spring-security/issues/12783 is complete.

Is the note still valid?
