
AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307

Closed
adamu opened this issue Apr 2, 2020 · 3 comments

@adamu
Contributor

adamu commented Apr 2, 2020

Summary

AbstractRequestMatcherRegistry provides the mvcMatchers(HttpMethod method, String... mvcPatterns) function to allow creation of an MvcMatcher for a specific HTTP verb, but there is no corresponding authorize() function in AuthorizeRequestsDsl.

Actual Behavior

If we want to create an MvcMatcher that matches an HTTP Verb for use with the DSL, we have to construct the matcher manually using a similar method to AbstractRequestMatcherRegistry's protected createMvcMatchers() method, or otherwise use the non-DSL authorizeRequests().

Expected Behavior

Should be able to specify the HTTP method using the authorize() function:

authorizeRequests {
    authorize(POST, "/admin/**", hasRole("ADMIN"))
}

Version

5.3.0.RELEASE
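
The manual workaround described under "Actual Behavior" above, as an added example that is not part of the original issue or the project's own code. It assumes Spring Security 5.3 with Spring MVC on the classpath exposing a HandlerMappingIntrospector bean; the class name and the `mvc` helper are hypothetical.

```kotlin
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
import org.springframework.web.servlet.handler.HandlerMappingIntrospector

// Hypothetical configuration class; the introspector bean is assumed to be
// provided by Spring MVC.
@EnableWebSecurity
class AdminSecurityConfig(
    private val introspector: HandlerMappingIntrospector
) : WebSecurityConfigurerAdapter() {

    // Hypothetical helper: an MVC matcher that only matches one HTTP method.
    // Requests using any other method do not match and fall through to the
    // next rule.
    private fun mvc(method: HttpMethod, pattern: String) =
        MvcRequestMatcher(introspector, pattern).apply { setMethod(method) }

    override fun configure(http: HttpSecurity) {
        http {
            authorizeRequests {
                // Rules are evaluated in order; the first matching rule wins.
                // POST /admin/** requires ROLE_ADMIN.
                authorize(mvc(HttpMethod.POST, "/admin/**"), hasRole("ADMIN"))
                // GET, PUT, DELETE, ... on /admin/** are NOT covered by the
                // rule above, so a catch-all rule must decide them explicitly.
                authorize(anyRequest, authenticated)
            }
        }
    }
}
```

Because a method-restricted matcher leaves every other verb on the same path to later rules, end the rule list with an explicit catch-all so that no request reaches the application without an authorization decision.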

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 2, 2020
@eleftherias eleftherias self-assigned this Apr 2, 2020
@eleftherias eleftherias added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 2, 2020
@eleftherias
Contributor

Thanks for the report @adamu.
I agree with your suggestion of being able to specify the HTTP method in authorize.
We would need to add 2 additional functions authorize(method: HttpMethod, pattern: String, access: String) and authorize(method: HttpMethod, pattern: String, servletPath: String, access: String).
Would you be interested in submitting a PR?

@adamu
Contributor Author

adamu commented Apr 3, 2020

Hi @eleftherias. To be honest I'm not sure how a good implementation would look. It looks like re-using createMvcMatchers() would be a good idea, but that method is protected, so it may be necessary to duplicate it?

@eleftherias
Contributor

@adamu I can see us reusing ExpressionUrlAuthorizationConfigurer.mvcMatchers.

With the current setup we have

val mvcMatchersAuthorizeUrl = requests.mvcMatchers(rule.pattern)

We could update this so that if a user has specified the HTTP method, then we include it in the MVC matcher

requests.mvcMatchers(rule.httpMethod, rule.pattern)

This would also involve updating PatternAuthorizationRule to include an HttpMethod field.
