Add AuthorizationManagerFactory #17673
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sjohnr
force-pushed
the
gh-17585-authorization-manager-factory
branch
3 times, most recently
from
5f55ad2 to
4ef91a4
Compare
Signed-off-by: Steve Riesenberg <[email protected]>
sjohnr
force-pushed
the
gh-17585-authorization-manager-factory
branch
from
4ef91a4 to
1de115e
Compare
rwinch
requested changes
Aug 14, 2025
| @@ -47,7 +49,9 @@ public abstract class AbstractSecurityExpressionHandler<T> | |||
|
|
|||
| private @Nullable BeanResolver beanResolver; | |||
|
|
|||
| private @Nullable RoleHierarchy roleHierarchy; | |||
| private final DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory = new DefaultAuthorizationManagerFactory<>(); | |||
There was a problem hiding this comment.
remove the defaultAuthorizationManagerFactory in favor of a method named getDefaultAuthorizationManagerFactory() that:
- is deprecated for removal in 8.0 in favor of
getAuthorizationManagerFactory(). Any methods that need to access it to perform setters should be deprecated in favor of setting an already initialized (properties already set)AuthorizationManagerFactorydirectly vs accessing the properties on the current member. - Throws an
IllegalStateExceptionifauthorizationManagerFactoryis not an instance ofDefaultAuthorizationManagerFactory, but otherwise performs a cast. This ensures that theAuthorizationManagerFactorybeing used aligns with what is being configured or gotten.
|
|
||
| private @Nullable Set<String> roles; | ||
| private @Nullable DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory; |
There was a problem hiding this comment.
Same feedback as the comment on AbstractSecurityExpressionHandler.defaultAuthorizationManagerFactory.
|
|
||
| private final Supplier<Authentication> authentication; | ||
| private static final AuthorizationManagerFactory<?> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>(); |
There was a problem hiding this comment.
DEFAULT_AUTHORIZATION_MANAGER_FACTORY should also be removed in favor of just using authorizationManagerFactory. as described below.
| * @since 3.0 | ||
| */ | ||
| public abstract class SecurityExpressionRoot implements SecurityExpressionOperations { | ||
| public abstract class SecurityExpressionRoot<T> implements SecurityExpressionOperations { |
There was a problem hiding this comment.
Suggested change
| public abstract class SecurityExpressionRoot<T> implements SecurityExpressionOperations { | |
| public abstract class SecurityExpressionRoot<T extends @Nullable Object> implements SecurityExpressionOperations { |
I think this is necessary for the generic to allow for a Nullable generic (e.g. MyExpressionRoot <@Nullable SomeType>)
| * @author Steve Riesenberg | ||
| * @since 7.0 | ||
| */ | ||
| public final class DefaultAuthorizationManagerFactory<T> implements AuthorizationManagerFactory<T> { |
There was a problem hiding this comment.
Suggested change
| public final class DefaultAuthorizationManagerFactory<T> implements AuthorizationManagerFactory<T> { | |
| public final class DefaultAuthorizationManagerFactory<T extends @Nullable Object> implements AuthorizationManagerFactory<T> { |
| @@ -45,7 +45,7 @@ public MessageSecurityExpressionRoot(Authentication authentication, Message<?> m | |||
| * @since 5.8 | |||
| */ | |||
| public MessageSecurityExpressionRoot(Supplier<Authentication> authentication, Message<?> message) { | |||
There was a problem hiding this comment.
Suggested change
| public MessageSecurityExpressionRoot(Supplier<Authentication> authentication, Message<?> message) { | |
| public MessageSecurityExpressionRoot(Supplier<Authentication> authentication, Message<T> message) { |
| @@ -29,7 +29,7 @@ | |||
| * @author Evgeniy Cheban | |||
| * @since 4.0 | |||
| */ | |||
| public class MessageSecurityExpressionRoot extends SecurityExpressionRoot { | |||
| public class MessageSecurityExpressionRoot extends SecurityExpressionRoot<Message<?>> { | |||
|
|
|||
| public final Message<?> message; | |||
There was a problem hiding this comment.
Suggested change
| public final Message<?> message; | |
| public final Message<T> message; |
Comment on lines
+59
to
+62
| // Since MessageSecurityExpressionRoot is of a different type, use the default | ||
| // factory instead of the one configured with this class. | ||
| root.setTrustResolver(getDefaultAuthorizationManagerFactory().getTrustResolver()); | ||
| root.setRoleHierarchy(getDefaultAuthorizationManagerFactory().getRoleHierarchy()); |
There was a problem hiding this comment.
Suggested change
| // Since MessageSecurityExpressionRoot is of a different type, use the default | |
| // factory instead of the one configured with this class. | |
| root.setTrustResolver(getDefaultAuthorizationManagerFactory().getTrustResolver()); | |
| root.setRoleHierarchy(getDefaultAuthorizationManagerFactory().getRoleHierarchy()); | |
| root.setAuthorizationManagerFactory(getAuthorizationManagerFactory()); |
If a custom authorizationManagerFactory is used, this does not use it. I've fixed the generic types so that they align
Comment on lines
+40
to
47
| // Since WebSecurityExpressionRoot is of a different type, use the default factory | ||
| // instead of the one configured with this class. | ||
| root.setTrustResolver(getDefaultAuthorizationManagerFactory().getTrustResolver()); | ||
| root.setRoleHierarchy(getDefaultAuthorizationManagerFactory().getRoleHierarchy()); | ||
| root.setDefaultRolePrefix(getDefaultAuthorizationManagerFactory().getRolePrefix()); | ||
| return root; | ||
| } | ||
|
|
There was a problem hiding this comment.
Suggested change
| // Since WebSecurityExpressionRoot is of a different type, use the default factory | |
| // instead of the one configured with this class. | |
| root.setTrustResolver(getDefaultAuthorizationManagerFactory().getTrustResolver()); | |
| root.setRoleHierarchy(getDefaultAuthorizationManagerFactory().getRoleHierarchy()); | |
| root.setDefaultRolePrefix(getDefaultAuthorizationManagerFactory().getRolePrefix()); | |
| return root; | |
| } | |
| root.setAuthorizationManagerFactory(getAuthorizationManagerFactory()); | |
| return root; | |
| } | |
| @Deprecated(forRemoval = true, since = "7.0") | |
| protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, | |
| FilterInvocation fi) { | |
| RequestAuthorizationContext authorizationContext = new RequestAuthorizationContext( | |
| fi.getRequest()); | |
| return createSecurityExpressionRoot(authentication, authorizationContext); | |
| } | |
Comment on lines
+40
to
+44
| // Since WebSecurityExpressionRoot is of a different type, use the default factory | ||
| // instead of the one configured with this class. | ||
| root.setTrustResolver(getDefaultAuthorizationManagerFactory().getTrustResolver()); | ||
| root.setRoleHierarchy(getDefaultAuthorizationManagerFactory().getRoleHierarchy()); | ||
| root.setDefaultRolePrefix(getDefaultAuthorizationManagerFactory().getRolePrefix()); |
There was a problem hiding this comment.
This is a similar problem to the comment for DefaultMessageSecurityExpressionHandler.
To solve it, we should create a package scoped FilterInvocationContextRoot that has a public final HttpServletRequest request member and extends SecurityExpressionRoot<FilterInvocation>. This method would then use FilterInvocationContextRoot instead of WebSecurityExpressionRoot.
Then, we should create a ticket to consider deprecating the authorization logic that depends on FilterInvocation (e.g. the SecurityExressionHandler and FilterInvocationContextRoot)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a work in progress. cc: @rwinch