Consider Making Attribute Based Authorization Simpler to implement

[asaikali]

In modern applications authorization decisions for different end points can take a look at many attributes of a request, who's logged in, the url being requested, the location the request is coming from, the type of authentication used to make the request (password, 2 factor, passkey, fido credentials ... etc, the type of device the user is using. Expressing complex authorization rules based on multiple request attributes is currently hard. The spring configuration DSL does not have enough expressiveness to capture complex authorization logic, it is common to see snippets of code such as authorizeRequests.requestMatchers("/myendpoint").permitAll(); This code has two problems.

• The matching is too coarse grained. Only the url is considered when a more complex set of attributes might need to be considered.
• The result is yes / no binary choice permitted or denied. For some end points the decision might be yes, no, or request to re-verify the identity of the user.

Ideally the configuration DSL for spring should have an easy way for developers to express more complex authorization rules based on multiple attribute of a request, and more nuanced authorization decision beyond yes/no.

related to #13266

[rwinch]

@asaikali Thanks for your feedback.

I believe what you are looking for is possible by leveraging the AuthorizationManager APIs and the RequestMatcher API. For example, this demonstrates that you can match on if a header is non-null and then authorize if the header value equals the authenticated username.

.authorizeHttpRequests(request -> request
	.requestMatchers((r) -> r.getHeader("CUSTOM") != null).access((authn,r) -> new AuthorizationDecision(authn.get().getName().equals(r.getRequest().getHeader("CUSTOM"))))
);

Given that the HttpServletRequest is accessible from the RequestMatcher and AuthorizationManager APIS (visible as the variable r) it should be apparent that you can perform both matching logic and authorization logic based upon any attribute or combination of attributes in the request.

You might notice that it is possible to easily plug in an AuthorizationManager the delegates to external APIs for authorization by mapping all of the requests to a single AuthorizationManager that extracts what it needs from the HttpServletRequest and then passes that to the external API to decide if authorization should be granted.

The AuthorizationDecision object that is returned can be extended to express decisions beyond yes/now as well.

Does this help? If not, can you provide an example that you are having trouble expressing?