
Method Security for Filtering non-collections #14601

Closed
Tracked by #14595
rwinch opened this issue Feb 13, 2024 · 0 comments

Labels: in: core (An issue in spring-security-core), status: duplicate (A duplicate of another issue), type: enhancement (A general enhancement)

rwinch commented Feb 13, 2024
We support filtering the results of collections, but it would be nice to filter non-collection types. I haven't decided on the syntax for this but here is a rough idea:

```java
// needs work because won't work with primitives
class DefaultValueDeniedHandler implements MethodAccessDeniedHandler {
  // FIXME: should we even allow access to the deniedObject?
  // for PreAuthorize deniedObject is a reference to the method and arguments, for PostAuthorize it is the return value
  public Object handle(Object deniedObject, AccessDeniedException e) {
    return null;
  }
}

class Foo {
  @DenyAll
  @DeniedHandler(DefaultValueDeniedHandler.class)
  String bar() {
    return "bar";
  }
}

foo.bar(); // returns null
```

We could also customize to do non-default types. For example if we wanted to mask the value:

```java
// needs work because won't work with primitives
class MaskDeniedHandler implements MethodAccessDeniedHandler {
  public String handle(String deniedObject, AccessDeniedException e) {
    return "***";
  }
}

class Foo {
  @DenyAll
  @DeniedHandler(MaskDeniedHandler.class)
  String bar() {
    return "bar";
  }
}

foo.bar(); // returns "***"
```

We can also create composed annotations to simplify.

```java
class Foo {
  @DenyAll
  @MaskDenied
  String bar() {
    return "bar";
  }
}

foo.bar(); // returns "***"
```

We can also allow the handler to be specified on the class level.

```java
@MaskDenied
class Foo {
  @DenyAll
  String bar() {
    return "bar";
  }

  @DenyAll
  String zip() {
    return "zip";
  }
}

foo.bar(); // returns "***"
foo.zip(); // returns "***"
```
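The sketch above was later shipped under different names (the commit message further down lists `MethodAuthorizationDeniedHandler` with `handleDeniedInvocation` and `handleDeniedInvocationResult`, and `@HandleAuthorizationDenied`). The following is an added example, not code from the issue or from the Spring Security project, showing how a masking handler looks against that API and how it sidesteps the primitive-return-type problem noted in the comments of the sketch. The `handlerClass` attribute name, the package names, the `Document` type and the `hasRole('ADMIN')` rule are assumptions for illustration.

```java
// Added example (not from the issue). Assumes Spring Security 6.3-style method
// security with @EnableMethodSecurity; package and attribute names are assumptions.
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.method.HandleAuthorizationDenied;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
import org.springframework.security.authorization.method.MethodInvocationResult;
import org.springframework.stereotype.Component;

@Component
class MaskMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {

    // Invoked when a pre-invocation rule (e.g. @PreAuthorize) denies the call.
    // The target method has NOT run; whatever is returned here becomes the
    // caller's result instead of an exception.
    @Override
    public Object handleDeniedInvocation(MethodInvocation invocation, AuthorizationResult result) {
        return maskedDefault(invocation.getMethod().getReturnType());
    }

    // Invoked when a post-invocation rule (e.g. @PostAuthorize) denies the result.
    // The target method HAS already run, so any side effects have happened;
    // only the value handed back to the caller is replaced.
    @Override
    public Object handleDeniedInvocationResult(MethodInvocationResult invocationResult,
                                               AuthorizationResult result) {
        Class<?> returnType = invocationResult.getMethodInvocation().getMethod().getReturnType();
        return maskedDefault(returnType);
    }

    // Returning null from a method declared to return a primitive would blow up
    // with a NullPointerException on unboxing in the proxy, which is the
    // "won't work with primitives" problem in the sketch. Pick a typed default.
    private static Object maskedDefault(Class<?> returnType) {
        if (returnType == String.class) {
            return "***";
        }
        if (returnType == boolean.class) {
            return false;
        }
        if (returnType == int.class) {
            return 0;
        }
        if (returnType == long.class) {
            return 0L;
        }
        if (returnType.isPrimitive()) {
            // Fail closed rather than risk an NPE deep inside the proxy.
            throw new IllegalStateException("no masked default for " + returnType.getName());
        }
        return null; // reference types: caller sees "nothing"
    }
}

// Assumed domain type for the @PostAuthorize case.
record Document(String owner, String body) {}

@Component
class Foo {

    // Pre-invocation denial: an unauthorized caller gets "***" and bar() never runs.
    @PreAuthorize("hasRole('ADMIN')")
    @HandleAuthorizationDenied(handlerClass = MaskMethodAuthorizationDeniedHandler.class)
    public String bar() {
        return "bar";
    }

    // Post-invocation denial: load() runs, then the result is checked against the
    // authenticated principal; a non-owner receives null instead of the document.
    @PostAuthorize("returnObject.owner == authentication.name")
    @HandleAuthorizationDenied(handlerClass = MaskMethodAuthorizationDeniedHandler.class)
    public Document load(String id) {
        return new Document("alice", "constructed sample body for " + id);
    }
}
```

Two points a reviewer would check when adopting this pattern: a masked return hides the denial from the caller, so an audit log of `AuthorizationResult` denials should be kept elsewhere (for instance an `AuthorizationEventPublisher`) or the masking becomes a blind spot; and for `@PostAuthorize` the method body has already executed, so masking protects the returned value but not any writes or external calls the method made.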
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Apr 3, 2024
@marcusdacoregio marcusdacoregio added status: duplicate A duplicate of another issue in: core An issue in spring-security-core type: enhancement A general enhancement labels Apr 3, 2024
@marcusdacoregio marcusdacoregio added this to the 6.3.0-RC1 milestone Apr 3, 2024
jzheaux added a commit that referenced this issue Apr 4, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Apr 12, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Apr 12, 2024
marcusdacoregio added a commit that referenced this issue Apr 12, 2024
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler, it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method

Issue gh-14601
jzheaux added a commit that referenced this issue Aug 30, 2024
Now instructs to use MethodAuthorizationDeniedHandler

Issue gh-14601