Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Propagate security context via channel interceptor #12532

Merged
merged 1 commit into from
Oct 16, 2023
Merged

Propagate security context via channel interceptor #12532

merged 1 commit into from
Oct 16, 2023

Conversation

artembilan
Copy link
Member

The SecurityContextChannelInterceptor currently has an ability to populate a security context with an Authentication from message header. But doesn't look like there is a way in the framework to populate such a header and therefore propagate context downstream the messaging flow

  • Extend a SecurityContextChannelInterceptor to support postReceive() contract for context population and afterReceiveCompletion() to clean it up, respectively
  • Optimize setup() function logic to not re-populate context if it already has the same Authentication
  • Add a logic to the preSend() to populate header with the value from current security context if it is missed in a message

The change is driven by this Spring Integration feature: https://docs.spring.io/spring-integration/reference/html/security.html#security-context-propagation.
There is now only a single class in the Spring Integration Security modules and it is that SecurityContextPropagationChannelInterceptor.
When we will have such a propagation feature in Spring Security for Messaging by itself, there won't be a reason in that module in Spring Integration at all.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 12, 2023
@sjohnr sjohnr added in: messaging An issue in spring-security-messaging type: enhancement A general enhancement labels Jan 13, 2023
@jzheaux jzheaux self-assigned this Jan 17, 2023
@jzheaux jzheaux removed the status: waiting-for-triage An issue we've not yet triaged label Jan 17, 2023
jzheaux
jzheaux requested changes Apr 14, 2023
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@artembilan, thanks for the PR! I've left some questions inline.

...a/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java Outdated Show resolved Hide resolved
...a/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java Outdated Show resolved Hide resolved
@artembilan artembilan requested a review from jzheaux April 20, 2023 14:42
jzheaux
jzheaux requested changes May 17, 2023
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @artembilan! I've left some additional feedback inline.

...n/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java Outdated Show resolved Hide resolved
...a/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java Outdated Show resolved Hide resolved
...n/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java Outdated Show resolved Hide resolved
@artembilan artembilan force-pushed the propagate_context_via_channel_interceptor branch from f26515f to 0130a47 Compare May 18, 2023 17:09
@artembilan artembilan requested a review from jzheaux May 18, 2023 17:10
@artembilan
Copy link
Member Author

@jzheaux ,

any feedback, please?

@artembilan artembilan mentioned this pull request Sep 15, 2023
Merged
@artembilan
Copy link
Member Author

Here is some simple Spring Boot sample to demonstrate how a new SecurityContextPropagationChannelInterceptor helps to propagate security context from one thread to another via MessageChannel in between: https://github.com/artembilan/sandbox/blob/master/spring-integration-security-context-propagation/HELP.md.
Thanks

@artembilan artembilan force-pushed the propagate_context_via_channel_interceptor branch from bdd0914 to 4f2989d Compare September 15, 2023 19:12
jzheaux
jzheaux requested changes Oct 13, 2023
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for moving this out into another class, and also for the sample! Please see my next round of questions/comments inline.

...springframework/security/messaging/context/SecurityContextPropagationChannelInterceptor.java Outdated Show resolved Hide resolved
...a/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java Outdated Show resolved Hide resolved
...n/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java Outdated Show resolved Hide resolved
...springframework/security/messaging/context/SecurityContextPropagationChannelInterceptor.java Outdated Show resolved Hide resolved
...springframework/security/messaging/context/SecurityContextPropagationChannelInterceptor.java Outdated Show resolved Hide resolved
@artembilan artembilan force-pushed the propagate_context_via_channel_interceptor branch from 4f2989d to e8c9869 Compare October 13, 2023 17:31
@artembilan
Copy link
Member Author

Just pushed the rest of requested changes.

Thanks

@artembilan artembilan requested a review from jzheaux October 13, 2023 17:32
@artembilan
Copy link
Member Author

Pushed an anonymous propagation as was requested.

@jzheaux jzheaux added this to the 6.2.0-RC2 milestone Oct 16, 2023
@artembilan @jzheaux
Propagate SecurityContext in ChannelInterceptor
60a00bb 
Add `SecurityContextPropagationChannelInterceptor` that
propagates the current security context through the
Spring Messaging API.

Namely, it adds the current security context into any
message before it is sent and then populates the security
context when that message is received, typically in a
separate thread.
@jzheaux jzheaux force-pushed the propagate_context_via_channel_interceptor branch from 9847108 to 60a00bb Compare October 16, 2023 18:59
@jzheaux jzheaux merged commit df5b729 into spring-projects:main Oct 16, 2023
1 check passed
jzheaux added a commit that referenced this pull request Oct 31, 2023
@jzheaux
Update What's New in 6.2
9d5194a 
Issue gh-7845
Issue gh-12532
Issue gh-12817
Issue gh-13988
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels
in: messaging An issue in spring-security-messaging type: enhancement A general enhancement
Projects
Spring Security Team
Status: Done
Milestone
6.2.0-RC2
Development

Successfully merging this pull request may close these issues.
4 participants
@artembilan @jzheaux @sjohnr @spring-projects-issues