ReactiveAuthorizationManager + Reactive Method Security

[evgeniycheban]

Closes gh-9401

[jzheaux]

Thanks, @evgeniycheban, for your efforts here!

I've left some initial feedback inline.

[jzheaux]

This is likely a bug for other branches. Would you please put this addition of the @Role annotation into a separate commit? That way, we can backport that commit to earlier branches.

[jzheaux]

Hi, @evgeniycheban, are you able to apply the requested changes?

[evgeniycheban]

Hi, @evgeniycheban, are you able to apply the requested changes?

Hi, sorry for the long time of inactivity on this PR. I've been busy at work these few months. I plan to continue working on this next week.

[evgeniycheban]

@jzheaux I updated the PR according to your comments.

[evgeniycheban]

@rwinch @jzheaux I updated the PR, please take a look.

[code-uri]

@evgeniycheban I am seeing error " EL1001E: Type conversion problem, cannot convert from reactor.core.publisher.MonoJust<java.lang.Boolean> to java.lang.Boolean" when mixing a non reactive and reactive expression in @PreAuthorize.

Any clue why is this happening?

Example:-
@PreAuthorize("@authz.checkReactive() || hasRole('ADMIN')")

[evgeniycheban]

@evgeniycheban I am seeing error " EL1001E: Type conversion problem, cannot convert from reactor.core.publisher.MonoJust<java.lang.Boolean> to java.lang.Boolean" when mixing a non reactive and reactive expression in @PreAuthorize.

Any clue why is this happening?

Example:- @PreAuthorize("@authz.checkReactive() || hasRole('ADMIN')")

@code-uri Interesting note.
Mixing reactive and non-reactive expressions is not currently supported.
I think we should address this to the Spring Framework team so they can decide if this should be supported in Spring expressions.

@jzheaux @rwinch What do you think? Should the user be able to mix reactive and non-reactive expressions in @PreAuthorize?

[jzheaux]

Should the user be able to mix reactive and non-reactive expressions in @PreAuthorize?

I wonder if the user could simply do @authz.checkReactive(#root, 'ADMIN') and then invoke hasRole('ADMIN') from within the authz bean.

Personally, I'm not a huge fan of embedding logic inside the annotations as it's a bit harder to test; I'd prefer to use a bean or a custom ReactiveAuthorizationManager. I'd probably want to wait for a clearer use case where mixing the two types in a SpEL expression is better than one of these two alternatives. Just my 2c, though.

[evgeniycheban]

@jzheaux @rwinch Any updates on this?

[evgeniycheban]

@rwinch @jzheaux I've rebased it on top of 5.8.x and updated @since to 5.8.

[rwinch]

I've responded inline. The biggest ask is to update to remove co-routines support as discussed #9867 (review)

Please also ensure you rebase off 5.8.x as there are currently conflicts

[koenpunt]

Any update on this?

[jens-meiss]

i tried to rebase 5.8.x, but the 5.8.x branch was broken/couldn't be build because of mission classes ... @evgeniycheban are you going to fix the stuff mentionend in the review?

[evgeniycheban]

Hello @koenpunt @jens-meiss, I'm going to fix it this week.

[jzheaux]

Thanks, @evgeniycheban, just saw your update. Thank you for such a valuable and time-consuming contribution. I'll add any minor polish that remains and hopefully merge this week.

[jzheaux]

Nice, @evgeniycheban! This is now merged into 5.8.x and main. I also added a polish commit at e990174 and a documentation commit at 070dce1.

Thanks again for all your consistent effort to this PR!