I've successfully implemented security based on roles to my GRPC methods by following the "Server security" tutorial.
Everything works as expected given the following code:
@Configuration
public class GrpcSecurity {
@Bean
AuthenticationManager authenticationManager() {
return authentication -> authentication;
}
@Bean
GrpcAuthenticationReader authenticationReader(ApplicationAuthenticationService awsCognitoApplicationAuthenticationService) {
//proprietary reader...
}
@Bean
GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
source.set(HelloWorldServiceGrpc.getSayHelloMethod(), AccessPredicate.hasRole("ROLE_ADMIN"));
source.setDefault(AccessPredicate.denyAll());
return source;
}
@Bean
AccessDecisionManager accessDecisionManager() {
final List<AccessDecisionVoter<?>> voters = new ArrayList<>();
voters.add(new AccessPredicateVoter());
return new UnanimousBased(voters);
}
}
However, Intellij points out that AccessDecisionManager, AccessDecisionVoter and UnanimousBased are all deprecated. Spring advises to use AuthorizationManager. In a normal web application, that's easy to do, but how can we make AuthenticationManager work in conjunction GrpcSecurityMetadataSource? If I remove the AccessDecisionManager, authentication/authorisation stops working (as described in GrpcSecurityMetadataSource javadoc).
I've successfully implemented security based on roles to my GRPC methods by following the "Server security" tutorial.
Everything works as expected given the following code:
However, Intellij points out that
AccessDecisionManager
,AccessDecisionVoter
andUnanimousBased
are all deprecated. Spring advises to useAuthorizationManager
. In a normal web application, that's easy to do, but how can we makeAuthenticationManager
work in conjunctionGrpcSecurityMetadataSource
? If I remove theAccessDecisionManager
, authentication/authorisation stops working (as described inGrpcSecurityMetadataSource
javadoc).