search

grpc-ecosystem / grpc-spring

Spring Boot starter module for gRPC framework.
https://grpc-ecosystem.github.io/grpc-spring/
Apache License 2.0
3.43k stars 809 forks source link

Spring Security AccessDecisionManager is deprecated. What's the alternative? #1068

Open TheMorganHub opened 4 months ago

TheMorganHub commented 4 months ago

I've successfully implemented security based on roles to my GRPC methods by following the "Server security" tutorial.

Everything works as expected given the following code:

@Configuration
public class GrpcSecurity {

    @Bean
    AuthenticationManager authenticationManager() {
        return authentication -> authentication;
    }

    @Bean
    GrpcAuthenticationReader authenticationReader(ApplicationAuthenticationService awsCognitoApplicationAuthenticationService) {
        //proprietary reader...
    }

    @Bean
    GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
        final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
        source.set(HelloWorldServiceGrpc.getSayHelloMethod(), AccessPredicate.hasRole("ROLE_ADMIN"));
        source.setDefault(AccessPredicate.denyAll());
        return source;
    }

    @Bean
    AccessDecisionManager accessDecisionManager() {
        final List<AccessDecisionVoter<?>> voters = new ArrayList<>();
        voters.add(new AccessPredicateVoter());
        return new UnanimousBased(voters);
    }
}

However, Intellij points out that AccessDecisionManager, AccessDecisionVoter and UnanimousBased are all deprecated. Spring advises to use AuthorizationManager. In a normal web application, that's easy to do, but how can we make AuthenticationManager work in conjunction GrpcSecurityMetadataSource? If I remove the AccessDecisionManager, authentication/authorisation stops working (as described in GrpcSecurityMetadataSource javadoc).

Saycka commented 2 months ago

I join the question

dcastrobianca commented 2 weeks ago

I'm facing the same issue