spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

AuthorizationManagerAfterMethodInterceptor custom annotations and aspectj support #14970

Open mira-silhavy opened 3 weeks ago

mira-silhavy commented 3 weeks ago

Hi, in our application based on Spring Security 5 we used PostInvocationAdviceProvider with AfterInvocationProviderManager and also defined a few custom annotations to limit access to methods based on our internal roles. We are also using AspectJ weaving and we want to make sure some security checks happen inside a transaction. For that we use AspectJMethodSecurityInterceptor and AspectJ transactional support.

After updating to Spring Security 6 it's not really understandable how we should migrate all that code to AuthorizationManagerAfterMethodInterceptor as a replacement for AspectJMethodSecurityInterceptor. Furthermore, there is no mention of how to use this new interceptor with AspectJ (it seems like only Spring AOP is supported). Are we missing something, or are you planning to add more support for AspectJ into Spring Security 6? Are there any guides on how we could define custom annotations in Spring Security 6 and potentially use the new interceptor code also as an aspect?

jzheaux commented 3 weeks ago

Thanks for reaching out. You are correct that the new MethodInterceptors make no special accommodation for AspectJ. But, I'm thinking that shouldn't stop you from using AspectJ to describe your pointcuts and invoke it, similarly to how it's done with AbstractMethodInterceptorAspect in spring-security-aspects.

If not, then I may be missing something. Could you provide a sample of what did work in Spring Security 5 where the migration is now unclear?

mira-silhavy commented 2 weeks ago

Hi @jzheaux, it's that the deprecated AspectJMethodSecurityInterceptor that we used internally used an instance of Spring's package-private MethodInvocationAdapter. After migrating this to a new aspect based on the code in AbstractMethodInterceptorAspect, I'm required to provide an instance of MethodInvocation, but spring-security doesn't give access to any implementation, e.g. JoinPointMethodInvocation used in AbstractMethodInterceptorAspect is package-private.

If you're not planning to create an AspectJ-compatible version of the interceptor similar to what was in version 5, it would be great if you made JoinPointMethodInvocation public.

mira-silhavy commented 4 days ago

@jzheaux, can you point me to Spring's MethodInvocation implementation class I should use when calling an instance of AuthorizationManagerAfterMethodInterceptor and its invoke method?
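
An added example, not code from spring-security or from anyone in this thread: one way an application can supply its own `MethodInvocation` over an AspectJ join point and hand it to the after-interceptor through the AOP Alliance `MethodInterceptor` interface. The package `com.example.security`, the `InternalRole` annotation and the class names are hypothetical stand-ins for the application's own types.

```java
package com.example.security; // hypothetical package

import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Method;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;

@Aspect
public class InternalRoleAfterAspect {

    // Expected to hold the configured AuthorizationManagerAfterMethodInterceptor.
    // Inject it once the aspect is woven, e.g. through the aspect's aspectOf() factory.
    private MethodInterceptor securityInterceptor;

    public void setSecurityInterceptor(MethodInterceptor securityInterceptor) {
        this.securityInterceptor = securityInterceptor;
    }

    // InternalRole is a hypothetical custom annotation defined by the application.
    @Around("execution(* *(..)) && @annotation(com.example.security.InternalRole)")
    public Object authorize(ProceedingJoinPoint pjp) throws Throwable {
        if (this.securityInterceptor == null) {
            // Fail closed: an unwired aspect must not let annotated calls through unchecked.
            throw new IllegalStateException("security interceptor not configured");
        }
        return this.securityInterceptor.invoke(new JoinPointInvocation(pjp));
    }

    /** Adapts an AspectJ join point to the AOP Alliance MethodInvocation contract. */
    private static final class JoinPointInvocation implements MethodInvocation {
        private final ProceedingJoinPoint pjp;
        private final Method method;

        JoinPointInvocation(ProceedingJoinPoint pjp) {
            this.pjp = pjp;
            // Safe cast: the pointcut only matches method-execution join points.
            this.method = ((MethodSignature) pjp.getSignature()).getMethod();
        }

        @Override public Method getMethod() { return this.method; }
        @Override public Object[] getArguments() { return this.pjp.getArgs(); }
        @Override public Object getThis() { return this.pjp.getTarget(); }
        @Override public AccessibleObject getStaticPart() { return this.method; }
        @Override public Object proceed() throws Throwable { return this.pjp.proceed(); }
    }
}
```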