spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

RequestMatcherDelegatingAuthorizationManager should be post-processable #15948

Closed codeconsole closed 1 month ago

codeconsole commented 1 month ago

Currently there is no way to enforce the Principle of least privilege with respect to Handler Mappings and method security, e.g. PreAuthorize.

Some frameworks built on top of Spring Security accomplish this by providing an AnnotationFilterInvocationDefinition to the FilterSecurityInterceptor that checks both the request mappings and method level annotations.

This approach, however, will no longer be possible in Spring Security 7 due to the fact that the FilterSecurityInterceptor is set for removal in favor of the AuthorizationFilter.

While it is possible to create an instance of the AuthorizationFilter with its own AuthorizationManager, it is impossible to utilize the convenient creation of a RequestMatcherDelegatingAuthorizationManager.

A very simple solution for achieving the Principle of least privilege while honoring method level overrides would be to instantiate an AuthorizationFilter with a wrapped RequestMatcherDelegatingAuthorizationManager that first checks the authorization level of the request mapping and then does the method level annotation check as an override. This is not currently possible because RequestMatcherDelegatingAuthorizationManager cannot be built independently of the AuthorizationFilter, nor can it be customized to perform further checks.

Making it extensible or allowing it to be built outside of the AuthorizationFilter would enable the new approach to be accomplished and promote code reuse. The goal here is to utilize the RequestMatcherDelegatingAuthorizationManager when creating a custom approach to securing requests that involves method level security.
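The wrapped manager the comment sketches, written out as an added example; this is not code from the issue or from Spring Security. It assumes Spring Security 6.x (the `check(...)` entry point) and Spring MVC with a `HandlerMapping` bean; the class name, the sample paths and the fail-closed handling of method-argument references such as `#id` are this example's own choices. The mapping table is assembled with `RequestMatcherDelegatingAuthorizationManager`'s public builder rather than the `authorizeHttpRequests` DSL, so the DSL convenience the comment refers to is not available here.

```java
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;

// Added example (hypothetical class, not part of Spring Security): request-mapping rules decide first,
// then a @PreAuthorize on the resolved handler method overrides that decision in either direction.
public final class MappingThenMethodAuthorizationManager implements AuthorizationManager<HttpServletRequest> {

    private final AuthorizationManager<HttpServletRequest> requestMappings;
    private final HandlerMapping handlerMapping;
    private final DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();

    public MappingThenMethodAuthorizationManager(AuthorizationManager<HttpServletRequest> requestMappings,
            HandlerMapping handlerMapping) {
        this.requestMappings = requestMappings;
        this.handlerMapping = handlerMapping;
    }

    // check(...) is the 6.x entry point; 6.4's default authorize(...) delegates to it.
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, HttpServletRequest request) {
        // Step 1: the request-mapping table (a RequestMatcherDelegatingAuthorizationManager) decides.
        AuthorizationDecision mappingDecision = this.requestMappings.check(authentication, request);
        // Step 2: a method-level @PreAuthorize, when present, replaces that decision.
        PreAuthorize preAuthorize = resolvePreAuthorize(request);
        if (preAuthorize == null) {
            return mappingDecision;
        }
        try {
            Expression expression = this.expressionHandler.getExpressionParser().parseExpression(preAuthorize.value());
            // Evaluated against the web expression root (hasRole, isAuthenticated, ...), not the method root.
            EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication,
                    new RequestAuthorizationContext(request));
            return new AuthorizationDecision(ExpressionUtils.evaluateAsBoolean(expression, ctx));
        } catch (RuntimeException ex) {
            // ParseException, or the IllegalArgumentException ExpressionUtils wraps an evaluation failure in
            // (e.g. a #param reference that only exists at method invocation time): fail closed.
            return new AuthorizationDecision(false);
        }
    }

    // Resolves the Spring MVC handler for this request; null when there is none or it is not a controller method.
    // Caveat: HandlerMapping.getHandler sets the usual path-matching request attributes as a side effect.
    private PreAuthorize resolvePreAuthorize(HttpServletRequest request) {
        try {
            HandlerExecutionChain chain = this.handlerMapping.getHandler(request);
            if (chain != null && chain.getHandler() instanceof HandlerMethod handlerMethod) {
                PreAuthorize onMethod = handlerMethod.getMethodAnnotation(PreAuthorize.class);
                return (onMethod != null) ? onMethod
                        : AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), PreAuthorize.class);
            }
        } catch (Exception ex) {
            // No handler could be resolved: there is no method-level rule, so the mapping decision stands.
        }
        return null;
    }

    // Wiring: a least-privilege mapping table with an explicit deny-all catch-all, built with the public
    // builder, wrapped by this manager and handed to an AuthorizationFilter. Paths are sample values.
    public static AuthorizationFilter authorizationFilter(HandlerMapping handlerMapping) {
        RequestMatcherDelegatingAuthorizationManager mappings = RequestMatcherDelegatingAuthorizationManager.builder()
                .add(AntPathRequestMatcher.antMatcher("/public/**"), (auth, ctx) -> new AuthorizationDecision(true))
                .add(AntPathRequestMatcher.antMatcher("/admin/**"), AuthorityAuthorizationManager.hasRole("ADMIN"))
                .add(AnyRequestMatcher.INSTANCE, (auth, ctx) -> new AuthorizationDecision(false))
                .build();
        return new AuthorizationFilter(new MappingThenMethodAuthorizationManager(mappings, handlerMapping));
    }
}
```

With this wiring a request to an unmapped path is denied by the catch-all unless its controller method carries a `@PreAuthorize` that grants it, and a request to `/admin/**` by an ADMIN can still be denied by a stricter method-level expression. Register the filter at the same position `authorizeHttpRequests` would have placed it (`addFilterAfter(..., ExceptionTranslationFilter.class)`), since no DSL does that here.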

codeconsole commented 1 month ago

https://github.com/spring-projects/spring-security/issues/14371

jzheaux commented 1 month ago

Related to #13057