Open bdeneuter opened 6 years ago
You must use @EnableReactiveMethodSecurity for reactive applications. You also need to ensure that your methods all return either Mono or Flux (this is the way Reactor Context propagates the SecurityContext). Currently @EnableReactiveMethodSecurity will work for @PreAuthorize and @PostAuthorize annotations, which support a superset of the JSR annotations. You can find a sample in Spring Security's samples.
However, JSR annotations are not yet supported. I have scheduled adding JSR-based annotations for Spring Security 5.1.
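An added example, not part of the original thread and not taken from Spring Security's samples: the setup the comment above describes, with @PreAuthorize expressions standing in for the JSR-250 annotations that reactive method security does not process. The class and method names (ReactiveMethodSecurityConfig, AccountService and its methods) are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.stereotype.Service;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

// Hypothetical configuration class. Only the reactive annotation is present:
// per the thread, also adding @EnableGlobalMethodSecurity(jsr250Enabled = true)
// registers extra metadata-source beans and the context fails to start.
@Configuration
@EnableReactiveMethodSecurity
class ReactiveMethodSecurityConfig {
}

// Hypothetical service. Every secured method returns Mono or Flux, because the
// SecurityContext reaches the check through the Reactor Context.
@Service
class AccountService {

    // Stands in for @RolesAllowed("ADMIN"); hasRole() applies the ROLE_ prefix.
    @PreAuthorize("hasRole('ADMIN')")
    public Mono<Void> closeAccount(String accountId) {
        return Mono.empty();
    }

    // Stands in for @RolesAllowed({"ADMIN", "AUDITOR"}).
    @PreAuthorize("hasAnyRole('ADMIN', 'AUDITOR')")
    public Flux<String> listAccountIds() {
        return Flux.just("acct-1", "acct-2"); // constructed sample data
    }

    // Stands in for @PermitAll.
    @PreAuthorize("permitAll")
    public Mono<String> publicStatus() {
        return Mono.just("ok");
    }

    // Stands in for @DenyAll.
    @PreAuthorize("denyAll")
    public Mono<Void> disabledOperation() {
        return Mono.empty();
    }
}
```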
I am currently running Spring Security version 5.1.4, and this does not seem to be fully resolved. I see a Jsr250MethodSecurityMetadataSource bean, but the issue is effectively unchanged. Adding @EnableGlobalMethodSecurity(jsr250Enabled = true) to a configuration class that already has @EnableReactiveMethodSecurity now results in three beans being found:
| Parameter 0 of method securityMethodInterceptor in org.springframework.security.config.annotation.method.configuration.ReactiveMethodSecurityConfiguration required a single bean, but 3 were found:
| - methodMetadataSource: defined by method 'methodMetadataSource' in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class]
| - methodSecurityMetadataSource: defined by method 'methodSecurityMetadataSource' in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class]
| - jsr250MethodSecurityMetadataSource: defined by method 'jsr250MethodSecurityMetadataSource' in class path resource [org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.class]
Was this fixed in 5.1?
@Ernir no, there isn't Reactive support for JSR annotations yet - this ticket will remain open until that support is added.
Thank you for your reply, @jzheaux. Can you tell me if reactive support for the annotations is scheduled for a particular version?
I am also interested in the original @Secured annotation.
I believe this ticket is tracking the Reactive JSR250 (@Secured) support, so once it's scheduled, you'll see a milestone selected in the right-hand column of the ticket.
If you would like, I'd be happy to help you get a PR going to add the support. Would you be interested in doing that?
Hi. May I work on this issue? @jzheaux
I would appreciate any pointers I can get. I took a look at the implementation of Jsr250AuthorizationManager.
I assume I would need to implement a reactive variant? Thanks for any pointers!
Summary
I'm migrating an MVC application to web-flux. Spring Security supports the annotations of JSR250 (RolesAllowed, ...) for Spring MVC applications but not for web-flux applications.
https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/reference/htmlsingle/#jc-method
Actual Behavior
When the annotation @EnableGlobalMethodSecurity is used, the application crashes with the following error message:
Expected Behavior
Configuration
Version
Sample