Open codependent opened 4 years ago
The reactive version is bean-based. Is this as simple as adding a conditional?
I had a similar problem. I tried this approach and it worked.
Create the following configuration class that initializes the required security beans along with my custom expression handler bean.
class AuthorizationConfig {
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
DelegatingMethodSecurityMetadataSource methodMetadataSource(
MethodSecurityExpressionHandler methodSecurityExpressionHandler) {
var attributeFactory = new ExpressionBasedAnnotationAttributeFactory(methodSecurityExpressionHandler);
var prePostSource = new PrePostAnnotationSecurityMetadataSource(attributeFactory);
return new DelegatingMethodSecurityMetadataSource(List.of(prePostSource));
}
@Bean
PrePostAdviceReactiveMethodInterceptor securityMethodInterceptor(AbstractMethodSecurityMetadataSource source,
MethodSecurityExpressionHandler handler) {
var postAdvice = new ExpressionBasedPostInvocationAdvice(handler);
var preAdvice = new ExpressionBasedPreInvocationAdvice();
preAdvice.setExpressionHandler(handler);
return new PrePostAdviceReactiveMethodInterceptor(source, preAdvice, postAdvice);
}
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
MethodSecurityMetadataSourceAdvisor methodSecurityInterceptor(AbstractMethodSecurityMetadataSource source) {
return new MethodSecurityMetadataSourceAdvisor("securityMethodInterceptor", source,
"methodMetadataSource");
}
@Bean
MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
return new CustomMethodSecurityExpressionHandler(); // my custom expression handler
}
}
DO NOT use @EnableReactiveMethodSecurity
as the above code does what it does but not completely as the above implementation does not take into consideration the import order and default role prefixes which were not required in my case. If you want to use them too, you can clone the code from ReactiveMethodSecurityConfiguration
Hope this helps
@Bean @Primary public DefaultMethodSecurityExpressionHandler getCustomMethodSecurityExpressionHandler() { return new CustomMethodSecurityExpressionHandler(); }
Seems to work as well
How about avoiding this problem by calling setRoleHierarchy inside ReactiveMethodSecurityConfiguration.methodSecurityExpressionHandler method or adding @ConditionalOnMissingBean annotation?
Let's take a look at this after #9401 is merged.
@bean @primary public DefaultMethodSecurityExpressionHandler getCustomMethodSecurityExpressionHandler() { return new CustomMethodSecurityExpressionHandler(); }
Seems to work as well
This worked for me but my CustomMethodSecurityExpressionHandler
class has to be annotated with @Component
and @Primary
Summary
I need to customize the behavior of the reactive method security expression handler. In the non reactive version this could be done extending
GlobalMethodSecurityConfiguration
as stated in the documentation:However, the reactive equivalent
ReactiveMethodSecurityConfiguration
is a package-private class and can't be extended to modify the framework.Actual Behavior
We can't modify the expression handler.
Expected Behavior
Allow the definition of a custom
MethodSecurityExpressionHandler
Configuration
...
Version
5.2.0.RC1