Open codependent opened 4 years ago
Thanks for the suggestion, @codependent. How is the webSecurity
bean in your sample materially different from publishing a ReactiveAuthorizationManager
implementation and using that? It seems like the logic in webSecurity#check
would be nearly identical to a concrete ReactiveAuthorizationManager
implementation.
Generally speaking, I don't see the appeal to using SpEL when it's simple to provide a concrete, unit-testable authorization implementation instead. Additionally, applications have tended over the years to embed an unhealthy amount of logic in their security SpEL expressions, so I'm hesitant to add a feature that encourages that practice.
@jzheaux as you say implementing ReactiveAuthorizationManager
is nearly equivalent to what the SpEL expression would do. I was used to the Spring MVC approach and thought it would be nice to have in Webflux as well. In any case I see your point regarding the risk of arbitrary SpEL so feel free to discard the issue if you think it's better not to have this.
Thanks for considering it anyway.
Let's see where #11105 goes -- it may be value to add the same to the reactive side.
Summary
The usual Spring MVC Security allows us to reference beans in the web security expressions:
Currently the reactive version doesn't offer an access method with a String for web expressions, only with a
ReaciveAuthorizationManager
.Actual Behavior
This is the API offered by
pathMatchers
Expected Behavior
Possibility of configuring a security web expression:
Configuration
...
Version
5.2.0.RC1