grpc-spring
grpc-spring copied to clipboard
Question: AccessDecisionManager alternative?
The context
Modern way to enable GrpcSecurityMetadataSource
.
The question
This question is not directly related to this module, but related with the official document. I was following the document to implement authentication and authorization. It worked very well but AccessDecisionManager
and UnanimousBased
are depreacated and they told me to use AuthorizationManager
instead. But it's hard to find out how to implement the new way. It would be great if you update the document with new way.
@Bean
fun accessDecisionManager(): AccessDecisionManager {
return UnanimousBased(listOf(AccessPredicateVoter()))
}
Which versions do you use?
- Spring boot: 3.0.2
- java: 17
I googled a bit and found this document:
https://github.com/spring-projects/spring-security/blob/177baba8c913e465d2a3cd3add5b5bc462226f4b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc#adapting-accessdecisionmanager-and-accessdecisionvoters
You also need to write a custom https://github.com/yidongnan/grpc-spring-boot-starter/blob/master/grpc-server-spring-boot-autoconfigure/src/main/java/net/devh/boot/grpc/server/security/interceptors/AuthorizationCheckingServerInterceptor.java
That basically does: If accessdecisonvoter.hasAccess Then return next Else throw
Does that help you?
I currently dont have much time to write this in more detail. If you have a working example, please post it here for others to see.
Sorry for late response. I'm learning kotlin with spring in spare time. To solve this issue, I have to learn how spring-security works. I'll post complete working example when I can afford it.
It looks to me like the least disruptive solution to this issue would be to add a new interceptor that uses AuthorizationManager
instead of AccessDecisionManager
. Neither Spring Security nor Spring Boot will create beans of either type so the user can choose which is better. Once that is released we could deprecate the existing interceptor (following the pattern in Spring Security).