grpc-spring

Question: AccessDecisionManager alternative?

Open wirekang opened this issue 1 year ago • 3 comments

The context

Modern way to enable GrpcSecurityMetadataSource.

The question

This question is not directly related to this module, but it is related to the official document. I was following the document to implement authentication and authorization. It worked very well, but AccessDecisionManager and UnanimousBased are deprecated and they told me to use AuthorizationManager instead. But it's hard to find out how to implement the new way. It would be great if you updated the document with the new way.

    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        return UnanimousBased(listOf(AccessPredicateVoter()))
    }

Which versions do you use?

  • Spring boot: 3.0.2
  • java: 17

wirekang • Feb 04 '23 02:02

I googled a bit and found this document:

https://github.com/spring-projects/spring-security/blob/177baba8c913e465d2a3cd3add5b5bc462226f4b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc#adapting-accessdecisionmanager-and-accessdecisionvoters

You also need to write a custom https://github.com/yidongnan/grpc-spring-boot-starter/blob/master/grpc-server-spring-boot-autoconfigure/src/main/java/net/devh/boot/grpc/server/security/interceptors/AuthorizationCheckingServerInterceptor.java

That basically does:

    If accessDecisionVoter.hasAccess
    Then return next
    Else throw

Does that help you?

I currently don't have much time to write this in more detail. If you have a working example, please post it here for others to see.

ST-DDT • Feb 04 '23 08:02

Sorry for the late response. I'm learning Kotlin with Spring in my spare time. To solve this issue, I have to learn how spring-security works. I'll post a complete working example when I can afford it.

wirekang • Feb 13 '23 04:02

It looks to me like the least disruptive solution to this issue would be to add a new interceptor that uses AuthorizationManager instead of AccessDecisionManager. Neither Spring Security nor Spring Boot will create beans of either type so the user can choose which is better. Once that is released we could deprecate the existing interceptor (following the pattern in Spring Security).

dsyer • Apr 03 '23 05:04
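The "if access is granted, continue the call, else reject" interceptor discussed in this thread, sketched against `AuthorizationManager` as an added example; it is not code from any participant or from the grpc-spring project. It assumes the Spring Security 6.0.x `check` API (the Spring Boot 3.0.2 line named in the question) and that an earlier authentication interceptor has already populated `SecurityContextHolder`; the class names, the `exampleInterceptor` function and the gRPC method names are hypothetical, and registering the interceptor with the server is left to the application.

```kotlin
import io.grpc.Metadata
import io.grpc.MethodDescriptor
import io.grpc.ServerCall
import io.grpc.ServerCallHandler
import io.grpc.ServerInterceptor
import io.grpc.Status
import org.springframework.security.authorization.AuthenticatedAuthorizationManager
import org.springframework.security.authorization.AuthorityAuthorizationManager
import org.springframework.security.authorization.AuthorizationDecision
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import java.util.function.Supplier

// Hypothetical rule table: full gRPC method name -> rule. Unlisted methods are denied.
class MethodRuleAuthorizationManager(
    private val rules: Map<String, AuthorizationManager<MethodDescriptor<*, *>>>
) : AuthorizationManager<MethodDescriptor<*, *>> {
    override fun check(authentication: Supplier<Authentication>, method: MethodDescriptor<*, *>): AuthorizationDecision =
        rules[method.fullMethodName]?.check(authentication, method) ?: AuthorizationDecision(false)
}

class AuthorizationManagerServerInterceptor(
    private val manager: AuthorizationManager<MethodDescriptor<*, *>>
) : ServerInterceptor {
    override fun <ReqT, RespT> interceptCall(
        call: ServerCall<ReqT, RespT>,
        headers: Metadata,
        next: ServerCallHandler<ReqT, RespT>
    ): ServerCall.Listener<ReqT> {
        // Assumption: authentication was stored in the SecurityContextHolder earlier in the chain.
        val auth = Supplier<Authentication?> { SecurityContextHolder.getContext().authentication }
        // A null decision (abstain) is treated as a denial here, so the check fails closed.
        val decision = manager.check(auth, call.methodDescriptor)
        if (decision?.isGranted == true) return next.startCall(call, headers)
        call.close(Status.PERMISSION_DENIED.withDescription("Access denied"), Metadata())
        return object : ServerCall.Listener<ReqT>() {}
    }
}

// Constructed sample rules; the service and method names are placeholders.
fun exampleInterceptor() = AuthorizationManagerServerInterceptor(
    MethodRuleAuthorizationManager(mapOf(
        "example.Greeter/SayHello" to AuthenticatedAuthorizationManager.authenticated<MethodDescriptor<*, *>>(),
        "example.Admin/Shutdown" to AuthorityAuthorizationManager.hasRole<MethodDescriptor<*, *>>("ADMIN")
    ))
)
```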