micronaut-core icon indicating copy to clipboard operation
micronaut-core copied to clipboard

Published 20 hours ago verified publisher icon micronaut-projects

Secured annotation isn't applied to HttpServerFilter

Open ThraaxSession opened this issue 3 years ago • 6 comments

Expected Behavior

A HttpServerFilter class can be annotated with "@Secured".

Actual Behaviour

The annotation will be ignored

Steps To Reproduce

image

Environment Information

GraalVM 22.2.0.r11

Example Application

No response

Version

3.6.0

ThraaxSession avatar Aug 12 '22 22:08 ThraaxSession

What gave you the impression this should work?

jameskleeh avatar Aug 16 '22 00:08 jameskleeh

Hi @jameskleeh I see HttpServerFilter like a superset on HTTP requests over HTTP Controller. Why it shouldn't be possible to secure this superset? A controller might be more specific endpoints. But the the filters can handle the same as far I figure out. Especially when I need more control over the request. That's why I think it should be possible to secure HttpServerFilter. If Secured annotation is Controller specific, it would be at least useful to have possibility to extend the Filter annotation.

ThraaxSession avatar Aug 16 '22 06:08 ThraaxSession

@jameskleeh what is the alternative for now? I need this annotation. How can I manually check it?

ThraaxSession avatar Aug 20 '22 11:08 ThraaxSession

Ensure it runs after the secured one and get the authentication from the request

On Sat, Aug 20, 2022 at 7:16 AM ThraaxSession @.***> wrote:

@jameskleeh https://github.com/jameskleeh what is the alternative for now? I need this annotation. How can I manually check it?

— Reply to this email directly, view it on GitHub https://github.com/micronaut-projects/micronaut-core/issues/7872#issuecomment-1221295999, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAMCVLPR7IDBQKKAHTHX3E3V2C5CFANCNFSM56NAHHJA . You are receiving this because you were mentioned.Message ID: @.***>

jameskleeh avatar Aug 20 '22 11:08 jameskleeh

@jameskleeh any example?

ThraaxSession avatar Aug 20 '22 15:08 ThraaxSession

Hi @jameskleeh the latest release of micronaut (I guess) security provides for the request new parameters. A first help to solve the authentication issue. Might be to add "request.isAuthenticated". The annotation is still anyway a smoother solution.

ThraaxSession avatar Aug 23 '22 06:08 ThraaxSession

@jameskleeh any update on this?

ThraaxSession avatar Nov 26 '22 17:11 ThraaxSession

james doesn't work on micronaut full-time anymore.

if you want to check for authentication, you can add your filter after the SecurityFilter, and check the SecurityFilter.AUTHENTICATION attribute. I don't think we should implement the annotation for filters, it'd be like filters for filters, which is just weird.

yawkat avatar Nov 28 '22 14:11 yawkat

@yawkat Agreed this should be closed imo

jameskleeh avatar Mar 05 '23 03:03 jameskleeh