spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Provide Native Hints for Beans used in Method Security Annotations

Open marcusdacoregio opened this issue 1 year ago • 1 comments

We should look into how to provide native hints for bean methods used inside Method Security annotations.

Currently, in order to make this work:

@Component
class Authz {
   boolean check(Authentication authentication, String id, String permission) {
      return "admin".equals(authentication.getName());
   }
}

@PreAuthorize("@authz.check(authentication, #id, 'read')")
String findById(String id) {

}

We need to register hints:

@Override
public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
	hints.reflection().registerType(Authz.class, MemberCategory.INVOKE_DECLARED_METHODS);
}

Related to

  • https://github.com/spring-projects/spring-framework/issues/29548

marcusdacoregio avatar Feb 26 '24 16:02 marcusdacoregio

@sbrannen provided some insights on how we could achieve that:

  • Parse the SpEL expression and then walk the AST to find nodes of type BeanReference and then retrieve the beanName from that.
  • beanName is a private field with no getter, we can probably use reflection or parse the bean name from the string returned from toStringAST().
  • Once we know the beanName we can look up that bean in the ApplicationContext and register hints for the bean's concrete type.

marcusdacoregio avatar Mar 20 '24 11:03 marcusdacoregio

beanName is a private field with no getter, we can probably use reflection or parse the bean name from the string returned from toStringAST().

Please note that BeanReference will have a getName() method in Spring Framework 6.2.

If it's needed in 6.1.x, we could consider backporting it.

  • See https://github.com/spring-projects/spring-framework/issues/32640

sbrannen avatar Apr 15 '24 14:04 sbrannen