Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revise AuthorizationAnnotationUtils #14407

Merged
merged 1 commit into from
Jan 18, 2024
Merged

Revise AuthorizationAnnotationUtils #14407

merged 1 commit into from
Jan 18, 2024

Conversation

sbrannen
Copy link
Member

@sbrannen sbrannen commented Jan 5, 2024

Overview

This commit revises AuthorizationAnnotationUtils as follows.

  • Removes code duplication by treating both Class and Method as AnnotatedElement.

  • Avoids duplicated annotation searches by processing merged annotations in a single Stream instead of first using the MergedAnnotations API to find possible duplicates and then again searching for a single annotation via AnnotationUtils (which effectively performs the same search using the MergedAnnotations API internally).

  • Uses .distinct() within the Stream to avoid the need for the workaround introduced in AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #13625. Note that the semantics here result in duplicate "equivalent" annotations being ignored. In other words, if @⁠PreAuthorize("hasRole('someRole')") is present multiple times as a meta-annotation, no exception will be thrown and the first such annotation found will be used.

  • Improves the error message when competing annotations are found by including the competing annotations in the error message.

  • Updates AuthorizationAnnotationUtilsTests to cover all known, supported use cases.

  • Configures correct role in @⁠RequireUserRole.

Please note this commit uses .map(MergedAnnotation::withNonMergedAttributes) to retain backward compatibility with previous versions of Spring Security. However, that line can be deleted if the Spring Security team decides that it wishes to support merged annotation attributes via custom composed annotations. If that decision is made, the composedMergedAnnotationsAreNotSupported() test should be renamed and updated as explained in the comment in that method.

Related Issues

@sbrannen sbrannen force-pushed the issues/AuthorizationAnnotationUtils-revision branch from a3971b8 to f7e2ddf Compare January 5, 2024 11:42
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 5, 2024
@sbrannen sbrannen force-pushed the issues/AuthorizationAnnotationUtils-revision branch from f7e2ddf to 58be4b0 Compare January 5, 2024 11:54
@sbrannen
Revise AuthorizationAnnotationUtils
aa4e24d 
This commit revises AuthorizationAnnotationUtils as follows.

- Removes code duplication by treating both Class and Method as
  AnnotatedElement.

- Avoids duplicated annotation searches by processing merged
  annotations in a single Stream instead of first using the
  MergedAnnotations API to find possible duplicates and then again
  searching for a single annotation via AnnotationUtils (which
  effectively performs the same search using the MergedAnnotations API
  internally).

- Uses `.distinct()` within the Stream to avoid the need for the
  workaround introduced in spring-projectsgh-13625. Note that the semantics here
  result in duplicate "equivalent" annotations being ignored. In other
  words, if @⁠PreAuthorize("hasRole('someRole')") is present multiple
  times as a meta-annotation, no exception will be thrown and the first
  such annotation found will be used.

- Improves the error message when competing annotations are found by
  including the competing annotations in the error message.

- Updates AuthorizationAnnotationUtilsTests to cover all known,
  supported use cases.

- Configures correct role in @⁠RequireUserRole.

Please note this commit uses
`.map(MergedAnnotation::withNonMergedAttributes)` to retain backward
compatibility with previous versions of Spring Security. However, that
line can be deleted if the Spring Security team decides that it wishes
to support merged annotation attributes via custom composed
annotations. If that decision is made, the
composedMergedAnnotationsAreNotSupported() test should be renamed and
updated as explained in the comment in that method.

See spring-projectsgh-13625
See spring-projects/spring-framework#31803
@sbrannen sbrannen force-pushed the issues/AuthorizationAnnotationUtils-revision branch from 58be4b0 to aa4e24d Compare January 5, 2024 11:54
@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 5, 2024
@jzheaux jzheaux added this to the 6.3.0-M2 milestone Jan 18, 2024
@jzheaux jzheaux merged commit 2b7d296 into spring-projects:main Jan 18, 2024
2 checks passed
@jzheaux
Copy link
Contributor

jzheaux commented Jan 18, 2024

Thanks, @sbrannen! This is now merged into main.

@kse-music kse-music mentioned this pull request Mar 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
6.3.0-M2
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@sbrannen @jzheaux @marcusdacoregio @spring-projects-issues