Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question: AccessDecisionManager alternative? #835

Open
wirekang opened this issue Feb 4, 2023 · 3 comments
Open

Question: AccessDecisionManager alternative? #835

wirekang opened this issue Feb 4, 2023 · 3 comments
Labels
feedback required Information are missing or feedback for suggestions is requested question A question about this library or its usage

Comments

@wirekang
Copy link

wirekang commented Feb 4, 2023
edited

The context

Modern way to enable GrpcSecurityMetadataSource.

The question
This question is not directly related to this module, but related with the official document. I was following the document to implement authentication and authorization. It worked very well but AccessDecisionManager and UnanimousBased are depreacated and they told me to use AuthorizationManager instead. But it's hard to find out how to implement the new way. It would be great if you update the document with new way.

    @Bean
    fun accessDecisionManager(): AccessDecisionManager {
        return UnanimousBased(listOf(AccessPredicateVoter()))
    }

Which versions do you use?

  • Spring boot: 3.0.2
  • java: 17
@wirekang wirekang added the question A question about this library or its usage label Feb 4, 2023
@ST-DDT
Copy link
Collaborator

ST-DDT commented Feb 4, 2023
edited

I googled a bit and found this document:

https://github.com/spring-projects/spring-security/blob/177baba8c913e465d2a3cd3add5b5bc462226f4b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc#adapting-accessdecisionmanager-and-accessdecisionvoters

You also need to write a custom https://github.com/yidongnan/grpc-spring-boot-starter/blob/master/grpc-server-spring-boot-autoconfigure/src/main/java/net/devh/boot/grpc/server/security/interceptors/AuthorizationCheckingServerInterceptor.java

That basically does:
If accessdecisonvoter.hasAccess
Then return next
Else throw

Does that help you?

I currently dont have much time to write this in more detail.
If you have a working example, please post it here for others to see.

@ST-DDT ST-DDT added the feedback required Information are missing or feedback for suggestions is requested label Feb 4, 2023
@wirekang
Copy link
Author

Sorry for late response. I'm learning kotlin with spring in spare time. To solve this issue, I have to learn how spring-security works. I'll post complete working example when I can afford it.

@dsyer
Copy link
Contributor

dsyer commented Apr 3, 2023

It looks to me like the least disruptive solution to this issue would be to add a new interceptor that uses AuthorizationManager instead of AccessDecisionManager. Neither Spring Security nor Spring Boot will create beans of either type so the user can choose which is better. Once that is released we could deprecate the existing interceptor (following the pattern in Spring Security).

@dsyer dsyer mentioned this issue Apr 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feedback required Information are missing or feedback for suggestions is requested question A question about this library or its usage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dsyer @ST-DDT @wirekang