Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: improve documentation about SensitiveEndpointRule replacement #619

Merged
merged 2 commits into from
Apr 12, 2021
Merged

docs: improve documentation about SensitiveEndpointRule replacement #619

merged 2 commits into from
Apr 12, 2021

Conversation

sdelamo
Copy link
Contributor

@sdelamo sdelamo commented Apr 12, 2021

close: #606
close: #589

@oscarcitoz this PR refactors SensitiveEndpointRule to ease replacement. Moreover, it documents how to restrict management endpoints for a particular role.

@sdelamo sdelamo added the type: improvement A minor improvement to an existing feature label Apr 12, 2021
@sdelamo sdelamo added this to the 2.5.0 milestone Apr 12, 2021
@sdelamo sdelamo requested a review from ilopmar April 12, 2021 03:21
@sdelamo sdelamo mentioned this pull request Apr 12, 2021
Closed
oscarcitoz
oscarcitoz approved these changes Apr 12, 2021
View reviewed changes
Copy link

@oscarcitoz oscarcitoz left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved, it hurts that it could not be done with my PR because I did it so that it was not necessary to create a new class to specify the role but from configurations (from applicaiton.yml). anyway thank you very much

ilopmar
ilopmar reviewed Apr 12, 2021
View reviewed changes
security/src/main/java/io/micronaut/security/rules/SensitiveEndpointRule.java
Comment on lines +105 to +113
Boolean sensitive = endpointMethods.get(method);
if (sensitive) {
if (claims == null) {
return checkSensitiveAnonymous(request, method);
}
return checkSensitiveAuthenticated(request, claims, method);
}
return checkNotSensitive(request, claims, method);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this is the best way to encapsulate everything calling the threes protected methods from here. All three methods are the same in the sense that they log a message and return the appropriate SecurityRuleResult but they don't check any condition. Everything is decided in this method.
Did you create those three methods in other for users to be able to override them without override this one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, three protected methods makes easier the replacement. See example, in the tests which I show in the docs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@sdelamo sdelamo requested a review from ilopmar April 12, 2021 10:21
@sdelamo
Copy link
Contributor Author

sdelamo commented Apr 12, 2021

thanks @oscarcitoz for pointing us to improving this part of the security module. Really valuable feedback.

@sdelamo sdelamo modified the milestones: 2.5.0, 2.4.1 Apr 12, 2021
@sdelamo sdelamo merged commit 14497fe into master Apr 12, 2021
@sdelamo sdelamo deleted the issue-606 branch April 12, 2021 17:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilopmar ilopmar ilopmar approved these changes

@oscarcitoz oscarcitoz oscarcitoz approved these changes

Assignees
No one assigned
Labels
type: improvement A minor improvement to an existing feature
Projects
None yet
Milestone
2.4.1
Development

Successfully merging this pull request may close these issues.

Security endpoints sentitive by roles
3 participants
@sdelamo @ilopmar @oscarcitoz