-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Spring Security's @Secured #5225
Conversation
@aureamunoz quick question, I haven't looked at the implementation: does it support the EL Spring Security has (things such as |
BTW, I should have started by that: it's an exciting new addition. |
Nice work! To answer your question @gsmet, the stuff you describe I am pretty sure is covered by Spring's |
Suggestion: I don't know if it's possible, but it would be nice to have security configuration support.
|
@netodevel we aren't planning to support that style of configuration at this time. That doesn't mean that we won't in the future, but just that it's not in the immediate plans. |
@geoand, |
You are welcome! |
@michalszynkiewicz @aureamunoz what is the status of #5074? Is there anything I can do to help? |
@geoand imo done, Stuart asked if I can use index instead of looping throug all classes but AFAIK I can't |
Which part of your PR is the code in question @michalszynkiewicz ? I can take a look on Monday if you like |
I'll be looking at #5074 today |
@michalszynkiewicz Nice work! I was thinking of implementing this in a slightly different manner however. The basic premise that I have in mind is that methods need to be "mapped" to a There are probably a few mechanics involved to make this work properly but I will start from your PR and build on it to incorporate the solution I have in mind which I think should turn out to be simpler and avoid the need to go over all classes in the index. |
I'm going to try to come up with a way to do this that will also allow for the types of SecurityChecks that will be needed for Spring's |
This is done by allowing the registration of arbitrary SecurityCheck implementations. Furthermore the use of the AnnotationStore is hidden so as to not give the impression that it's a feature that magically makes security annotations work This change paves the way for quarkusio#5225 and more related improvements in the future
f60a495
to
6a2b5f7
Compare
I just updated the PR to align with the changes made in the core Quarkus security |
One thing that is missing is an integration test that will ensure this works in native mode |
@geoand maybe add it to the |
@michalszynkiewicz we don't want to add Spring Security to the main module because that one should not depend on any Spring things. |
@geoand if you ask me, we should have native tests for all the stuff. OTOH, the native test modules are really costly. |
We do have a Spring Web integration test module so I propose @aureamunoz add them there |
Yes, of course. It's what I'm doing, sorry for not saying nothing until now 😏 |
This is done by allowing the registration of arbitrary SecurityCheck implementations. Furthermore the use of the AnnotationStore is hidden so as to not give the impression that it's a feature that magically makes security annotations work This change paves the way for quarkusio#5225 and more related improvements in the future
6a2b5f7
to
5c90300
Compare
@aureamunoz can you please squash the second commit? |
import org.jboss.jandex.MethodInfo; | ||
import org.springframework.security.access.annotation.Secured; | ||
|
||
public class SpringSecurityTransformerUtils { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this class needed? I don't think it's used, correct?
...ployment/src/test/java/io/quarkus/spring/security/deployment/SpringSecuredAnnotatedTest.java
Show resolved
Hide resolved
5c90300
to
e5ac403
Compare
Co-authored-by: geoand <geoand@gmail.com>
760f6ad
to
6e7f5e3
Compare
Haven't checked the logic itself but the things I noted were addressed.
It wouldn't hurt to have a test for the newly added check but that's not a big issue. |
There is one test, indeed there could have been more :) |
Thanks for all the work @aureamunoz and for all the support @michalszynkiewicz ! |
👍 good job!
sorry, I missed that. |
No worries! |
This is done by allowing the registration of arbitrary SecurityCheck implementations. Furthermore the use of the AnnotationStore is hidden so as to not give the impression that it's a feature that magically makes security annotations work This change paves the way for quarkusio#5225 and more related improvements in the future
This is done by allowing the registration of arbitrary SecurityCheck implementations. Furthermore the use of the AnnotationStore is hidden so as to not give the impression that it's a feature that magically makes security annotations work This change paves the way for quarkusio#5225 and more related improvements in the future
This is done by allowing the registration of arbitrary SecurityCheck implementations. Furthermore the use of the AnnotationStore is hidden so as to not give the impression that it's a feature that magically makes security annotations work This change paves the way for quarkusio#5225 and more related improvements in the future
This PR contains a new extension
spring-security
implementing@Secured
annotation.It's based on #5074 and is a draft.
I let you, @geoand and @michalszynkiewicz , take a look and forward to others if needed.
Thank you