Expose mapped handler as an exchange attribute [SPR-15564] #20123
Comments
|
Rossen Stoyanchev commented Jon Schneider would exposing the This fits with what we provide. Currently |
|
Jon Schneider commented I see that |
|
Rossen Stoyanchev commented Sorry for taking so long. There is now a |
|
Igal commented I see that this issue was done and from the above comments i understand that BEST_MATCHING_HANDLER_ATTRIBUTE will be available in the WebFilters. but that code occurs after the webfilter were performed? |
|
Igal commented
|
|
Rossen Stoyanchev commented
In this case "after" is ambiguous because the request is handled asynchronously. If you mean after the filter chain returns, this is expected. Most likely you need to use one of the operators on |
|
Igal commented Just to be sure my question is clear: Im writing a Security filter, which will be used if the user is authorized to access the api method: @Override
public Mono<Void> filter(final ServerWebExchange exchange, final WebFilterChain chain) {
HandlerMethod handlerMethod = exchange.getAttribute(HandlerMapping.BEST_MATCHING_HANDLER_ATTRIBUTE);
// Make some authorization check on the handlerMethod and decide whether to continue or throw exception if not authorized
return chain.filter(exchange);
}The problem is that HandlerMethod value is null in that point. the code which populates that attribute occurs after all web filters are already executed. Thanks |
|
Doron Gold commented To clarify Igal's point: We are trying to use this feature for authorization. Currently we use aop with custom annotations, but we prefer to use a WebFilter. |
|
Rossen Stoyanchev commented Okay I see. That is before rather than after... Well, in that case the attribute can't help much. It simply reflects what handler was chosen after the fact. In other words there is no way to know how the request will be mapped before the mapping takes place. I believe Spring Security has a work in progress on method-based security that Rob Winch would be able to say more about what's coming. I presume you also have URL-based security and this is in addition? |
|
Doron Gold commented We don't have URL-based security. Therefore we chose to use annotations. We are currently using a custom We were hoping that this feature would allow us to replace our AOP Aspect with a WebFilter that does the same: runs authorization logic that based on a custom annotation on the handler method, decides if it is allowed to be called. Since this feature allows for getting the handler method only after it has been invoked, we will stay with AOP. We are following the Spring Security project to see when annotation based security is implemented. Thanks! |
|
Doron Gold commented Just to clarify, Spring Security does provide annotation base security with its |
|
Rob Winch commented Doron Gold This thread is quite old, but I wanted to ensure you (and others reading) were aware that reactive method security is provided in Spring Security 5.0.0.RELEASE which is available in Maven central. See https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-erms |
spring-projects-issues
added
type: enhancement
Jon Schneider opened SPR-15564 and commented
For Spring Metrics, Spring Cloud Sleuth, and possible security, there is a need for a corollary to the
HandlerMethodconcept from webmvc.If we can somehow retrieve the
HandlerMethodfrom aWebFilter, it should be sufficient.As long as there is a way to register a
WebFilterglobally for all annotation-based Webflux request mappings, there will be no need for aHandlerInterceptorcorollary.Affects: 5.0 RC1
Referenced from: commits 67330df
1 votes, 6 watchers
The text was updated successfully, but these errors were encountered: