[SECOAUTH-285] Security expression handler should only throw exception at the end of the decision (if that's possible)

[dsyer]

Priority: Major
Original Assignee: Rob Winch
Reporter: Dave Syer
Created At: Tue, 12 Jun 2012 10:12:20 +0100
Last Updated on Jira: Fri, 12 Apr 2013 09:16:13 +0100

Security expression handler should only throw exception at the end of the decision (if that's possible). The current implementation is OK for simple use cases where there is only one or multiple expressions combined with AND, but with OR, you don't want one branch of the condition to throw an exception without the other having a chance to be evaluated.

Comments:

david_syer on Tue, 12 Jun 2012 15:47:06 +0100

Done: revised exception handling in expression handlers

• Using a shared expression root for the oauth bits makes sense
• Need to use ThreadLocal (boo) to work around a limitation of
  SpEL
• Added special wrapper method oauthSufficientScope(...) to be
  used where complex expressions might test for invalid scopes
  but eventually still result in a positive access decision

rwinch on Fri, 15 Jun 2012 14:52:29 +0100

Instead we will leverage SEC-1971. This avoids the ThreadLocal which causes a memory leak in the application.

david_syer on Fri, 15 Jun 2012 17:28:12 +0100

An interim solution until SEC-1971 is resolved and the new Spring Security is released is to set throwExceptionOnInvalidScope=false in the expression handler, and then use #oauth2.sufficientScope() to wrap all the expressions. Maybe we can even get something that works with both versions of Spring Security if we retain that flag?

rwinch on Fri, 15 Jun 2012 19:23:56 +0100

Pull request #41