You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
RunAsManager can add to or change the existing authentication for the duration of a message, a request, or a method call.
It overloads the authority string to include instructions to Spring Security as to what authorities to temporarily grant. It is primarily designed to work with the @Secured annotation and with the access XML attribute when not using expressions.
As a first step to supporting this with the authorization manager API, we should:
Improve AuthorizationFilterParser to support use-expressions="false"
Improve AuthorizationFilterParser to adapt the Supplier<Authentication> for RUN_AS attributes
Improve @Secured method handling to adapt the Supplier<Authentication> for RUN_AS attributes
UPDATE: Let's wait on these subtasks. This isn't the way that we want to do impersonation and privilege escalation going forward, and so I don't really want to support a legacy way in a new API. I'll leave this ticket open for investigating what this support should look like going forward.
It's worth considering whether a new contract is needed like Supplier<Authentication> adapt(Supplier<Authentication> authentication, T context) that can be supplied to alter how the adaptation is performed.
The text was updated successfully, but these errors were encountered:
Sorry I wasn't clear when we met what I was looking for. Let's leave this on 5.8.s as you had very valid reasons for us needing to include it. Specifically we will be deprecating the old RunAsManager behavior without a replacement for users to migrate to before moving to Security 6.0. This fits into our theme of deprecations for 5.x and ensuring we provide a way to opt into their replacements before 6.0x to ease migrations.
RunAsManager
can add to or change the existing authentication for the duration of a message, a request, or a method call.It overloads the authority string to include instructions to Spring Security as to what authorities to temporarily grant. It is primarily designed to work with the
@Secured
annotation and with theaccess
XML attribute when not using expressions.As a first step to supporting this with the authorization manager API, we should:
ImproveAuthorizationFilterParser
to supportuse-expressions="false"
ImproveAuthorizationFilterParser
to adapt theSupplier<Authentication>
forRUN_AS
attributesImprove@Secured
method handling to adapt theSupplier<Authentication>
forRUN_AS
attributesUPDATE: Let's wait on these subtasks. This isn't the way that we want to do impersonation and privilege escalation going forward, and so I don't really want to support a legacy way in a new API. I'll leave this ticket open for investigating what this support should look like going forward.
It's worth considering whether a new contract is needed like
Supplier<Authentication> adapt(Supplier<Authentication> authentication, T context)
that can be supplied to alter how the adaptation is performed.The text was updated successfully, but these errors were encountered: