RequestMatcherDelegatingAuthorizationManager should deny when no match #11958

Closed
Tracked by #10945
rwinch opened this issue Oct 5, 2022 · 2 comments
Labels: in: web (An issue in web modules (web, webmvc)); type: breaks-passivity (A change that breaks passivity with the previous release)

rwinch (Member) commented Oct 5, 2022

In Spring Security 5, the default AuthorizationManager for RequestMatcherDelegatingAuthorizationManager abstains.

This default should be changed to instead deny.

As part of this commit, AuthorizationFilterParser should no longer add an any-matcher authenticated to the user's configuration.
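
An added example, not part of the issue or of Spring Security's own code, showing the behavior under discussion: it evaluates one mapped and one unmatched path against the manager, with and without an explicit catch-all deny rule. It assumes Spring Security 5.8 or 6.x with spring-test on the classpath; the class name, paths and user are constructed for illustration.

```java
import java.util.function.Supplier;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

public class UnmatchedRequestCheck {

    // A null decision is how the manager reports "abstain".
    static String describe(AuthorizationDecision decision) {
        if (decision == null) {
            return "ABSTAIN";
        }
        return decision.isGranted() ? "GRANT" : "DENY";
    }

    // Builds a manager that maps only /api/**; the catch-all deny rule is optional.
    static RequestMatcherDelegatingAuthorizationManager rules(boolean explicitDenyAll) {
        RequestMatcherDelegatingAuthorizationManager.Builder builder =
                RequestMatcherDelegatingAuthorizationManager.builder()
                        .add(request -> request.getRequestURI().startsWith("/api/"),
                                AuthenticatedAuthorizationManager.authenticated());
        if (explicitDenyAll) {
            // Explicit last rule: anything not mapped above is denied.
            builder.add(AnyRequestMatcher.INSTANCE,
                    (authentication, context) -> new AuthorizationDecision(false));
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed inputs: an authenticated user and two sample paths.
        Supplier<Authentication> user =
                () -> new TestingAuthenticationToken("user", "n/a", "ROLE_USER");
        for (String path : new String[] { "/api/orders", "/internal/metrics" }) {
            MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
            System.out.println(path
                    + " | mapped rules only: " + describe(rules(false).check(user, request))
                    + " | with catch-all deny: " + describe(rules(true).check(user, request)));
        }
    }
}
```

For the unmatched path, the "mapped rules only" column reflects the default of the version on the classpath (abstain in Spring Security 5, deny once the change described here is in place), while the catch-all column is a deny either way.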

jgrandja (Contributor) commented Oct 6, 2022

@rwinch This appears to be a duplicate of gh-11963?

jzheaux changed the title from "Add default AuthorizationDecision property for RequestMatcherDelegatingAuthorizationManager" to "RequestMatcherDelegatingAuthorizationManager default AuthorizationManager should deny" on Oct 6, 2022
jzheaux modified the milestones: 5.8.0-RC1, 6.0.0-RC1 on Oct 6, 2022
jgrandja changed the title from "RequestMatcherDelegatingAuthorizationManager default AuthorizationManager should deny" to "RequestMatcherDelegatingAuthorizationManager should deny by default when no match" on Oct 13, 2022
jgrandja added the labels "in: web" and "type: breaks-passivity" on Oct 13, 2022
jgrandja changed the title from "RequestMatcherDelegatingAuthorizationManager should deny by default when no match" to "RequestMatcherDelegatingAuthorizationManager should deny when no match" on Oct 13, 2022
jgrandja added a commit to spring-projects/spring-security-samples that referenced this issue on Oct 14, 2022

biergit commented Nov 1, 2022

Hi, I think this issue should be documented as a breaking change?
Edit: Just saw that it has the label "breaks-passivity" but it doesn't show up in the documentation.
