Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revisit Authorization Documentation #13088

Open
3 of 7 tasks
Tracked by #12508
jzheaux opened this issue Apr 24, 2023 · 2 comments
Open
3 of 7 tasks
Tracked by #12508

Revisit Authorization Documentation #13088

jzheaux opened this issue Apr 24, 2023 · 2 comments
Assignees

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Apr 24, 2023

  • Request Authorization (Servlet)
  • Method Authorization (Servlet)
  • Request Authorization (Reactive)
  • Method Authorization (Reactive)
  • SpEL support
  • ACLs
  • Events
@jzheaux jzheaux mentioned this issue Apr 24, 2023
11 tasks
@jzheaux jzheaux changed the title Authorization Revisit Authorization Documentation Apr 24, 2023
@jzheaux jzheaux self-assigned this May 1, 2023
jzheaux added a commit that referenced this issue May 1, 2023
@tvogel8570
Copy link

tvogel8570 commented May 31, 2023

When updating documentation on Reactive Oauth2, a diagram of the interfaces and classes would be a tremendous help. I find it hard to trace through the java files and keep the relationships between interfaces / classes for Registrations, Providers, Clients, etc straight in my head. It might be different if I was primarily a "security developer" but I'm working on features that need to use Oauth2.

An example of a diagram that I found very helpful in understanding Basic Auth is in this medium article

@jzheaux jzheaux mentioned this issue May 31, 2023
12 tasks
@bonobonohu
Copy link

bonobonohu commented Jun 6, 2023

Hey, I found several issues in the following doc:

https://github.com/spring-projects/spring-security/blob/6.1.0/docs/modules/ROOT/pages/reactive/authorization/method.adoc

  1. @bean refers to a custom component you have defined, where apply can return Boolean or Mono<Boolean> to indicate the authorization decision. A bean like that might look something like this:
    In fact, in the code above it is @func.

  2. useAuthorizationManager=true became the default behavior, so emphasizing its usage feels redundant.

  3. In Example 5. return types are "*Interceptor" while in Example 6, 7 and 8 simply "Advisor". Maybe I'm just too lame, but for me this is a bit confusing, why. (I understand, that technically these Interceptors are PointcutAdvisors which is Advisor, but still.)

  4. @Bean BeanDefinitionRegistryPostProcessor aopConfig() { return AopConfigUtils::registerAutoProxyCreatorIfNecessary; } - pasting this to my editor indicates this should not work.
    Maybe the following should be used instead (disclaimer: haven't tested yet!):
    @Bean fun aopConfig(): BeanFactoryPostProcessor = BeanFactoryPostProcessor { beanFactory -> if (beanFactory is BeanDefinitionRegistry) { AopConfigUtils.registerAutoProxyCreatorIfNecessary(beanFactory) } } (Sorry for my Kotlin!)

  5. In Example 6: PostFilterAuthorizationMethodInterceptor interceptor should be PostFilterAuthorizationReactiveMethodInterceptor, and AuthorizationInterceptorOrders should be AuthorizationInterceptorsOrder! Also I'm not sure intent was not suggesting POST_FILTER instead of POST_AUTHORIZE here, since the snippet is about postFilterAuthorization(Reactive!)MethodInterceptor.

  6. Example 8 and 10 mentions PRE_AUTHORIZE_ADVISOR_ORDER and POST_AUTHORIZE_ADVISOR_ORDER, i can see only PRE_AUTHORIZE and POST_AUTHORIZE values now: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java

  7. Maybe I'm lame again, but doc should explain better this: "Uses the simplified AuthorizationManager API instead of metadata sources, config attributes, decision managers, and voters. This simplifies reuse and customization.". The name "simplified AuthorizationManager API" suggests this simplified "AuthorizationManager API" has something with ReactiveAuthorizationManager interface - which is seemingly not the case. It's especially confusing, since this "useAuthorizationManager=true". So what kind of "AuthorizationManager" will it use - compared to "useAuthorizationManager=false" setting? Edit: I see, these Interceptors use ReactiveAuthorizationManager<MethodInvocation> authorizationManager instances, indeed. A few word on the topic explaining the concept would be welcome, still.

  8. In Example 7 there is also AuthorizationManagerBeforeMethodInterceptor and not AuthorizationManagerBeforeReactiveMethodInterceptor.

  9. Example 9: ReactiveAuthorizationManager<MethodInvocation> rule = AuthorityAuthorizationManager.isAuthenticated(); line seems wrong.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants