SEC-1491: Add support for Enum in Secured Annotation #1730

Closed
spring-issuemaster opened this Issue Jun 1, 2010 · 4 comments

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-1491) said:

In an RBAC style application, with operations protected by specific "rights" rather than roles, it makes sense to define these rights using an enum. The Secured annotation should support an additional attribute which directly provides a collection of ConfigAttributes that are required, in addition to the current approach of using Strings. The Enum should implement ConfigAttribute, and also potentially GrantedAuthority, to provide efficient lookup in a custom voter which takes into account the use of an authority set (or EnumSet) to store the current user's authorities.

SecuredAnnotationSecurityMetadataSource needs to be altered to support the extra attribute on the annotation.

@spring-issuemaster

Luke Taylor said:

This isn't actually possible, since ConfigAttribute[] isn't a valid annotation member type. An annotation can use an Enum as the type, but the Enum in this case will be defined by the user.

An alternative may be to allow a custom annotation, so the user defines the annotation and Enum:

    @interface MySecurityAnnotation {
        SecurityEnum[] value();
    }

and then configures Spring Security to advise methods based on this attribute rather than the standard "@Secured".

@spring-issuemaster

Luke Taylor said:

Added a separate parametrized strategy to SecuredAnnotationSecurityMetadataSource to allow use of a custom annotation, potentially with an enum as the value.

@spring-issuemaster

Luke Taylor said:

The AnnotationMetadataExtractor strategy combined with the ability to use an external SecurityMetadataSource (which takes priority) should make it simple enough to add support for custom annotations, including those which use enum values.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
@spring-issuemaster

This issue depends on #1943
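
An added illustration of the approach the comments above settle on (not code from this issue or from Spring Security itself): a user-defined annotation carrying enum values, an AnnotationMetadataExtractor for it, and a voter that checks the caller's EnumSet of rights. The names Right, RequiresRight, RightExtractor and RightVoter are hypothetical, and requiring every listed right is an assumption of this example.

```java
import java.lang.annotation.*;
import java.util.*;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.annotation.AnnotationMetadataExtractor;
import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class EnumRightsExample {
    // Hypothetical rights; the enum is both ConfigAttribute and GrantedAuthority.
    public enum Right implements ConfigAttribute, GrantedAuthority {
        ACCOUNT_READ, ACCOUNT_CLOSE;
        public String getAttribute() { return name(); }
        public String getAuthority() { return name(); }
    }
    @Target({ElementType.METHOD, ElementType.TYPE})
    @Retention(RetentionPolicy.RUNTIME) // anything weaker is invisible to the metadata source
    public @interface RequiresRight { Right[] value(); }

    // Turns the annotation's enum values into the ConfigAttributes for the method.
    public static class RightExtractor implements AnnotationMetadataExtractor<RequiresRight> {
        public Collection<? extends ConfigAttribute> extractAttributes(RequiresRight a) {
            return Arrays.asList(a.value());
        }
    }
    // Denies if any required right is missing; abstains if no Right attribute is present.
    public static class RightVoter implements AccessDecisionVoter<Object> {
        public boolean supports(ConfigAttribute attribute) { return attribute instanceof Right; }
        public boolean supports(Class<?> clazz) { return true; }
        public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
            EnumSet<Right> held = EnumSet.noneOf(Right.class);
            for (GrantedAuthority ga : auth.getAuthorities())
                if (ga instanceof Right) held.add((Right) ga);
            boolean sawRight = false;
            for (ConfigAttribute attr : attrs) {
                if (!supports(attr)) continue;
                sawRight = true;
                if (!held.contains(attr)) return ACCESS_DENIED;
            }
            return sawRight ? ACCESS_GRANTED : ACCESS_ABSTAIN;
        }
    }
    // The metadata source resolves RequiresRight from the extractor's type argument.
    public static SecuredAnnotationSecurityMetadataSource metadataSource() {
        return new SecuredAnnotationSecurityMetadataSource(new RightExtractor());
    }
}
```

Because the voter abstains when no Right attribute is present, the AccessDecisionManager it is registered with should not be set to allow access when all voters abstain.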
