SEC-2332: GlobalMethodSecurityConfiguration does not configure the proper voters #2535
I could be missing something obvious here, and if so, please forgive me and skip to the bottom of this description.
First, it always configures a
Second, it never adds a
It also never adds a
I believe it should be adding other voters (but, again, only when necessary) to fully complete the voting system and make it match the configuration.
Rob Winch said:
You are correct. This has been fixed.
You are correct. This got past the tests because there was only a test for verifying if
The HttpServletRequest is not available on method invocations so this does not make sense.
AclEntryVoter would be used by your PermissionEvaluator (i.e. AclPermissionEvaluator) so it doesn't make sense to include this as a voter.
RoleHierarchyVoter is not added with the namespace either.
I'm not very keen on adding another method as this starts to make GlobalMethodSecurityConfiguration too granular. There is a very easy way to do this by overriding the accessDecisionManager method already. Yes, it does involve some code, but at this time this sort of customization is relatively rare. I'd prefer not to make GlobalMethodSecurityConfiguration too complex. If you really disagree, feel free to create an enhancement request and we will see how much traction it gets. At that point I can re-evaluate the request.
Nick Williams said:
Duh. What was I thinking? :-)
I'm a little confused about these two. First,
So if the namespace configures neither of these voters, then how can they ever get configured? Once an
I'll consider filing an enhancement request and submitting a pull request. Don't know yet how much it's worth to me. :-)
Rob Winch said:
You are correct. What I meant to type was that most people (or at least should) tend to use the AclPermissionEvaluator. So if they need Acl support they would configure this and not need the AclEntryVoter.
Yes. Keep in mind adding every bell and whistle to Java Configuration support will make Java Configuration support just as difficult as using standard @Bean so we must consider this carefully before adding it.
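
The thread points to overriding `accessDecisionManager` as the way to get voters such as `RoleHierarchyVoter` that `GlobalMethodSecurityConfiguration` does not add by default. The following is an added example of that override, not code from the thread or from the Spring Security project; it assumes the Spring Security 4.x/5.x API, and the class name `HierarchicalMethodSecurityConfig` and the role names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

// Hypothetical configuration class: enables @Secured and replaces the default
// voter list with one that understands a role hierarchy.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class HierarchicalMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected AccessDecisionManager accessDecisionManager() {
        // Constructed sample hierarchy: ROLE_ADMIN implies ROLE_USER.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");

        List<AccessDecisionVoter<? extends Object>> voters =
                new ArrayList<AccessDecisionVoter<? extends Object>>();

        // RoleHierarchyVoter extends RoleVoter, so it stands in for the plain
        // RoleVoter and additionally grants access through implied roles.
        voters.add(new RoleHierarchyVoter(hierarchy));

        // Handles IS_AUTHENTICATED_FULLY / _REMEMBERED / _ANONYMOUSLY attributes.
        voters.add(new AuthenticatedVoter());

        // AffirmativeBased grants access as soon as any one voter grants it,
        // so every voter added here widens who can call a secured method.
        return new AffirmativeBased(voters);
    }
}
```

Because this override replaces the whole voter list, enabling `prePostEnabled` or `jsr250Enabled` later has no effect unless the matching voters are added here as well. Role checks written as `@PreAuthorize` expressions do not consult this voter; they read the hierarchy from the method security expression handler instead.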