Suggestion: some reflection based method of supplying HttpSecurity #4038

Open
xenoterracide opened this issue Aug 23, 2016 · 1 comment
Labels
status: waiting-for-triage An issue we've not yet triaged

xenoterracide commented Aug 23, 2016

Feature Request

So I have this:

```java
public interface UserRepository extends PagingAndSortingRepository<User, Long> {
}

protected void configure( final HttpSecurity http ) throws Exception {
    http.authorizeRequests()
            .mvcMatchers( HttpMethod.OPTIONS ).permitAll()
            .mvcMatchers( HttpMethod.GET, "/health" ).permitAll()
            .mvcMatchers( HttpMethod.POST, "/users" ).permitAll()
            .mvcMatchers( "/profile/**" ).permitAll()
```

And it works fine... well, actually I broke it when I set this, which is sort of the crux of my problem: I changed a path and it broke my security.

```java
@Configuration
class RestConfig extends RepositoryRestConfigurerAdapter {

    @Override
    public void configureRepositoryRestConfiguration( final RepositoryRestConfiguration config ) {
        config.setBasePath( "/v0" );
```

But I think it would be cool if we could define security like this:

```java
.interfaceMatchers( HttpMethod.POST, UserRepository.class )
```

Or, if I had an MVC controller:

```java
@Controller
@RequestMapping( "files" )
class FilesController {
    @RequestMapping( method = RequestMethod.GET, value = "/{filename:.+}" )
    public ResponseEntity<?> getFile( @PathVariable final String filename ) throws IOException, MimeTypeException {
        Path path = root.resolve( filename );
        return this.getFile( path );
```

maybe

```java
.controllerMatchers( HttpMethod.GET, FilesController.class, "/{filename:.+}" )
```

Or, as another alternative, we could have the following annotation-based approach (maybe this is the best way?):

```java
.authorizeRequests()
     .annotationBased() // scan classpath
     ...
     .denyAll()         // deny by default, anything not configured by an annotation is not allowed or maybe allow authenticated or other such by default here...
     ... cors()...etc
```

```java
public interface UserRepository extends PagingAndSortingRepository<User, Long> {

    @HttpSecurity( method = HttpMethod.POST, permitAll = true )
    @Override
    ... save(...);
}
```

And a controller example:

```java
@Controller
@RequestMapping( "files" )
class FilesController {

    @HttpSecurity( authenticated = true )
    @RequestMapping( method = RequestMethod.GET, value = "/{filename:.+}" )
    public ResponseEntity<?> getFile( @PathVariable final String filename ) throws IOException, MimeTypeException {
        Path path = root.resolve( filename );
        return this.getFile( path );
```

Or maybe there's a better idea/API for ensuring that if I update some parent route, all of the security doesn't need to be re-audited. Also, prepending /v0/, as in `.mvcMatchers( HttpMethod.POST, "/v0/users" ).permitAll()`, seems like it might get a bit tedious.

@xenoterracide xenoterracide changed the title some reflection based method of supply HttpSecurity Suggestion: some reflection based method of supplying HttpSecurity Aug 23, 2016
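
One way to keep the matchers from the opening post in step with the Spring Data REST base path, as an added example (not code from the issue or from Spring Security): the security configuration reads the base path from the `RepositoryRestConfiguration` bean instead of repeating it, and ends with a fail-closed default. The class name `SecurityConfig`, the helper `rest(...)`, and the placement of `/health` outside and `/profile/**` inside the base path are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; follows the configure(HttpSecurity) style used in the issue.
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The same configuration object that RestConfig customises with setBasePath( "/v0" ).
    @Autowired
    private RepositoryRestConfiguration restConfig;

    // Hypothetical helper: prefixes a repository path with the configured base path,
    // so a change in RestConfig is picked up here without editing any matcher.
    private String rest( final String path ) {
        return restConfig.getBasePath().toString() + path;
    }

    @Override
    protected void configure( final HttpSecurity http ) throws Exception {
        http.authorizeRequests()
                // antMatchers(HttpMethod) matches every path for that method.
                .antMatchers( HttpMethod.OPTIONS ).permitAll()
                // Assumption: /health is not a Spring Data REST resource, so it is not prefixed.
                .mvcMatchers( HttpMethod.GET, "/health" ).permitAll()
                .mvcMatchers( HttpMethod.POST, rest( "/users" ) ).permitAll()
                // Assumption: /profile/** is exported under the base path.
                .mvcMatchers( rest( "/profile/**" ) ).permitAll()
                // Fail closed: a route that no longer matches its rule requires
                // authentication instead of being left without a decision.
                .anyRequest().authenticated();
    }
}
```

The closing `anyRequest().authenticated()` rule means a path change that is missed shows up as a rejected request rather than as an endpoint that is open by accident.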
@xenoterracide
Author

Further reflection on this idea suggests that the annotation-based method would be the best; not sure if the API I'm showing is the best one.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019