Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate @EnableGlobalMethodSecurity usage #5341

Closed
jzheaux opened this issue May 11, 2018 · 0 comments
Closed

Validate @EnableGlobalMethodSecurity usage #5341

jzheaux opened this issue May 11, 2018 · 0 comments
Labels
type: enhancement A general enhancement
Milestone
5.1.0

Comments

@jzheaux
Copy link
Contributor

jzheaux commented May 11, 2018

Summary

It is possible and even easy to accidentally misconfigure @EnableGlobalMethodSecurity to actually do nothing, e.g.

@EnableGlobalMethodSecurity

The above will not secure any methods because none of prePostEnabled, securedEnabled, or jsr250Enabled is set to true, e.g.

@EnableGlobalMethodSecurity(prePostEnabled=true)

Because Spring Security supports multiple @EnableGlobalMethodSecurity annotations, these need to continue to default to false.

But we could add validation at runtime that would warn that in the composition of all global method configuration, no annotation support was actually activated.
@jzheaux jzheaux added the type: enhancement A general enhancement label May 11, 2018
@ayudovin ayudovin mentioned this issue Jul 24, 2018
Closed
@jzheaux jzheaux added this to the 5.1.0 milestone Sep 18, 2018
jzheaux pushed a commit to jzheaux/spring-security that referenced this issue Sep 18, 2018
@jzheaux
Validate @EnableGlobalMethodSecurity usage
7ca97a7 
Fixes: spring-projectsgh-5341
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 18, 2018
@jzheaux
EnableGlobalMethodSecurity Misconfiguration Check
8d95815 
This polishes the EnableGlobalMethodSecurity misconfiguration check to
not error if the user has specified a custom method security metadata
source.

Issue: spring-projectsgh-5341
@jzheaux jzheaux added this to jzheaux in Security Team Sep 20, 2018
@jzheaux jzheaux moved this from jzheaux to In Progress in Security Team Sep 20, 2018
jzheaux added a commit that referenced this issue Sep 20, 2018
@jzheaux
EnableGlobalMethodSecurity Misconfiguration Check
73c1abb 
This polishes the EnableGlobalMethodSecurity misconfiguration check to
not error if the user has specified a custom method security metadata
source.

Issue: gh-5341
@jzheaux jzheaux removed this from In Progress in Security Team Sep 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
5.1.0
Development

No branches or pull requests
1 participant
@jzheaux