SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667

Closed
jzheaux opened this issue Apr 21, 2021 · 3 comments · Fixed by #11187
Labels
in: core An issue in spring-security-core type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement
@jzheaux
Contributor

jzheaux commented Apr 21, 2021

Like AuthorizationManager, it would be nice to be able to defer the lookup of Authentication in SecurityExpressionHandler.

A default createEvaluationContext method could be added:

default EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, T invocation) {
    return createEvaluationContext(authentication.get(), invocation);
}

And then DefaultXXXSecurityExpressionHandlers would be updated to defer evaluation until the authentication was inspected.

@jzheaux jzheaux added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 21, 2021
@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 26, 2021
@jzheaux jzheaux modified the milestone: 6.x Apr 26, 2021
@rwinch rwinch added this to the 5.6.x milestone Apr 28, 2021
@evgeniycheban
Contributor

@jzheaux I can take this.

@evgeniycheban
Contributor

@jzheaux I've opened the PR, please take a look.

evgeniycheban added a commit to evgeniycheban/spring-security that referenced this issue May 18, 2022
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication

Closes spring-projectsgh-9667
@jzheaux jzheaux added the type: breaks-passivity A change that breaks passivity with the previous release label May 18, 2022
@jzheaux
Contributor Author

jzheaux commented May 18, 2022

In order to accommodate changing to Supplier<Authentication> in SecurityExpressionRoot, the protected Authentication authentication member variable is changed to private Supplier<Authentication> authentication.

Classes that extend SecurityExpressionRoot and access the protected member variable should instead call getAuthentication().

jzheaux pushed a commit that referenced this issue May 18, 2022
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication

Closes gh-9667
jzheaux added a commit that referenced this issue May 23, 2022