Skip to content

Add AuthorizationManagerFactory #17673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 9, 2025
Merged

Add AuthorizationManagerFactory #17673

merged 1 commit into from
Sep 9, 2025

Conversation

sjohnr
Copy link
Contributor

@sjohnr sjohnr commented Aug 8, 2025
edited
Loading

Closes gh-17585

@sjohnr sjohnr mentioned this pull request Aug 8, 2025
Closed
@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch 4 times, most recently from 4ef91a4 to 1de115e Compare August 13, 2025 15:49
rwinch
rwinch requested changes Aug 14, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @sjohnr! I've provided feedback inline.

@sjohnr
Copy link
Contributor Author

sjohnr commented Aug 19, 2025

@rwinch Thanks for the review! Changing the generic type of MessageSecurityExpressionRoot to Message<T> is a breaking change. Please confirm if that's something we want to do here and I will work on this and the other changes from your review.

@rwinch
Copy link
Member

rwinch commented Aug 19, 2025
edited
Loading

@sjohnr

@rwinch Thanks for the review! Changing the generic type of MessageSecurityExpressionRoot to Message<T> is a breaking change. Please confirm if that's something we want to do here and I will work on this and the other changes from your review.

I think that this can work if we update the constructor too. For example:

public class MessageSecurityExpressionRoot<T> extends SecurityExpressionRoot {

	public final Message<T> message;

	public MessageSecurityExpressionRoot(Authentication authentication, Message<T> message) {
	  ...
	public MessageSecurityExpressionRoot(Supplier<Authentication> authentication, Message<T> message) {
	  ...

Then this will compile:

Message<?> message = ...
MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot<>(authentication, message);

@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch from 1de115e to 5fb6f37 Compare August 20, 2025 14:50
@sjohnr
Copy link
Contributor Author

sjohnr commented Aug 20, 2025

@rwinch I've working through the changes and it's looking really good. The only thing I'm noticing is that a few packages are missing nullability defaults.

  • org.springframework.security.web.access.expression has a package-info.java but no @NullMarked. Is this intended or perhaps it should be addressed separately?
  • org.springframework.security.messaging.access.expression is missing package-info.java along with all the other packages in spring-security-messaging.

As it stands now, classes in these packages show as having inconsistent nullability. These show up as IntelliJ inspections for me, similar to our conversation a few weeks ago. I think adding @NullMarked at the package level will address this, but if omitting that was intentional, let me know. I've added @NullMarked at the class level to show where these issues are but I will revert that after you review.

@sjohnr sjohnr requested a review from rwinch August 20, 2025 15:04
@sjohnr sjohnr marked this pull request as ready for review August 20, 2025 17:58
@rwinch rwinch mentioned this pull request Aug 20, 2025
Open
rwinch
rwinch requested changes Aug 20, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking great @sjohnr!

I think we are very close 😄 I provided a few minor comments inline.

Now that we are almost done, please also add documentation (using include-code).

After those are addressed, I think we will be ready to merge!

@rwinch
Copy link
Member

rwinch commented Aug 20, 2025

We've only added nullability for crypto and core so feel free to leave as is. We'll get the rest of the module in a different ticket commit.

This was referenced Aug 20, 2025
Open
Open
@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch from 5fb6f37 to d8d5eb7 Compare August 26, 2025 15:32
@rwinch rwinch force-pushed the gh-17585-authorization-manager-factory branch 2 times, most recently from 0e4933a to d8d5eb7 Compare August 29, 2025 14:55
@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch from d8d5eb7 to 0e4933a Compare September 2, 2025 02:10
@rwinch rwinch force-pushed the gh-17585-authorization-manager-factory branch 2 times, most recently from 23d776d to 913c7e8 Compare September 5, 2025 03:06
@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch 2 times, most recently from 0a9448b to 06e5a21 Compare September 9, 2025 15:12
sjohnr
sjohnr commented Sep 9, 2025
View reviewed changes
Copy link
Contributor Author

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rwinch I've added documentation, code examples with include-code, and tests. I've also added two additional notes for your review below. Aside from the note below, I believe this PR is ready to merge.

I will also be creating a GH issue for the Kotlin authorizeHttpRequests DSL, which doesn't currently support using the new AuthorizationManagerFactory. I doubt I'll have time to work on that change though (if needed for 7.0).

@sjohnr sjohnr mentioned this pull request Sep 9, 2025
Closed
@rwinch
Copy link
Member

rwinch commented Sep 9, 2025

@sjohnr Thanks for the PR. Overall, I think that we are ready to merge after you address my two replies to your comments.

I will also be creating a GH issue for the Kotlin authorizeHttpRequests DSL, which doesn't currently support using the new AuthorizationManagerFactory. I doubt I'll have time to work on that change though (if needed for 7.0).

Thanks for the heads up. We will ensure that this gets taken care of.

rwinch
rwinch requested changes Sep 9, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've provided feedback inline. Can you please include a link in the whats-new.adoc as well?

@sjohnr
Add AuthorizationManagerFactory
90a29ce 
Signed-off-by: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com>
@sjohnr sjohnr force-pushed the gh-17585-authorization-manager-factory branch from 06e5a21 to 90a29ce Compare September 9, 2025 20:21
@rwinch rwinch self-assigned this Sep 9, 2025
@rwinch rwinch added in: core An issue in spring-security-core type: enhancement A general enhancement labels Sep 9, 2025
@rwinch rwinch added this to the 7.0.0-M3 milestone Sep 9, 2025
rwinch
rwinch approved these changes Sep 9, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome work @sjohnr! This is ready for merge

@rwinch rwinch merged commit eeb4574 into spring-projects:main Sep 9, 2025
6 checks passed
@sjohnr sjohnr deleted the gh-17585-authorization-manager-factory branch September 15, 2025 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch approved these changes

Assignees

@rwinch rwinch

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
7.0.0-M3
Development

Successfully merging this pull request may close these issues.

Add AuthorizationManagerFactory
2 participants
@sjohnr @rwinch