Method Security Templates Do Not Use Deep Non-Aliased Attributes #16498

Open
rwinch opened this issue Jan 28, 2025 · 0 comments
Labels
in: core An issue in spring-security-core type: bug A general bug

Comments

rwinch commented Jan 28, 2025

Method Security expressions that use templates do not use deep non-aliased attributes. A complete sample can be found in my sample repository, but is highlighted below:

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
// import org.springframework.core.annotation.AliasFor;

// Permission evaluator referenced from the expression template as "@authz"
@Service
public class Authz {
	public boolean hasPermission(Authentication authentication, Object object, String permission) {
		return true;
	}
}

// First meta-annotation: carries the @PreAuthorize template with {object} and {permission} placeholders
@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@PreAuthorize("@authz.hasPermission(authentication, {object}, {permission})")
public @interface HasPermission {

	String object();

	String permission();
}

// Second meta-annotation: fills {permission} and introduces a new {value} placeholder for {object}
@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD})
@HasPermission(object = "{value}", permission = "'read'")
public @interface HasReadPermission {
	// If the alias is used, then Spring Security does work. However, there may be templates
	// where a new variable is introduced and thus there is nothing to alias.
	//	@AliasFor(annotation = HasPermission.class, value = "object")
	String value();
}

// Usage site: {value} should become #name
@Service
public class MessageService {

	@HasReadPermission("#name")
	String sayHello(String name) {
		return "Hello " + name;
	}
}
```

This will produce the error `Failed to evaluate expression '@authz.hasPermission(authentication, {value}, 'read')'`.

I'd expect the expression to replace `{value}` with `#name`.
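An added example, not part of the issue and not Spring Security's code: a small Python model of how the template placeholders flow through the meta-annotation chain in the sample above. The attribute values are taken from the sample; the substitution logic is an assumption about the intended semantics, written to make the difference between a one-level and a deep expansion visible. The shallow expansion reproduces the expression in the reported error, with `{value}` left in place; the deep expansion produces the result the issue expects.

```python
from __future__ import annotations

import re

# Constructed model of @PreAuthorize template expansion across a chain of
# meta-annotations. Illustration only, not Spring Security's implementation.

PLACEHOLDER = re.compile(r"\{(\w+)\}")

# The chain from the issue, outermost layer first (values copied from the sample):
#   @PreAuthorize template declared on HasPermission
#   @HasPermission(object = "{value}", permission = "'read'") on HasReadPermission
#   @HasReadPermission("#name") on MessageService.sayHello
TEMPLATE = "@authz.hasPermission(authentication, {object}, {permission})"
LAYERS = [
    {"object": "{value}", "permission": "'read'"},  # attributes given to @HasPermission
    {"value": "#name"},                             # attributes given to @HasReadPermission
]


def substitute(expr: str, attrs: dict[str, str]) -> str:
    """Replace each {name} with attrs[name]. A placeholder with no attribute
    at this layer is left untouched so a deeper layer can still fill it."""
    return PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), m.group(0)), expr)


def expand_shallow(template: str, layers: list[dict[str, str]]) -> str:
    """Apply only the attributes of the annotation that directly carries
    @PreAuthorize. This is the behaviour the issue reports."""
    return substitute(template, layers[0]) if layers else template


def expand_deep(template: str, layers: list[dict[str, str]]) -> str:
    """Apply every layer in turn, so a placeholder introduced by one
    meta-annotation is filled by the attributes of the next one down."""
    expr = template
    for attrs in layers:
        expr = substitute(expr, attrs)
    return expr


def unresolved(expr: str) -> list[str]:
    """Placeholders still present after expansion. Anything left over is not
    valid SpEL, which is why evaluation of the shallow result fails."""
    return PLACEHOLDER.findall(expr)


if __name__ == "__main__":
    shallow = expand_shallow(TEMPLATE, LAYERS)
    deep = expand_deep(TEMPLATE, LAYERS)
    print("shallow:", shallow, "unresolved:", unresolved(shallow))
    print("deep:   ", deep, "unresolved:", unresolved(deep))
```

In this model the commented-out `@AliasFor` in the sample amounts to merging `value` into `object` at the first layer, which is why the aliased variant already works; a placeholder that the intermediate annotation introduces fresh has no attribute to alias to and is only reachable by walking the deeper layer.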

@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 28, 2025
@jzheaux jzheaux self-assigned this Jan 29, 2025
@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 29, 2025