On Abstain Access Should be Denied #10945

rwinch · 2022-03-08T21:39:26Z

We should look in every location and require that if an authorization manager abstained, then access should be denied. One option is that if the AuthorizationResult is null, then deny access. Another option is to require AuthorizationResult to be non-null going forward.

This depends on:

RequestMatcherDelegatingAuthorizationManager should deny when no match #11958
Consider XML and Java support to simplify migration to filter-based default deny #11967

The text was updated successfully, but these errors were encountered:

rwinch added in: core An issue in spring-security-core type: enhancement A general enhancement labels Mar 8, 2022

rwinch added this to the 6.0.0-M2 milestone Mar 8, 2022

rwinch self-assigned this Mar 8, 2022

sjohnr modified the milestones: 6.0.0-M2, 6.0.0-M3, 6.0.0-M4 Mar 18, 2022

sjohnr modified the milestones: 6.0.0-M4, 6.0.0-M5, 6.0.0-M6 May 16, 2022

rwinch removed their assignment Jun 9, 2022

rwinch added this to Spring Security Team Jun 14, 2022

marcusdacoregio self-assigned this Jun 22, 2022

marcusdacoregio modified the milestones: 6.0.0-M6, 6.0.0-M7 Jul 15, 2022

marcusdacoregio removed their assignment Aug 29, 2022

marcusdacoregio removed this from Spring Security Team Aug 29, 2022

marcusdacoregio modified the milestones: 6.0.0-M7, 6.0.0-RC1 Sep 16, 2022

rwinch added this to Spring Security Team Oct 4, 2022

rwinch removed this from the 6.0.0-RC1 milestone Oct 5, 2022

rwinch removed this from Spring Security Team Oct 5, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

On Abstain Access Should be Denied #10945

On Abstain Access Should be Denied #10945

rwinch commented Mar 8, 2022 •

edited by jzheaux

Loading

On Abstain Access Should be Denied #10945

On Abstain Access Should be Denied #10945

Comments

rwinch commented Mar 8, 2022 • edited by jzheaux Loading

rwinch commented Mar 8, 2022 •

edited by jzheaux

Loading