Skip to content

Method Security Templates Do Not Use Deep Non-Aliased Attributes #16498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rwinch opened this issue Jan 28, 2025 · 1 comment · Fixed by #16550
Closed

Method Security Templates Do Not Use Deep Non-Aliased Attributes #16498

rwinch opened this issue Jan 28, 2025 · 1 comment · Fixed by #16550
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: bug A general bug

Comments

@rwinch
Copy link
Member

rwinch commented Jan 28, 2025
edited
Loading

Method Security expressions that use templates do not use deep non-aliased attributes. A complete sample can be found in my sample repository, but is highlighted below:

@Service
public class Authz {
	public boolean hasPermission(Authentication authentication, Object object, String permission) {
		return true;
	}
}

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@PreAuthorize("@authz.hasPermission(authentication, {object}, {permission})")
public @interface HasPermission {

	String object();

	String permission();
}

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD})
@HasPermission(object = "{value}", permission = "'read'")
public @interface HasReadPermission {
// If the alias is used, then Spring Security does work. However, there may be templates where a new variable is introduced and thus nothing to alias
//	@AliasFor(annotation = HasPermission.class, value = "object")
	String value();
}

@Service
public class MessageService {

	@HasReadPermission("#name")
	String sayHello(String name) {
		return "Hello " + name;
	}
}

This will produce the error Failed to evaluate expression '@authz.hasPermission(authentication, {value}, 'read')'.

I'd expect the expression to replace {value} with #name.
@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 28, 2025
@jzheaux jzheaux self-assigned this Jan 29, 2025
@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 29, 2025
kse-music added a commit to kse-music/spring-security that referenced this issue Feb 7, 2025
@kse-music
Method Security templates support use deep non-aliased attributes
d7132b4 
Closes spring-projectsgh-16498

Signed-off-by: DingHao <[email protected]>
@kse-music kse-music mentioned this issue Feb 7, 2025
Merged
kse-music added a commit to kse-music/spring-security that referenced this issue Mar 21, 2025
@kse-music
Method Security templates support use deep non-aliased attributes
a37dfda 
Closes spring-projectsgh-16498

Signed-off-by: DingHao <[email protected]>
@jzheaux
Copy link
Contributor

jzheaux commented Apr 21, 2025

Closed in favor of #16550

@jzheaux jzheaux added the status: duplicate A duplicate of another issue label Apr 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Method Security templates support use deep non-aliased attributes kse-music/spring-security
2 participants
@rwinch @jzheaux