Closed
Description
Related to #14652
Native applications currently need to manually register their authorization proxy classes using a `BeanFactoryInitializationAotProcessor` like so:
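```java
import org.springframework.aot.generate.GenerationContext;
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.ReflectionHints;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotContribution;
import org.springframework.beans.factory.aot.BeanFactoryInitializationAotProcessor;
import org.springframework.beans.factory.aot.BeanFactoryInitializationCode;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.authorization.AuthorizationProxyFactory;

public class AuthorizationProxyFactoryAotProcessor implements BeanFactoryInitializationAotProcessor {

    @Override
    public BeanFactoryInitializationAotContribution processAheadOfTime(ConfigurableListableBeanFactory beanFactory) {
        return new AuthorizationProxyFactoryAotContribution(beanFactory);
    }

    private static final class AuthorizationProxyFactoryAotContribution implements BeanFactoryInitializationAotContribution {

        private final ConfigurableListableBeanFactory beanFactory;

        private AuthorizationProxyFactoryAotContribution(ConfigurableListableBeanFactory beanFactory) {
            this.beanFactory = beanFactory;
        }

        @Override
        public void applyTo(GenerationContext generationContext,
                BeanFactoryInitializationCode beanFactoryInitializationCode) {
            // Message and User are the application's own domain types.
            registerProxyClass(generationContext.getRuntimeHints().reflection(), Message.class);
            registerProxyClass(generationContext.getRuntimeHints().reflection(), User.class);
            // ...
        }

        // Asks the proxy factory for the proxied class and registers a reflection hint for it.
        private void registerProxyClass(ReflectionHints reflection, Class<?> clazz) {
            AuthorizationProxyFactory proxyFactory = this.beanFactory.getBean(AuthorizationProxyFactory.class);
            Class<?> proxied = (Class<?>) proxyFactory.proxy(clazz);
            reflection.registerType(proxied, MemberCategory.INVOKE_PUBLIC_METHODS, MemberCategory.PUBLIC_FIELDS);
        }
    }
}
```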
It would be nice to remove this need, either by scanning the classpath for `@AuthorizeReturnObject` usage and/or by introducing an API where security-specific proxy hints can be specified.
Some things that should be considered:
- Adding a Data-specific AotProcessor that inspects the generic types for beans of type `RepositoryFactoryBeanSupport` that use `@AuthorizeReturnObject`
- Adding an AotProcessor that inspects the return values of bean methods that use `@AuthorizeReturnObject`, traversing the return type's object graph for any nested authorized return objects
- Adding a way to directly indicate non-bean types that Security should proxy
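
A sketch of the object-graph traversal described in the second consideration above, added here as an illustration; it is not Spring Security code or the project's eventual implementation. `AuthorizedReturnTypeCollector` and `collect` are hypothetical names, skipping `java.*` types is an assumption of this sketch, and it needs spring-security-core on the classpath for the annotation.

```java
import java.lang.reflect.Method;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.lang.reflect.WildcardType;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.security.authorization.method.AuthorizeReturnObject;

// Hypothetical helper (not Spring Security API): collects the types reachable
// through @AuthorizeReturnObject methods, starting from one bean class.
public final class AuthorizedReturnTypeCollector {

    public static Set<Class<?>> collect(Class<?> beanType) {
        Set<Class<?>> found = new LinkedHashSet<>();
        Deque<Class<?>> toVisit = new ArrayDeque<>();
        toVisit.push(beanType);
        while (!toVisit.isEmpty()) {
            Class<?> current = toVisit.pop();
            // A type-level annotation is treated as covering every method of the type.
            boolean onType = current.isAnnotationPresent(AuthorizeReturnObject.class);
            for (Method method : current.getMethods()) {
                if (method.getDeclaringClass() == Object.class) continue;
                // Direct annotations only; meta-annotations are not resolved in this sketch.
                if (!onType && !method.isAnnotationPresent(AuthorizeReturnObject.class)) continue;
                unwrap(method.getGenericReturnType(), found, toVisit);
            }
        }
        return found;
    }

    // Records the class and descends into type arguments, so that
    // List<Message> or Optional<User> yields Message or User.
    private static void unwrap(Type type, Set<Class<?>> found, Deque<Class<?>> toVisit) {
        if (type instanceof Class<?> c) {
            if (c.isArray()) { unwrap(c.getComponentType(), found, toVisit); return; }
            // Assumption: primitives, void and JDK types are not proxy candidates.
            if (c.isPrimitive() || c.getName().startsWith("java.")) return;
            // Queue a type only the first time it is seen, so cyclic graphs terminate.
            if (found.add(c)) toVisit.push(c);
        } else if (type instanceof ParameterizedType p) {
            unwrap(p.getRawType(), found, toVisit);
            for (Type arg : p.getActualTypeArguments()) unwrap(arg, found, toVisit);
        } else if (type instanceof WildcardType w) {
            for (Type bound : w.getUpperBounds()) unwrap(bound, found, toVisit);
        }
    }
}
```

Each class in the returned set is a candidate for the `registerProxyClass` call in the processor shown earlier, in place of the hand-maintained `Message.class` and `User.class` lines.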