hotmeatballsoup

Reputation: 625

Implementing Spring Security AccessDecisionManager by example

Please note: someone seems to be serially DVing my questions without explanation. This question is on topic, is not a duplicate, shows research and provides an SSCCE. If you wish to DV or CV it, that's fine, but please provide a comment as to why so I can have a chance to address your concerns...


Spring Boot 2.3.x and Spring Security here.

I have some pretty complicated authorization logic, and so I believe I need to write my own AccessDecisionManager impl and wire it into my WebSecurityConfigurerAdapter impl (if that's wrong or misunderstood in any way, please correct me!).

So then, to implement your own AccessDecisionManager you need to implement 3 methods, one of which is:

import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;

public class MyCustomAccessDecisionManager implements AccessDecisionManager {

    // Called by the security interceptor before the secured object is invoked;
    // throwing means "deny", returning normally means "allow".
    @Override
    public void decide(
            Authentication authentication,
            Object object,
            Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {

        // TODO

    }

    // The interface also requires supports(ConfigAttribute) and supports(Class<?>).

}

I have scoured the Google Gods high and low, and for the life of me I cannot find a meaningful, real world example of what the Object object and Collection<ConfigAttribute> configAttributes arguments are, what they are used for, how they are intended to be used, and what some real world (concrete) examples of them will be at runtime.

The Authentication argument is obvious: it is my auth token and will contain the principal, possibly their credential, and a list of GrantedAuthorities (permissions) associated with the principal.

But the other two arguments (object and configAttributes) are absolute mysteries to me.

Does anybody know what these arguments are, what some real world use cases of them are, and how they are intended to be used?

Upvotes: 1

Views: 587

Answers (1)

Serhii Vasniev

Reputation: 793

As the JavaDoc for AccessDecisionManager says:

object – the secured object being called

Usually, it's an instance of the MethodInvocation interface and it represents the method call for which the security decision should be performed.

configAttributes - the configuration attributes associated with the secured object being invoked

It's a collection of metadata attributes related to the security object (Method). For example, it can contain information about annotations related to this method, such as @PermitAll, @PreAuthorize, @PostFilter, etc.

Upvotes: 1
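The following is an added example written for this page, not code from the question, the answer or the Spring Security project. It shows a complete AccessDecisionManager that inspects both arguments discussed above: object (a FilterInvocation for URL rules, a MethodInvocation for method security) and configAttributes (plain string attributes such as the SecurityConfig("ROLE_ADMIN") produced by @Secured). It assumes Spring Security 5.x with spring-security-web on the classpath; the class name is the one from the question and everything else is an assumption.

```java
import java.util.Collection;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;

public class MyCustomAccessDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // 'object' is the secured object. For URL rules it is a FilterInvocation
        // (the HTTP request); for @Secured / @PreAuthorize method security it is
        // an AOP Alliance MethodInvocation (the intercepted method call).
        String target = String.valueOf(object);
        if (object instanceof FilterInvocation) {
            target = ((FilterInvocation) object).getRequestUrl();
        } else if (object instanceof MethodInvocation) {
            target = ((MethodInvocation) object).getMethod().toString();
        }

        // Fail closed: an unauthenticated or anonymous caller never passes.
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            throw new InsufficientAuthenticationException("Login required for " + target);
        }

        // 'configAttributes' are the rules the configuration attached to that object,
        // e.g. SecurityConfig("ROLE_ADMIN") produced by @Secured("ROLE_ADMIN").
        // SpEL attributes from hasRole(...) / @PreAuthorize return null from getAttribute().
        Set<String> granted = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();
            if (required != null && granted.contains(required)) {
                return; // one matching authority is enough: access granted
            }
        }
        throw new AccessDeniedException("Access denied to " + target);
    }

    // Only plain string attributes are understood; the interceptor checks this at startup.
    @Override public boolean supports(ConfigAttribute attribute) { return attribute.getAttribute() != null; }
    @Override public boolean supports(Class<?> clazz) { return true; }
}
```

Because supports(ConfigAttribute) rejects SpEL attributes, wiring this manager next to hasRole(...) or @PreAuthorize rules fails at startup with an "unsupported configuration attributes" error rather than silently denying or allowing at runtime.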
