Support Spring Security @Secured annotation


Annotating a server implementation method with @Secured annotation currently doesn’t have any effect. It would be nice if the @Secured annotation is supported and a Status.PERMISSION_DENIED error is sent if the Authentication doesn’t contain the proper authority.

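import java.util.Collections;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.stub.StreamObserver;
import org.lognet.springboot.grpc.GRpcService;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Authenticates every call as "user", holding only the USER authority.
@Component
public class AuthenticationInterceptor implements ServerInterceptor {
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        Authentication authentication = new UsernamePasswordAuthenticationToken("user", "user",
            Collections.singletonList(new SimpleGrantedAuthority(AuthoritiesConstants.USER)));
        SecurityContextHolder.getContext().setAuthentication(authentication);
        return serverCallHandler.startCall(serverCall, metadata);
    }
}

// The method requires ROLE_ADMIN, which the interceptor above never grants.
@GRpcService(interceptors = { LogInterceptor.class, AuthenticationInterceptor.class })
public class GreeterService extends GreeterGrpc.GreeterImplBase {
    @Override
    @Secured({ "ROLE_ADMIN" })
    public void sayHello(GreeterOuterClass.HelloRequest request, StreamObserver<GreeterOuterClass.HelloReply> responseObserver) {
        String message = "Hello " + request.getName();
        final GreeterOuterClass.HelloReply.Builder replyBuilder = GreeterOuterClass.HelloReply.newBuilder().setMessage(message);
        responseObserver.onNext(replyBuilder.build());
        responseObserver.onCompleted();
        log.info("Returning " + message);
    }
}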

then stub.sayHello should fail with Status.PERMISSION_DENIED

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments:19 (1 by maintainers)

Top GitHub Comments

2 reactions
alexleigh commented, Nov 10, 2017

I’ve also put together a standalone example of method-based security with gRPC (using pre-post-annotations instead of secured-annotations) with an exception-to-status translator, using Authorization metadata for Basic Auth credentials and JWT tokens. It works pretty well for our production use-case, though the default ThreadLocal security context storage is less than ideal.

1 reaction
majusko commented, Nov 11, 2019

@cbornet , @ST-DDT , @jvmlet

Probably not interested anymore, but if so:

I created a simple JWT Spring Boot Starter extending this library from LogNet: https://github.com/majusko/grpc-jwt-spring-boot-starter

Already using it in a few production projects, so it will definitely be supported. Also, feel free to contribute 😉

Simple usage showcase here: https://github.com/majusko/grpc-example/blob/master/src/main/kotlin/io/github/majusko/grpc/example/ServerExample.kt
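
The behaviour requested in the issue, with the exception-to-status translation and the ThreadLocal concern raised in the first comment, as an added example (not code from the issue, the library, or either commenter's project). It assumes Spring method security is enabled and that calls reach the service through the Spring security proxy; `SecurityStatusInterceptor` and its `authenticate` hook are hypothetical names, and the sketch covers unary and server-streaming methods only.

```java
import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

public abstract class SecurityStatusInterceptor implements ServerInterceptor {

    /** Hypothetical hook: build the Authentication from request metadata (Basic, JWT, ...). */
    protected abstract Authentication authenticate(Metadata headers) throws AuthenticationException;

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        final Authentication auth;
        try {
            auth = authenticate(headers);
        } catch (AuthenticationException e) {
            // Reject before the handler is ever started; return a no-op listener.
            call.close(Status.UNAUTHENTICATED.withDescription("authentication failed"), new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }
        return new SimpleForwardingServerCallListener<ReqT>(next.startCall(call, headers)) {
            @Override
            public void onHalfClose() {
                // grpc-java invokes a unary service method from onHalfClose(), so the
                // @Secured / @PreAuthorize check throws here, not in interceptCall().
                SecurityContextHolder.getContext().setAuthentication(auth);
                try {
                    super.onHalfClose();
                } catch (AccessDeniedException e) {
                    // Generic description: do not echo the required role to the client.
                    call.close(Status.PERMISSION_DENIED.withDescription("access denied"), new Metadata());
                } finally {
                    // gRPC executor threads are pooled; never leave an identity behind.
                    SecurityContextHolder.clearContext();
                }
            }
        };
    }
}
```

Setting the context inside the listener callback and clearing it in `finally` keeps one caller's identity from leaking to the next call handled on the same pooled thread.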
