Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Bean validation is executed before @PreAuthorize

See original GitHub issue

@RestController
public class SomeController {

    @PreAuthorize("@security.isAuthenticated()")
    @PostMapping("/todo")
    public void add(@Valid @RequestBody dto: SomeDto) {
    }
}

Method isAuthenticated should be executed before deserialization and validation of action parameters.

Issue Analytics

State:
Created 6 years ago
Comments:8 (3 by maintainers)

Top GitHub Comments

8reactions

ghostcommented, Dec 14, 2018

I think everybody agree with the simply rule “Security First” . Sorry but for me this is a big issue why do we want to run the validation and return validation error if somebody has not event permission to this endpoint? Also the explanation for me its not professional, its sound like “we don’t care with the basic security rules the design is more important than the security”.

Now how we can be confident by using spring security once we know that we can run some other methods before we actually authorise user. The simple question after all is: what else other than validation is running before security check ?

3reactions

ghostcommented, Dec 14, 2018

@wilkinsona sorry for that I just want to express that I really dislike this behaviour. I updated my comment so now I hope is fine. I will definitely raise this ticket with spring security team and chat with them on Gitter.