
DefaultMethodSecurityExpressionHandler createSecurityExpressionRoot Should Have Protected Access Instead Of Private


Describe the bug

DefaultMethodSecurityExpressionHandler for v5.8.0 adds a new signature for createSecurityExpressionRoot as createSecurityExpressionRoot(Supplier<Authentication> authentication, MethodInvocation invocation) in addition to the existing createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation). However, the new signature is private while the existing one is protected. This causes an issue for any usage that extends the DefaultMethodSecurityExpressionHandler and overrides the protected createSecurityExpressionRoot, because the createEvaluationContext method always calls the private createSecurityExpressionRoot, leaving any extension of DefaultMethodSecurityExpressionHandler unable to override this behavior. A workaround could be to also override createEvaluationContext; however, that method uses MethodSecurityEvaluationContext, which is package private and therefore cannot be used when overriding createEvaluationContext.

Proposed Fix

Make MethodSecurityExpressionOperations createSecurityExpressionRoot(Supplier<Authentication> authentication, MethodInvocation invocation) protected instead of private.

Sample

See DefaultMethodSecurityExpressionHandler for the code in question.
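The set-up the report describes, written out as an added example (it is not code from the issue or from Spring Security; the class names CustomMethodSecurityExpressionRoot, CustomMethodSecurityExpressionHandler, DocumentService and the isOwner expression are assumptions). A custom root object adds an isOwner(...) method to the expression vocabulary, and a handler subclass installs it by overriding the protected createSecurityExpressionRoot(Authentication, MethodInvocation). On 5.8.0 the Supplier<Authentication> path taken by createEvaluationContext calls the private overload instead, so for callers on that path the override is never reached. The practical caveat: when the custom root is missing, a @PreAuthorize("isOwner(...)") expression refers to a method SpEL cannot find on the default root, so the evaluation throws rather than silently granting access; the failure is loud, but every method guarded that way stops working.

```java
// Added example, not code from the issue or from Spring Security. Names such as
// CustomMethodSecurityExpressionRoot, isOwner and DocumentService are assumptions.
import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

/** Custom root object that adds isOwner(...) to the vocabulary of @PreAuthorize expressions. */
public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {

    private final MethodInvocation invocation;
    private Object filterObject;
    private Object returnObject;

    public CustomMethodSecurityExpressionRoot(Supplier<Authentication> authentication, MethodInvocation invocation) {
        super(authentication);          // Supplier-based constructor introduced with 5.8
        this.invocation = invocation;
    }

    public CustomMethodSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
        this(() -> authentication, invocation);
    }

    /** Grant only when the authenticated principal's name matches the owner recorded on the resource. */
    public boolean isOwner(String resourceOwner) {
        Authentication auth = getAuthentication();
        return auth != null && auth.isAuthenticated() && auth.getName().equals(resourceOwner);
    }

    // MethodSecurityExpressionOperations plumbing needed for filterObject / returnObject / this.
    @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
    @Override public Object getFilterObject() { return this.filterObject; }
    @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
    @Override public Object getReturnObject() { return this.returnObject; }
    @Override public Object getThis() { return this.invocation.getThis(); }
}

/**
 * The override the issue is about. Before 5.8 every evaluation went through this protected
 * factory method. With 5.8.0 the Supplier<Authentication> form of createEvaluationContext
 * calls a private overload instead, so this method is never reached from that path.
 */
class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication, invocation);
        // Copy the collaborators the default handler would have installed on its own root.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setDefaultRolePrefix(getDefaultRolePrefix());
        return root;
    }
}

/** Call site. If the custom root is not installed, isOwner is unknown to SpEL and evaluation throws. */
@Service
class DocumentService {

    @PreAuthorize("isOwner(#owner)")
    public String read(String owner, String documentId) {
        return "document " + documentId + " (owner " + owner + ")";
    }
}
```

The handler subclass has to be registered as the MethodSecurityExpressionHandler bean for it to take effect at all; the point of the report is that on 5.8.0 even a correctly registered subclass does not get its root used on the Supplier path.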

Issue Analytics

  • State: closed
  • Created: 10 months ago
  • Reactions: 1
  • Comments: 10 (3 by maintainers)

Top GitHub Comments

jzheaux commented, Dec 8, 2022 (1 reaction)

I’ve added https://github.com/spring-projects/spring-security/issues/12356 to provide more detail on the migration steps for DefaultMethodSecurityExpressionHandler usage.

Given that, I’ll close this ticket. @paveljandejsek, please try the migration guide once that ticket is complete. If the migration steps don’t work for you, we can come back here and revisit.

jzheaux commented, Dec 8, 2022 (1 reaction)

Another option I believe is to extend the createEvaluationContext method itself, like so:

import java.util.function.Supplier;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component
public class MyExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
        // CustomMethodSecurityExpressionRoot is the application's own root class, assumed
        // here to accept the Supplier<Authentication> form of the constructor.
        CustomMethodSecurityExpressionRoot adminMethodSecurityExpressionRoot =
                new CustomMethodSecurityExpressionRoot(authentication, mi);
        adminMethodSecurityExpressionRoot.setPermissionEvaluator(getPermissionEvaluator());
        adminMethodSecurityExpressionRoot.setTrustResolver(new AuthenticationTrustResolverImpl());
        adminMethodSecurityExpressionRoot.setRoleHierarchy(getRoleHierarchy());
        // Let the superclass build the package-private MethodSecurityEvaluationContext,
        // then replace its root object with the custom one.
        StandardEvaluationContext context = (StandardEvaluationContext) super.createEvaluationContext(authentication, mi);
        context.setRootObject(adminMethodSecurityExpressionRoot);
        return context;
    }
}

As @adase11 has already found, using a custom bean in the annotation expression is often preferable.
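The custom-bean approach the comment above recommends, as an added example (not code from the issue, from @adase11, or from Spring Security; the bean name authz, the AuthorizationChecks and DocumentService classes, and the in-memory owner table are assumptions). The check lives in an ordinary Spring bean referenced from SpEL as @authz, so no DefaultMethodSecurityExpressionHandler subclass is needed and the visibility of createSecurityExpressionRoot never matters. The example assumes method security is enabled with @EnableMethodSecurity.

```java
// Added example, not code from the issue or from Spring Security. The bean name "authz",
// AuthorizationChecks, DocumentService and the sample owner table are assumptions.
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Enables @PreAuthorize handling; nothing about the expression handler is customised. */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

/** Authorization rules as a plain bean; SpEL reaches it as @authz. */
@Component("authz")
public class AuthorizationChecks {

    // Constructed sample data standing in for a repository lookup: document id -> owner username.
    private static final Map<Long, String> OWNER_BY_DOCUMENT = Map.of(1L, "alice", 2L, "bob");

    /**
     * Deny by default: an unauthenticated caller, an unknown document or a non-matching
     * owner all return false. The Authentication is passed in from the expression.
     */
    public boolean isOwner(Authentication authentication, Long documentId) {
        if (authentication == null || !authentication.isAuthenticated() || documentId == null) {
            return false;
        }
        String owner = OWNER_BY_DOCUMENT.get(documentId);
        return owner != null && owner.equals(authentication.getName());
    }
}

/** Call site: the expression references the bean method instead of a custom root method. */
@Service
class DocumentService {

    @PreAuthorize("@authz.isOwner(authentication, #documentId)")
    public String read(Long documentId) {
        return "document " + documentId;
    }
}
```

Because isOwner is resolved on a bean rather than on the expression root, the same rule works unchanged whichever createSecurityExpressionRoot overload the framework calls internally, and the rule can be unit-tested by calling AuthorizationChecks directly with a constructed Authentication.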
