Pass secured method arguments into security checks for @PreAuthorize security annotation on SpringWeb endpoints #44667

Merged


@michalvavrik michalvavrik commented Nov 23, 2024

When @PreAuthorize placed on endpoints requires secured method arguments, we need to divide the security check into 2: one is done eagerly ("is authenticated") and one is done by CDI interceptors when secured method arguments are already available. This is valid for both RESTEasy and Quarkus REST used together with Spring Web, but we only need to test that

returns true (as the mechanism itself is heavily tested for other reasons). I don't know if in Spring you can pass secured method arguments for anonymous users as well, but that we won't support.
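For readers following the thread, an added illustration (not code from this pull request or the Quarkus test suite) of the kind of Spring Web endpoint the description refers to: a `@PreAuthorize` expression that passes a method argument to a custom bean. The class names, bean name, and path are hypothetical.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller: the security expression needs the value of the
// 'owner' argument, so it cannot be fully evaluated before the endpoint
// method's arguments have been resolved.
@RestController
@RequestMapping("/documents")
public class DocumentController {

    // '#owner' refers to the method argument; '@ownerChecker' refers to the
    // bean declared below. Per the PR description, the check is split:
    //   1. an eager "is authenticated" check, before arguments exist;
    //   2. the bean invocation, done by CDI interceptors once the
    //      arguments are available.
    @GetMapping("/{owner}")
    @PreAuthorize("@ownerChecker.isOwner(#owner, authentication.principal.username)")
    public String read(@PathVariable("owner") String owner) {
        return "documents of " + owner;
    }
}

// Hypothetical bean invoked from the expression above.
@Component("ownerChecker")
class OwnerChecker {

    // Allows access only when the requested owner is the authenticated user.
    public boolean isOwner(String owner, String username) {
        return owner != null && owner.equals(username);
    }
}
```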


quarkus-bot bot commented Nov 23, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 245a281.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.


@geoand geoand left a comment


Thanks a lot!

@geoand geoand merged commit fc548b3 into quarkusio:main Nov 25, 2024
20 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Nov 25, 2024
@michalvavrik michalvavrik deleted the feature/preauthorize-spring-resteasy-fix branch November 25, 2024 08:14
@gsmet gsmet modified the milestones: 3.18 - main, 3.17.1 Nov 27, 2024
Labels: area/security, area/spring, kind/bugfix

Successfully merging this pull request may close these issues.

NPE during custom bean invocation via PreAuthorize annotation in Quarkus RESTEasy