GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch '7.0.x' 

Closes gh-18471
pull/18474/head
Robert Winch 3 weeks ago
parent
a3b57c470f e9a92a8e9a
commit
5a7d93ee3b
No known key found for this signature in database
2 changed files with 2 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      docs/modules/ROOT/pages/servlet/authorization/architecture.adoc
  2. 2
      docs/modules/ROOT/pages/servlet/authorization/method-security.adoc

2
docs/modules/ROOT/pages/servlet/authorization/architecture.adoc
Unescape View File

@ -107,7 +107,7 @@ default void verify(Supplier<Authentication> authentication, Object secureObject @@ -107,7 +107,7 @@ default void verify(Supplier<Authentication> authentication, Object secureObject
}
----
The ``AuthorizationManager``'s `check` method is passed all the relevant information it needs in order to make an authorization decision.
The ``AuthorizationManager``'s `authorize` method is passed all the relevant information it needs in order to make an authorization decision.
In particular, passing the secure `Object` enables those arguments contained in the actual secure object invocation to be inspected.
For example, let's assume the secure object was a `MethodInvocation`.
It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer.

2
docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
Unescape View File

@ -118,7 +118,7 @@ A given invocation to `MyCustomerService#readCustomer` may look something like t @@ -118,7 +118,7 @@ A given invocation to `MyCustomerService#readCustomer` may look something like t
image::{figures}/methodsecurity.png[]
1. Spring AOP invokes its proxy method for `readCustomer`. Among the proxy's other advisors, it invokes an javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[] that matches <<annotation-method-pointcuts,the `@PreAuthorize` pointcut>>
2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#check`]
2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#authorize`]
3. The authorization manager uses a `MethodSecurityExpressionHandler` to parse the annotation's <<authorization-expressions,SpEL expression>> and constructs a corresponding `EvaluationContext` from a `MethodSecurityExpressionRoot` containing xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[a `Supplier<Authentication>`] and `MethodInvocation`.
4. The interceptor uses this context to evaluate the expression; specifically, it reads xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[the `Authentication`] from the `Supplier` and checks whether it has `permission:read` in its collection of xref:servlet/authorization/architecture.adoc#authz-authorities[authorities]
5. If the evaluation passes, then Spring AOP proceeds to invoke the method.

Write Preview
Loading…
Cancel
Save