Spring Security
  1. Spring Security
  2. SEC-1491

Add support for Enum in Secured Annotation

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.RC2
    • Component/s: Core
    • Labels:
      None

      Description

      In an RBAC style application, with operations protected by specific "rights" rather than roles, it makes sense to define these rights using an enum. The Secured annotation should support an additional attribute which directly provides a collection of ConfigAttributes that are required, in addition to the current approach of using Strings. The Enum should implement ConfigAttribute, and also potentially GrantedAuthority, to provide efficient lookup in a custom voter which takes into account the use of an authority set (or EnumSet) to store the current user's authorities.

      SecuredAnnotationSecurityMetadataSource needs to be altered to support the extra attribute on the annotation.

        Issue Links

          Activity

          Hide
          Luke Taylor added a comment -

          This isn't actually possible, since ConfigAttribute[] isn't a valid annotation member type. An annotation can use an Enum as the type, but the Enum in this case will be defined by the user.

          An alternative may be to allow a custom annotation, so the user defines the annotation and Enum:

          @interface MySecurityAnnotation

          { SecurityEnum[] value(); }

          and then configures Spring Security to advise methods based on this attribute rather than the standard "@Secured".

          Show
          Luke Taylor added a comment - This isn't actually possible, since ConfigAttribute[] isn't a valid annotation member type. An annotation can use an Enum as the type, but the Enum in this case will be defined by the user. An alternative may be to allow a custom annotation, so the user defines the annotation and Enum: @interface MySecurityAnnotation { SecurityEnum[] value(); } and then configures Spring Security to advise methods based on this attribute rather than the standard "@Secured".
          Hide
          Luke Taylor added a comment -

          Added a separate parametrized strategy to SecuredAnnotationSecurityMetadataSource to allow use of a custom annotation, potentially with an enum as the value.

          Show
          Luke Taylor added a comment - Added a separate parametrized strategy to SecuredAnnotationSecurityMetadataSource to allow use of a custom annotation, potentially with an enum as the value.
          Hide
          Luke Taylor added a comment -

          The AnnotationMetadataExtractor strategy combined with the ability to use an external SecurityMetadataSource (which takes priority) should make it simple enough to add support for custom annotations, including those which use enum values.

          Show
          Luke Taylor added a comment - The AnnotationMetadataExtractor strategy combined with the ability to use an external SecurityMetadataSource (which takes priority) should make it simple enough to add support for custom annotations, including those which use enum values.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: