Spring Security / SEC-1547

Programmatic authorization: AuthorityUtils has been removed in Spring Security 3

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M2
    • Component/s: None
    • Labels: None

      Description

      Having to iterate over the array of authorities to determine if a user has a role is inconvenient. A simple

      AuthorityUtils.userHasAuthority(String authority)

      would be useful.

      See https://jira.springframework.org/browse/SEC-545 for JIRA asking for this kind of utility.

          Activity

          Luke Taylor added a comment -

          Static methods don't allow any flexibility or optimization in how the security context is accessed. This is the reason why SEC-1516 has been introduced and this kind of functionality would be part of that interface. That way a hasAuthority() method can be optimized to take advantage of situations where the authorities are a particular type of collection - an EnumSet, for example.

          Luke Taylor added a comment -

          Closing, for the reason described. Classes which want to check authorities or other security context-related functions will have a "context-accessor" injected (or can use a particular instance internally if they don't want to use dependency injection). Static utility methods like those in AuthorityUtils should be regarded as internal to the framework.

          adrian added a comment -

          Oops, sorry, I didn't find SEC-1516 before. Thanks for the link!

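The design described in the comments above, sketched as an added example (not Spring Security's or SEC-1516's own code): a checker that is injected rather than called statically, with a general `hasAuthority()` and a variant that uses set lookup when the authorities are an `EnumSet`. `AuthorityChecker`, `ContextAuthorityChecker`, `EnumSetAuthorityChecker`, `AppRole` and `ReportService` are hypothetical names; only the `SecurityContextHolder`, `Authentication` and `GrantedAuthority` calls are Spring Security API.

```java
import java.util.Collection;
import java.util.EnumSet;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical accessor interface; name and shape are assumptions, not the SEC-1516 API.
interface AuthorityChecker { boolean hasAuthority(String authority); }

// General case: scan whatever collection the current Authentication exposes.
class ContextAuthorityChecker implements AuthorityChecker {
    public boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no authentication, or an unauthenticated token, grants nothing.
        if (authority == null || auth == null || !auth.isAuthenticated()) return false;
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        return granted != null && contains(granted, authority);
    }
    protected boolean contains(Collection<? extends GrantedAuthority> granted, String authority) {
        for (GrantedAuthority g : granted)
            if (g != null && authority.equals(g.getAuthority())) return true;
        return false;
    }
}

// Constructed application enum used as the authority type.
enum AppRole implements GrantedAuthority {
    ROLE_USER, ROLE_ADMIN;
    public String getAuthority() { return name(); }
}

// Specialised case: set lookup, assuming AppRole is the only enum authority type in use.
class EnumSetAuthorityChecker extends ContextAuthorityChecker {
    @Override
    protected boolean contains(Collection<? extends GrantedAuthority> granted, String authority) {
        if (!(granted instanceof EnumSet)) return super.contains(granted, authority);
        try {
            return granted.contains(AppRole.valueOf(authority));
        } catch (IllegalArgumentException unknownRole) {
            return false; // a name that is not an AppRole cannot have been granted
        }
    }
}

// Caller receives the checker by injection instead of calling a static utility.
class ReportService {
    private final AuthorityChecker checker;
    ReportService(AuthorityChecker checker) { this.checker = checker; }
    boolean mayExport() { return checker.hasAuthority("ROLE_ADMIN"); }
}
```

The `EnumSet` path only applies when a custom `Authentication` returns that collection directly; the stock token classes copy authorities into a list, in which case the checker falls back to the scan.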

            People

            • Assignee:
              Luke Taylor
              Reporter:
              adrian
            • Votes:
              0
              Watchers:
              2
