Spring Security DelegatingReactiveAuthorizationManager ignores extra mappings

Describe the bug I'm assuming this is a bug. DelegatingReactiveAuthorizationManager is created using a builder and keeps an internal list of mappings (ReactiveAuthorizationManager).

However, only one entry is used in the check method since it's calling .next() on a Flux https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java#L59

To Reproduce Build a DelegatingReactiveAuthorizationManager with multiple mappings, then call .check().

Expected behavior I expected all mappings in DelegatingReactiveAuthorizationManager to matter.

Comment From: eleftherias

Thanks for reaching out @MitchelLabonte. I believe the DelegatingReactiveAuthorizationManager is behaving as expected. It will look at the list of mappings in order and check the first one that matches. You can see from the tests that this is the desired behaviour https://github.com/spring-projects/spring-security/blob/2471e3296d8fc2e7b20db02ee5efa3b6855b9ad5/web/src/test/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManagerTests.java#L79-L85

If you're referring to something else, please describe your scenario.

Comment From: MitchelLabonte

Thanks for looking into it. I see now this is meant to act like an OR, and I was expecting it to act like an AND.

I was trying to secure endpoints by requiring multiple roles (user needs all roles). This is possible with HttpSecurity (web-mvc) by using an expression: http.authorizeRequests().anyRequest().access("hasRole('ROLE_role1') AND hasRole('ROLE_role2')");

I see now I can use .access((authentication, object) -> authentication... to achieve this so I'll close this!

Comment From: eleftherias

Thanks @MitchelLabonte