Summary
Hey,
The current implementation of the Pre- & PostFilter can not be used for the return type of Flux
Actual Behavior
java.lang.IllegalArgumentException: Filter target must be a collection or array type, but was a.b.c.X
at org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler.filter(DefaultMethodSecurityExpressionHandler.java:175) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:61) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor.lambda$null$4(PrePostAdviceReactiveMethodInterceptor.java:103) ~[spring-security-core-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
Expected Behavior
A filtered Flux, that removed the objects that do not match the filter.
Example
public class XController {
@GetMapping()
@PostFilter("@someCustomFilter.method(returnObject)")
public <Flux<X> findAll() {
Flux<X> result = someService.findAllX()
return result;
}
}
Version
spring-boot-starter-parent: 2.0.1.RELEASE spring-boot-starter-webflux: 2.0.1.RELEASE spring-security-config: 5.0.4.RELEASE spring-security-core: 5.0.4.RELEASE
Comment From: MarvGilb
Please also consider, that return values as such as:
public Mono<ResponseEntity<Flux<X>>> findAll() {
Flux<X> result = someService.findAllX()
return Mono.just(ResponseEntity.ok(result));
}
should be supported as well, where the inner class is taken.
regards Marvin
Comment From: frankruegamer
Is there any update on this?
Comment From: barrida
How can we contribute for the solution of this feature?
Comment From: rwinch
Closing this in favor of gh-9401