Hello,

I am attempting to migrate my Inception Framework, based on Spring Boot 2, to Spring Boot 3.

I have created an ApiMethodSecurityExpressionHandler class that extends the DefaultMethodSecurityExpressionHandler class.

I have overridden the createSecurityExpressionRoot method, as shown below.

  // Override of the protected hook that Spring Security 5 invokes from
  // createEvaluationContext; it returns a custom expression root.
  @Override
  protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
      Authentication authentication, MethodInvocation invocation) {
    ApiSecurityExpressionRoot apiSecurityExpressionRoot =
        new ApiSecurityExpressionRoot(authentication, applicationContext);

    // Propagate the handler's configured collaborators to the custom root.
    apiSecurityExpressionRoot.setPermissionEvaluator(getPermissionEvaluator());
    apiSecurityExpressionRoot.setTrustResolver(getTrustResolver());
    apiSecurityExpressionRoot.setRoleHierarchy(getRoleHierarchy());

    return apiSecurityExpressionRoot;
  }

This approach used to work in Spring Boot 2.

With Spring Boot 3, there appears to be an issue with the DefaultMethodSecurityExpressionHandler class.

The createEvaluationContext cannot be overridden because it uses a MethodSecurityEvaluationContext class, which is not accessible. It also invokes a private createSecurityExpressionRoot method, which means my overridden createSecurityExpressionRoot is no longer invoked.

I believe the createEvaluationContext should be modified to unwrap the Supplier object as shown below to restore the original behaviour.

    @Override
    public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
        // Unwrap the Supplier and delegate to the protected, overridable hook
        // so that subclasses can supply their own expression root.
        MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication.get(), mi);
        MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(root, mi,
                getParameterNameDiscoverer());
        ctx.setBeanResolver(getBeanResolver());
        return ctx;
    }

Comment From: marcusdacoregio

Hi @marcusportmann,

I think this is related to https://github.com/spring-projects/spring-security/issues/12331, therefore I'll close this as a duplicate.

Feel free to ask to reopen if they are not the same.