Spring Security Revisit Authorization Documentation

• [x] Request Authorization (Servlet)
• [x] Method Authorization (Servlet)
• [ ] Request Authorization (Reactive)
• [ ] Method Authorization (Reactive)
• [x] SpEL support
• [ ] ACLs
• [ ] Events

Comment From: tvogel8570

When updating documentation on Reactive Oauth2, a diagram of the interfaces and classes would be a tremendous help. I find it hard to trace through the java files and keep the relationships between interfaces / classes for Registrations, Providers, Clients, etc straight in my head. It might be different if I was primarily a "security developer" but I'm working on features that need to use Oauth2.

An example of a diagram that I found very helpful in understanding Basic Auth is in this medium article

Comment From: bonobonohu

Hey, I found several issues in the following doc:

https://github.com/spring-projects/spring-security/blob/6.1.0/docs/modules/ROOT/pages/reactive/authorization/method.adoc

1. @bean refers to a custom component you have defined, where apply can return Boolean or Mono<Boolean> to indicate the authorization decision. A bean like that might look something like this: In fact, in the code above it is @func.

2. useAuthorizationManager=true became the default behavior, so emphasizing its usage feels redundant.

3. In Example 5. return types are "*Interceptor" while in Example 6, 7 and 8 simply "Advisor". Maybe I'm just too lame, but for me this is a bit confusing, why. (I understand, that technically these Interceptors are PointcutAdvisors which is Advisor, but still.)

4. @Bean BeanDefinitionRegistryPostProcessor aopConfig() { return AopConfigUtils::registerAutoProxyCreatorIfNecessary; } - pasting this to my editor indicates this should not work. Maybe the following should be used instead (disclaimer: haven't tested yet!): @Bean fun aopConfig(): BeanFactoryPostProcessor = BeanFactoryPostProcessor { beanFactory -> if (beanFactory is BeanDefinitionRegistry) { AopConfigUtils.registerAutoProxyCreatorIfNecessary(beanFactory) } } (Sorry for my Kotlin!)

5. In Example 6: PostFilterAuthorizationMethodInterceptor interceptor should be PostFilterAuthorizationReactiveMethodInterceptor, and AuthorizationInterceptorOrders should be AuthorizationInterceptorsOrder! Also I'm not sure intent was not suggesting POST_FILTER instead of POST_AUTHORIZE here, since the snippet is about postFilterAuthorization(Reactive!)MethodInterceptor.

6. Example 8 and 10 mentions PRE_AUTHORIZE_ADVISOR_ORDER and POST_AUTHORIZE_ADVISOR_ORDER, i can see only PRE_AUTHORIZE and POST_AUTHORIZE values now: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java

7. Maybe I'm lame again, but doc should explain better this: "Uses the simplified AuthorizationManager API instead of metadata sources, config attributes, decision managers, and voters. This simplifies reuse and customization.". The name "simplified AuthorizationManager API" suggests this simplified "AuthorizationManager API" has something with ReactiveAuthorizationManager interface - which is seemingly not the case. It's especially confusing, since this "useAuthorizationManager=true". So what kind of "AuthorizationManager" will it use - compared to "useAuthorizationManager=false" setting? Edit: I see, these Interceptors use ReactiveAuthorizationManager<MethodInvocation> authorizationManager instances, indeed. A few word on the topic explaining the concept would be welcome, still.

8. In Example 7 there is also AuthorizationManagerBeforeMethodInterceptor and not AuthorizationManagerBeforeReactiveMethodInterceptor.

9. Example 9: ReactiveAuthorizationManager<MethodInvocation> rule = AuthorityAuthorizationManager.isAuthenticated(); line seems wrong.