We should provide an implementation of Reactive Method Security that leverages ReactiveAuthorizationManager similar to gh-9289.
The implementation should support:
- gh-4841 It should support SpEL expressions that return both Boolean and Mono<Boolean>
- It should support Mono<Authentication>
- It should support reactive and non reactive arguments. Reactive types should not be subscribed to unless they are used.
- It should support not resolving the Mono<Authentication> if it was not used (i.e. if permitAll was used there is no need to resolve the Authentication)
- [x] gh-5664
For full support this may require updates to SpEL support to support Reactor (i.e. it likely needs to support lambdas) but beans can easily return reactive types that would be supported by SpEL.
Related to #9289, #5249, and https://github.com/spring-projects/spring-security/issues/4841
Once #9289 is addressed, we could consider applying the same model to reactive method security.
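The sketch below is an added example, not part of the issue and not Spring Security's own implementation. It shows two of the listed requirements: a rule result that is either Boolean or Mono<Boolean>, and a Mono<Authentication> that is never subscribed to when the rule ignores it. `Rule`, `manager` and the sample user are hypothetical and constructed for illustration, and it assumes the `check(Mono<Authentication>, T)` method of ReactiveAuthorizationManager as found in Spring Security 5.x and 6.x.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import reactor.core.publisher.Mono;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;

public class LazyAuthenticationDemo {

    // Hypothetical stand-in for an evaluated SpEL expression: it receives the
    // deferred Authentication and may return either Boolean or Mono<Boolean>.
    interface Rule extends Function<Mono<Authentication>, Object> {}

    // Hypothetical adapter from a Rule to ReactiveAuthorizationManager.
    // Assumes check(Mono<Authentication>, T) is the single abstract method (5.x/6.x).
    static ReactiveAuthorizationManager<String> manager(Rule rule) {
        return (authentication, method) -> Mono.defer(() -> {
            Object result = rule.apply(authentication);
            // Normalise both result kinds to one reactive pipeline.
            Mono<?> reactive = (result instanceof Mono) ? (Mono<?>) result : Mono.justOrEmpty(result);
            return reactive
                .map(Boolean.TRUE::equals)   // anything other than Boolean.TRUE denies
                .defaultIfEmpty(false)       // null or empty result fails closed
                .map(AuthorizationDecision::new);
        });
    }

    public static void main(String[] args) {
        AtomicInteger subscriptions = new AtomicInteger();
        // Constructed sample user; the counter records each time the Authentication is resolved.
        Mono<Authentication> auth = Mono.<Authentication>fromSupplier(
                () -> new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"))
            .doOnSubscribe(s -> subscriptions.incrementAndGet());

        // Plain Boolean result; the Authentication is never touched.
        Rule permitAll = a -> true;
        // Mono<Boolean> result; subscribing to it resolves the Authentication.
        Rule hasRoleAdmin = a -> a.map(u -> u.getAuthorities().stream()
            .anyMatch(g -> "ROLE_ADMIN".equals(g.getAuthority())));

        boolean open = manager(permitAll).check(auth, "list()").block().isGranted();
        System.out.println("permitAll granted=" + open + " subscriptions=" + subscriptions.get());

        boolean admin = manager(hasRoleAdmin).check(auth, "delete()").block().isGranted();
        System.out.println("hasRole granted=" + admin + " subscriptions=" + subscriptions.get());
    }
}
```

The subscription counter only moves for the second rule, which is the behaviour the last two requirements ask for; a null or empty rule result is treated as a denial.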
Comment From: evgeniycheban
@jzheaux I can take this.
Comment From: jzheaux
Great, @evgeniycheban! It's yours. I'd recommend waiting until #9630 is merged before proceeding.
Comment From: rwinch
@evgeniycheban Thanks for volunteering to work on this issue. I've updated the description to include more detailed requirements. I think you can start on this issue before we merge the mentioned PR, but base it off the branch with gh-9630.
Comment From: mkrzywanski
What is the status of this ticket?
Comment From: evgeniycheban
> What is the status of this ticket?
Waiting for review.
Comment From: rrrship
In the docs it says that adding Kotlin coroutines support for the reactive method security is blocked by https://github.com/spring-projects/spring-framework/issues/22462, which seems to be done now, so are there any new tickets to follow for the development of this?