Summary
Sample: https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
spring-security 4.1.3, spring-boot 4.1, latest spring-data-jpa/rest libraries
I have a custom repository interface that extends from other interfaces that ultimately extend from PagingAndSortingRepository, with annotated SpEL-protected methods like this. I also have a custom PermissionEvaluator.
```java
// Fragment of the intermediary repository interface (the interface name here is a placeholder)
public interface SecuredRepository<T, ID extends Serializable> extends PagingAndSortingRepository<T, ID> {

    @Override
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    T findOne(ID id);

    @Override
    @PreAuthorize("hasPermission(#c,'CREATE,UPDATE')")
    <S extends T> S save(@P("c") S data);
}
```
I then have a client do a PATCH of a TestRecord. What happens is as follows:
- spring-data-rest calls findOne(id) with the id of the object being updated (to fetch the original record for update). My PermissionEvaluator is properly called with the object.
- Next, spring-data-rest calls save() with the object to save. However, my PermissionEvaluator at this point is passed a null object for #c above.
Also with the initial POST, the targetObject is NULL on save()...
Expected Behavior
Expected behavior is that my PermissionEvaluator should be invoked with a non-null object when save() is invoked, regardless of whether it is a POST or a PATCH, and that this all works with intermediary interfaces for repositories deriving from PagingAndSortingRepository.
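Because a null #c reaching the evaluator is exactly the failure mode reported above, a practitioner will want the PermissionEvaluator to fail closed rather than treat a missing target as "nothing to protect". The following is an added example, not code from the linked sample project; TestRecord#getOwner and the owner-based rule are assumptions standing in for the project's real ACL logic.

```java
import java.io.Serializable;
import java.util.Arrays;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Added example: a PermissionEvaluator that denies when the protected method argument
// resolves to null, which is what this issue reports for save() on POST and PATCH.
public class FailClosedPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        // #c resolved to null: deny explicitly instead of letting the write through.
        if (target == null) {
            return false;
        }
        // 'CREATE,UPDATE' in the annotation arrives as one comma-separated string;
        // require every listed permission to be granted.
        return Arrays.stream(String.valueOf(permission).split(","))
                .map(String::trim)
                .allMatch(p -> allowed(auth, target, p));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // The id/type variant is not used by the annotations in this issue; deny by default.
        return false;
    }

    // Hypothetical domain rule (assumption): the record's owner may do anything,
    // everyone else may only READ.
    private boolean allowed(Authentication auth, Object target, String permission) {
        if (target instanceof TestRecord) {
            TestRecord record = (TestRecord) target;
            return auth.getName().equals(record.getOwner()) || "READ".equals(permission);
        }
        return false;
    }
}
```

With this in place, the null-target case described in the issue surfaces as an access-denied response on save() rather than an unchecked write, which also makes the bug visible in tests.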
Comment From: nfedyk
+1
Comment From: bitsofinfo
@rwinch sample project: https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
Comment From: bitsofinfo
Note the only way this works is if you have no intermediary repository interfaces between PagingAndSortingRepository and your repository... which, if we have to do that, sort of defeats the purpose of being able to extend our own intermediary interfaces after PagingAndSortingRepository
such as:
```java
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

// Repository extending PagingAndSortingRepository directly, with no intermediary interface
@RepositoryRestResource(collectionResourceRel = "testrecords", path = "testrecords")
public interface TestRecordRepository extends PagingAndSortingRepository<TestRecord, Integer> {

    @Override
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    TestRecord findOne(Integer id);

    @Override
    @PreAuthorize("hasPermission(#c,'CREATE,UPDATE')")
    TestRecord save(@P("c") TestRecord data);
}
```
Comment From: bmudda
+1
Comment From: peloncano
+1
Comment From: bitsofinfo
Can anyone take a look at this please?
Comment From: bitsofinfo
ping.... this has a sample project attached no less. Please take a look?
Comment From: nfedyk
Can anyone check this issue please?
Comment From: jgrosche
+1
Comment From: bitsofinfo
Is there any chance this will ever be addressed?
Comment From: eepstein
this looks like a (potential) security hole
Comment From: ptahchiev
+1
Comment From: oscarbrookssynacor
Hi, I wanted to follow up. This issue has been open for 8 years, seemingly with no comment from the Spring team. I am running into a similar issue dealing with a JPA repository. Is there any progress on this?