Expected Behavior
The CurrentSecurityContextArgumentResolver should be capable of supporting property population of different types, meaning it should be able to map information from the security context onto parameters of varying types in controller methods.
Current Behavior
Currently, the CurrentSecurityContextArgumentResolver does not support the functionality of cross-type property population, resulting in data retrieved from the security context being unable to directly populate objects with properties of different types.
package org.springframework.security.web.method.annotation;

public final class CurrentSecurityContextArgumentResolver implements HandlerMethodArgumentResolver {
    /***/
    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
        SecurityContext securityContext = this.securityContextHolderStrategy.getContext();
        if (securityContext == null) {
            return null;
        } else {
            Object securityContextResult = securityContext;
            CurrentSecurityContext annotation = (CurrentSecurityContext)this.findMethodAnnotation(CurrentSecurityContext.class, parameter);
            String expressionToParse = annotation.expression();
            if (StringUtils.hasLength(expressionToParse)) {
                StandardEvaluationContext context = new StandardEvaluationContext();
                context.setRootObject(securityContext);
                context.setVariable("this", securityContext);
                context.setBeanResolver(this.beanResolver);
                Expression expression = this.parser.parseExpression(expressionToParse);
                securityContextResult = expression.getValue(context);
            }
            // this
            if (securityContextResult != null && !parameter.getParameterType().isAssignableFrom(securityContextResult.getClass())) {
                if (annotation.errorOnInvalidType()) {
                    throw new ClassCastException("" + securityContextResult + " is not assignable to " + parameter.getParameterType());
                } else {
                    return null;
                }
            } else {
                return securityContextResult;
            }
        }
    }
    /***/
}
Context
This stems from our desire to leverage user information, acquired from the security context, throughout diverse business logic. We have indeed deliberated on the option of devising a bespoke resolver. However, this approach would inevitably introduce greater intricacy into our code and amplify the overhead tied to its upkeep. Presently, my strategy involves harnessing the ConversionService provided by the Spring framework's context. In scenarios where there are inconsistencies between types, conversions are seamlessly executed via the ConversionService, ensuring that the data can be appropriately utilized regardless of initial type disparities.
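The ConversionService fallback described under Context, written out as an added example; it is not code from the issue or from Spring Security. The `resolve` method, the `AppUser` type and the sample value are hypothetical: the method repeats the excerpt's assignability check and tries a conversion before the `errorOnInvalidType` branch is reached.

```java
import org.springframework.core.convert.ConversionService;
import org.springframework.core.convert.support.GenericConversionService;

public class ConversionFallbackExample {

    // Hypothetical application type that a controller parameter might declare.
    record AppUser(String username) {}

    // Same assignability check as the resolver excerpt, with a ConversionService
    // fallback inserted before the errorOnInvalidType decision (assumed design).
    static Object resolve(Object result, Class<?> parameterType,
            boolean errorOnInvalidType, ConversionService conversionService) {
        if (result == null || parameterType.isAssignableFrom(result.getClass())) {
            return result;
        }
        if (conversionService != null
                && conversionService.canConvert(result.getClass(), parameterType)) {
            return conversionService.convert(result, parameterType);
        }
        if (errorOnInvalidType) {
            throw new ClassCastException(result + " is not assignable to " + parameterType);
        }
        return null;
    }

    public static void main(String[] args) {
        // GenericConversionService starts with no converters registered, so only
        // the String -> AppUser conversion added here can ever be applied.
        GenericConversionService conversions = new GenericConversionService();
        conversions.addConverter(String.class, AppUser.class, AppUser::new);

        Object principalName = "alice"; // constructed sample value

        // Registered conversion: the String becomes an AppUser.
        System.out.println(resolve(principalName, AppUser.class, true, conversions));
        // No converter and errorOnInvalidType=false: null, as in the excerpt.
        System.out.println(resolve(principalName, Integer.class, false, conversions));
        // No converter and errorOnInvalidType=true: ClassCastException.
        try {
            resolve(principalName, Integer.class, true, conversions);
        } catch (ClassCastException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```

Which ConversionService backs such a fallback decides which types a security-context value can be turned into: `DefaultConversionService` registers many general-purpose converters, while an explicitly populated `GenericConversionService` keeps the set of allowed conversions reviewable.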
Comment From: jzheaux
Hi, @milo-xiaomeng, thanks for the report. I'm not quite understanding what you mean by:
> Currently, the CurrentSecurityContextArgumentResolver does not support the functionality of cross-type property population, resulting in data retrieved from the security context being unable to directly populate objects with properties of different types.
To make sure that we address the right thing, will you please post an example of code in your application that is not working and how you would expect it to work? A minimal GitHub reproducer would be even better.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.