Expected Behavior

AuthorizationAnnotationUtils may be very useful if you plan to implement your own security annotation and corresponding authorization manager, because it adds additional security behaviour to the classic AnnotationUtils in Spring Framework.

Hence, it would be useful if custom extensions could use it.

Current Behavior

AuthorizationAnnotationUtils is package-private, so it can't be used by custom implementations. You either need to copy its code (running the risk of losing fixes in newer versions of Spring Security) or just use AnnotationUtils (running the risk of processing duplicate, contradictory annotations in an unsafe way).

Context

I needed to create a custom annotation very similar to Secured, which, however, works with our role enumeration instead of plain strings. So I created an Advisor for it as described at https://docs.spring.io/spring-security/reference/5.8/servlet/authorization/method-security.html#jc-method-security-custom-authorization-manager, but I also needed to write a proper AuthorizationManager to extract my annotation value from the target method/class and use it to compute AuthorizationDecisions.

Working with Spring Security 5.8.13.

Comment From: jzheaux

Hi, @mauromol, thanks for the suggestion. Spring Security 6.4 adds SecurityAnnotationScanner, which does exactly this, though it hasn't received much documentation just yet. If you are able to try it out (say, in a sample application) your feedback would be very helpful in determining if the API can be improved.

The basic usage is:

```java
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.security.core.annotation.SecurityAnnotationScanners;

// requireUnique(...) rejects duplicate or contradictory annotations instead of silently picking one
SecurityAnnotationScanner<AnAnnotation> scanner = SecurityAnnotationScanners.requireUnique(AnAnnotation.class);

// ...

// resolves AnAnnotation from the method or its target class; null if the annotation is absent
AnAnnotation annotation = scanner.scan(method, targetClass);
```

Are you able to try out 6.4-SNAPSHOT and provide feedback?
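Putting the scanner to work in the kind of custom authorization manager the issue describes (an added example, not code from the issue or from Spring Security itself): a Secured-like annotation carrying an enum of roles, resolved with requireUnique so that duplicate annotations fail fast instead of being processed unsafely. AppRole, RequiresRole and RoleAuthorizationManager are assumed names, the ROLE_ prefix is an assumed convention, and org.springframework.security.core.annotation is where the scanner lives in 6.4.

```java
// Added example (not from the issue or from Spring Security). Assumed names: AppRole,
// RequiresRole, RoleAuthorizationManager; assumed convention: "ROLE_" authority prefix.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.support.AopUtils;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.security.core.annotation.SecurityAnnotationScanners;

enum AppRole { ADMIN, AUDITOR, USER }

@Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME)
@interface RequiresRole {
    AppRole[] value(); // holding any one of these roles grants access
}

class RoleAuthorizationManager implements AuthorizationManager<MethodInvocation> {
    // requireUnique(...) throws on duplicate/contradictory RequiresRole annotations rather than
    // picking one silently, which is the gap plain AnnotationUtils leaves open.
    private final SecurityAnnotationScanner<RequiresRole> scanner =
            SecurityAnnotationScanners.requireUnique(RequiresRole.class);

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
        Class<?> targetClass = (mi.getThis() != null) ? AopUtils.getTargetClass(mi.getThis()) : null;
        RequiresRole required = this.scanner.scan(mi.getMethod(), targetClass);
        if (required == null) {
            return null; // abstain: the Advisor's pointcut normally only matches annotated methods
        }
        Authentication auth = authentication.get();
        if (auth == null || !auth.isAuthenticated()) {
            return new AuthorizationDecision(false); // deny-by-default for anonymous callers
        }
        for (AppRole role : required.value()) {
            String authority = "ROLE_" + role.name();
            if (auth.getAuthorities().stream().anyMatch(g -> authority.equals(g.getAuthority()))) {
                return new AuthorizationDecision(true);
            }
        }
        return new AuthorizationDecision(false);
    }
}
```

The manager is meant to be wired through the Advisor from the linked 5.8 documentation; in 6.4 `check` is deprecated in favour of `authorize`, whose default implementation still delegates to `check`.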

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: mauromol

Are you able to try out 6.4-SNAPSHOT and provide feedback?

I backported the SecurityAnnotationScanner class and all the related support classes into our project and it works perfectly fine for us. So I really look forward to seeing it in 6.4 final.

Thanks a lot!

Comment From: jzheaux

Closed in 626610a9755177c46be88ea6ff40f4352075a09a