Skip to content

Prevent using both authorizeRequests and authorizeHttpRequests #10574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 6, 2021
Merged

Prevent using both authorizeRequests and authorizeHttpRequests #10574

merged 1 commit into from
Dec 6, 2021

Conversation

marcusdacoregio
Copy link
Contributor

Closes gh-10573

@marcusdacoregio marcusdacoregio added status: duplicate A duplicate of another issue in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 1, 2021
@marcusdacoregio marcusdacoregio added this to the 6.0.0-M1 milestone Dec 1, 2021
@marcusdacoregio marcusdacoregio self-assigned this Dec 1, 2021
@marcusdacoregio marcusdacoregio modified the milestones: 6.0.0-M1, 5.7.0-M1 Dec 1, 2021
rwinch
rwinch requested changes Dec 2, 2021
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it may be valuable to let power users add the Filters manually, but rather prevent both authorizeRequests() and authorizeHttpRequests() from being invoked on the DSL. I also like the simplicity of adding a check on the dsl methods vs iterating over all the Filters. What are your thoughts?

@marcusdacoregio
Copy link
Contributor Author

Thanks for the feedback @rwinch.

Totally agreed. Users who add filters manually know exactly what they are doing. I'm going to apply the changes.

@marcusdacoregio marcusdacoregio changed the title Prevent having both FilterSecurityInterceptor and AuthorizationFilteron filter chain Prevent using both authorizeRequests and authorizeHttpRequests Dec 2, 2021
@marcusdacoregio
Copy link
Contributor Author

I've updated the PR to avoid having authorizeHttpRequests and authorizeRequests in the same configuration.

rwinch
rwinch requested changes Dec 3, 2021
View reviewed changes
...ingframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java Outdated
@Override
public void configure(H http) {
ExpressionUrlAuthorizationConfigurer<?> configurer = http
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this to where we are building http? I'd prefer the configurers not need to know about each other.

@marcusdacoregio
Copy link
Contributor Author

Thanks @rwinch. I've updated the PR.

rwinch
rwinch approved these changes Dec 6, 2021
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks great!

The only other change is the PR should be pointed to 5.7 branch rather than main since the ticket is (rightfully) assigned to 5.7

@marcusdacoregio marcusdacoregio changed the base branch from main to 5.7.x December 6, 2021 18:29
@marcusdacoregio marcusdacoregio merged commit ed3b0fb into spring-projects:5.7.x Dec 6, 2021
@marcusdacoregio marcusdacoregio deleted the gh-10573 branch December 6, 2021 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch approved these changes

Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
5.7.0-M1
Development

Successfully merging this pull request may close these issues.

Prevent using both authorizeRequests and authorizeHttpRequests
2 participants
@marcusdacoregio @rwinch