Skip to content

Consider supporting Spring Data container types for AuthorizeReturnObject #16953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Consider supporting Spring Data container types for AuthorizeReturnObject #16953

wants to merge 1 commit into from

Conversation

evgeniycheban
Copy link
Contributor

Closes gh-15994

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 17, 2025
@evgeniycheban evgeniycheban force-pushed the gh-15994 branch 6 times, most recently from aa991e6 to fe6e014 Compare April 18, 2025 01:17
@jzheaux jzheaux added in: data An issue in spring-security-data type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 7, 2025
@jzheaux jzheaux added this to the 7.0.x milestone May 7, 2025
@jzheaux jzheaux self-assigned this May 7, 2025
jzheaux
jzheaux reviewed May 27, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @evgeniycheban, this looks great. I left a comment that I could use your clarification on.

...ork/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java
@@ -34,4 +44,39 @@ static SecurityHintsRegistrar authorizeReturnObjectDataHintsRegistrar(Authorizat
return new AuthorizeReturnObjectDataHintsRegistrar(proxyFactory);
}

@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@Order(Ordered.HIGHEST_PRECEDENCE + 100)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not clear on why this is needed. Can you elaborate? If anything, I would have expected it to have LOWEST_PRECEDENCE to make it easier to have custom TargetVisitor implementations take priority.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The initial reason for this was that the DataTargetVisitor should be executed before ContainerTypeVisitor because the ContainerTypeVisitor checks for Iterable which Spring Data container types are assignable for, also we have a test defining TargetVisitor.defaultsSkipValueTypes() with @Order(0), but generally I agree with your point that this could be set to LOWEST_PRECEDENCE.

@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label May 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux left review comments

Assignees

@jzheaux jzheaux

Labels
in: data An issue in spring-security-data status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement
Projects
None yet
Milestone
7.0.x
Development

Successfully merging this pull request may close these issues.

AuthorizeReturnObject should target the authorized object within Spring Data components
3 participants
@evgeniycheban @jzheaux @spring-projects-issues