Provide a ReactiveSecurityEvaluationContextExtension via spring-security-data #8958
Description
Expected Behavior
Add a ReactiveSecurityEvaluationContextExtension (similar to the existing SecurityEvaluationContextExtension) that provides access to the Authentication object obtained from a Reactor Context, so that it can be used within SpEL expressions of annotated Spring Data queries.
@Query("select m from Message m where m.to.id = ?#{ principal?.id }")
Flux<Message> findInbox();Context
Spring Data Commons 2.4.0.M2 now contains the required SPI (ReactiveEvaluationContextExtension) to implement reactive SpEL evaluation extensions. (see: DATACMNS-1108)
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
No branches or pull requests
Participants
Activity
ThomasVitale commentedon May 5, 2021
@jzheaux can I help with this task?
jzheaux commentedon May 6, 2021
Sure, @ThomasVitale, thanks for the offer!
Since
ReactiveEvaluationContextExtensionreturns aMono<? extends EvaluationContextExtension>, let's try and reuseSecurityEvaluationContextExtension. I'm thinking something like:would work nicely.
@christophstrobl, does
getExtensionIdneed to return something different fromSecurityEvaluationContextExtension("security"), and if so, is there a naming convention that's being followed?antoinechamot commentedon Jul 17, 2021
It doesn't work I have "Authentication object cannot be null" with
And
@Query("{ $or :[ {'authorId': ?#{principal?.subject}}, {'assigneeId': ?#{principal?.subject}} ] }")jzheaux commentedon Jul 19, 2021
@ThomasVitale is this something you are able to add?
Thanks for trying this out @antoinechamot. I can confirm that it works when I modify the MongoDB Spring Data example to include Spring Security and the code you posted. I wonder if your application is using reactive repositories and if the user is authenticated.
14 remaining items
svenuthe commentedon Mar 2, 2022
Originally posted by @mp911de in spring-projects/spring-data-r2dbc#658 (comment)
According to my and @mp911de findings a second
SecurityEvaluationContextExtensionis registered by spring-data which prevents the simple use of aReactiveEvaluationContextExtensionbean.@christophstrobl I fixed this by setting the imperative extension to null:
@Bean fun reactiveSecurityContextExtension(): ReactiveEvaluationContextExtension = object : ReactiveEvaluationContextExtension { override fun getExtensionId(): String = "reactiveSecurity" override fun getExtension(): Mono<out EvaluationContextExtension> = ReactiveSecurityContextHolder .getContext() .map { it.authentication as JwtAuthenticationToken } .map { SecurityEvaluationContextExtension(it) } } @Bean fun securityContextExtension(): SecurityEvaluationContextExtension? { return null }@marcusdacoregio Will this behavior be changed in the future?
jzheaux commentedon Mar 11, 2022
@svenuthe, I think Spring Data is willing to take a look if you file a separate issue. I'm not sure there's anything Security can do until that is addressed.
ThomasVitale commentedon Mar 14, 2022
@jzheaux A
SecurityEvaluationContextExtensionbean is configured inSecurityDataConfiguration, which is imported inSecurityAutoConfiguration. Should a new issue be opened in Spring Data, in Spring Boot, or would the change be part of this one?I guess that one option would be adding an extra condition on the
SecurityEvaluationContextExtensionbean so that it's not created in a reactive application if we have already aReactiveEvaluationContextExtensionbean. Or perhaps it should be Spring Data responsible for choosing the proper bean if both are present?