Skip to content

With @PreAuthorize, method validation does not work. #10470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Tracked by #11335
und3rs opened this issue Nov 4, 2021 · 5 comments
Closed
Tracked by #11335

With @PreAuthorize, method validation does not work. #10470

und3rs opened this issue Nov 4, 2021 · 5 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: bug A general bug
Milestone
6.2.0

Comments

@und3rs
Copy link

und3rs commented Nov 4, 2021

Describe the bug
If I use @PreAuthorize, the validation for @RequestParam does not work.

To Reproduce

//-----------------------------------------------------
    // With PreAuthorize: Validation does NOT work
    //-----------------------------------------------------
    @GetMapping("withPreAuthorize")
    @ResponseStatus(HttpStatus.OK)
    @PreAuthorize("hasRole('USER')")
    suspend fun withPreAuthorize(
        @RequestParam(defaultValue = "100", required = true) @Min(1) @Max(100) limit: Int,
    ): String {
        return "OK"
    }


    //-----------------------------------------------------
    // Without PreAuthorize: Validation works
    //-----------------------------------------------------
    @GetMapping("withoutPreAuthorize")
    @ResponseStatus(HttpStatus.OK)
    suspend fun withoutPreAuthorize(
        @RequestParam(defaultValue = "100", required = true) @Min(1) @Max(100) limit: Int,
    ): String {
        return "OK"
    }

Expected behavior
A clear and concise description of what you expected to happen.
@PreAuthorize should not disturb validator.

Sample
https://github.com/und3rs/springboot-helpme
You can test with '\src\test\kotlin\test.http'.
@und3rs und3rs added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 4, 2021
@marcusdacoregio
Copy link
Contributor

Thanks for reaching out @und3rs.

This seems to be related to #10252 where the PrePostAdviceReactiveMethodInterceptor does not call the others interceptors in the chain.

Are you interested in submitting a pull request to fix the issue?

@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 4, 2021
@scottfrederick scottfrederick mentioned this issue Nov 4, 2021
Closed
@igorpele
Copy link
Contributor

Hi, I just had a look at this code and there is obviously a bug in PrePostAdviceReactiveMethodInterceptor calling Kotlin suspending functions:

        if (isSuspendingFunction) {
         response = toInvoke.flatMapMany((auth) -> Flux
   	.from(CoroutinesUtils.invokeSuspendingFunction(invocation.getMethod(), invocation.getThis(),
   							invocation.getArguments()))
   		.map((r) -> (attr != null) ? this.postAdvice.after(auth, invocation, attr, r) : r));
   }

because the suspending function is called directly using CoroutinesUtils.invokeSuspendingFunction without the proceed method.

The obvious way to solve it would be to call the proceed method

Mono<?> response = toInvoke.flatMap((auth) -> Mono
		.from(PrePostAdviceReactiveMethodInterceptor.<Mono<?>>proceed(invocation))
		.map((r) -> (attr != null) ? this.postAdvice.after(auth, invocation, attr, r) : r));

but that would mean omitting the special treatment of Kotlin suspending function, which is imho architecturally not best placed in a MethodInterceptor and should be handled somewhere centrally ie by placing a dedicated MethodInvocation in the chain. Any thoughts?

@und3rs
Copy link
Author

und3rs commented Jan 7, 2022

Any update, please?

@rwinch rwinch mentioned this issue Jun 3, 2022
Open
7 tasks
@jzheaux
Copy link
Contributor

jzheaux commented Jun 4, 2024

Please see my comment in #10252. Given that, I'll mark this as closed as of 6.2.0.

I can also confirm that when I take the sample provided in the OP and update it to the latest, it demonstrates the expected behavior.

@jzheaux jzheaux closed this as completed Jun 4, 2024
@jzheaux jzheaux self-assigned this Jun 4, 2024
@jzheaux jzheaux added this to the 6.2.0 milestone Jun 4, 2024
@und3rs
Copy link
Author

und3rs commented Jun 10, 2024

Thanks a lot!!!
I checked this bug fixed and update my project successfuly!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: bug A general bug
Projects
None yet
Milestone
6.2.0
Development

No branches or pull requests
5 participants
@igorpele @jzheaux @eleftherias @marcusdacoregio @und3rs