Skip to content

Add AuthorizationManager #8900

New issue
New issue
Closed
#8996
Closed
Add AuthorizationManager#8900
#8996
Assignees
evgeniycheban
Labels
in: coreAn issue in spring-security-coretype: enhancementA general enhancement
@rwinch

Description

@rwinch
rwinch
opened on Aug 3, 2020

We should add an AuthorizationManager which is an imperative version of ReactiveAuthorizationManager. The class should look something like:

public interface AuthorizationManager<T> {
	AuthorizationDecision check(Supplier<Authentication> authentication, T object);

	default void verify(Supplier<Authentication> authentication, T object) {
		AuthorizationDecision decision = check(authentication, object);
		if (!decision.isGranted()) {
			throw new AccessDeniedException("Access Denied");
		}
	}
}

Using something that allows delaying looking up the Authentication like Supplier<Authentication> vs an Authentication directly.

We should also add support for AuthorizationManager in HttpSecurity.authorizeRequests().

Finally, we should change around the existing classes that use AccessDecisionManager should migrate to AuthorizationManager and AccessDecisionManager should be marked as deprecated.

Metadata

Metadata

Assignees

Labels

in: coreAn issue in spring-security-coretype: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions