authorizeHttpRequests should pick up AuthorizationManager bean #11067

Closed
@jzheaux

authorizeHttpRequests replaces authorizeRequests. Specifically, it presents applications with the option to use a simplified API for programmatic authorization through AuthorizationManager.

It would be nice to pick up authorization manager @Beans and apply them by default. This would simplify constructs like:

@Bean 
SecurityFilterChain web(HttpSecurity http, AuthorizationManager<RequestAuthorizationContext> manager) throws Exception {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().access(manager)
        )
        // ...
}

@Bean 
AuthorizationManager<RequestAuthorizationContext> manager() {
    return AuthorityAuthorizationManager.hasRole("USER");
}

to become:

@Bean 
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(Customizer.withDefaults())
        // ...
}

@Bean 
AuthorizationManager<HttpServletRequest> manager() {
    return AuthorityAuthorizationManager.hasRole("USER");
}

Then, applications can specify the authorization subsystem simply by publishing a bean.

Labels

in: web (An issue in web modules (web, webmvc))
status: declined (A suggestion or change that we don't feel we should currently apply)
type: enhancement (A general enhancement)
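
Since the request was declined, the manager bean still has to be injected and applied explicitly. The following is an added example, not code from the issue or from Spring Security itself, showing that wiring with a custom request-aware manager; the class name, the HTTP Basic setup and the method-based policy are assumptions, and it targets the Servlet configuration API in Spring Security 6.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
class MethodAwareSecurityConfig { // hypothetical class name

    private static final Set<String> READ_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    // The manager bean is injected and applied explicitly; it is not picked up by default.
    @Bean
    SecurityFilterChain web(HttpSecurity http,
            AuthorizationManager<RequestAuthorizationContext> manager) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().access(manager)
            )
            .httpBasic(Customizer.withDefaults()); // assumed authentication mechanism
        return http.build();
    }

    // Assumed policy: read-only methods need ROLE_USER, every other method needs ROLE_ADMIN.
    @Bean
    AuthorizationManager<RequestAuthorizationContext> manager() {
        return (authentication, context) -> {
            String required = READ_METHODS.contains(context.getRequest().getMethod())
                    ? "ROLE_USER" : "ROLE_ADMIN";
            Authentication auth = authentication.get();
            // Deny when there is no authentication or the required authority is absent.
            boolean granted = auth != null && auth.isAuthenticated()
                    && auth.getAuthorities().stream()
                        .anyMatch((a) -> required.equals(a.getAuthority()));
            return new AuthorizationDecision(granted);
        };
    }
}
```

Because the manager is attached to `anyRequest()`, every request passes through it, and any request it does not explicitly grant is denied.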
