You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
By clicking “Sign up for GitHub”, you agree to our
terms of service
and
privacy statement
. We’ll occasionally send you account related emails.
Already on GitHub?
Sign in
to your account
see
spring-projects/spring-boot#3317
see
#2672
see
https://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/faq.html#faq-dynamic-url-metadata
Please provide an "easy" way, to provide a custom
org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource
when using Java configuration.
We're currently trying to migrate an old Spring application to Spring Security 5.1.5. In this process we'd like to migrate the current xml-based configuration to a
WebSecurityConfigurerAdapter
subclass.
The urls handled by the appication represent Objects in a remote storage which has its own ACL system. Therefore we implemented our own
FilterInvocationSecurityMetadataSource
which queries the remote storage for the correct access restrictions for each object/url.
Ideally we'd like to do something like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().securityMetadataSource(myCustomMetadataSource);
Another option I looked into is using a custom AbstractInterceptUrlConfigurer
in order to override its createMetadataSource()
method, but the class is package-private and its public subclasses are final.
.authorizeRequests()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public FilterSecurityInterceptor postProcess(FilterSecurityInterceptor filter) {
filter.setSecurityMetadataSource(createMetadataSource());
return filter;
status: feedback-reminder
We've sent a reminder that we need additional information before we can continue
label
Jul 10, 2019