Support fullyAuthenticated in Kotlin authorizeHttpRequests #16162

Closed
sgrimm opened this issue Nov 25, 2024 · 2 comments · May be fixed by #16190
Labels
in: config An issue in spring-security-config type: enhancement A general enhancement

sgrimm commented Nov 25, 2024

Describe the bug
Upgrading from Spring Boot 3.3.5 to 3.4.0 includes an upgrade to Spring Security 6.4, which deprecates the authorizeRequests block in the HTTP configuration DSL. The deprecation message suggests using authorizeHttpRequests instead. But authorizeHttpRequests is missing the fullyAuthenticated property.

w: file:///home/runner/work/terraware-server/terraware-server/src/main/kotlin/com/terraformation/backend/auth/SecurityConfig.kt:67:7 '@Deprecated(...) fun authorizeRequests(authorizeRequestsConfiguration: AuthorizeRequestsDsl.() -> Unit): Unit' is deprecated. Since 6.4. Use authorizeHttpRequests instead.

To Reproduce
In a Spring Boot 3.3.5 app, use a security configuration like

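```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      // Deprecated DSL block; it provides the fullyAuthenticated property.
      authorizeRequests {
        authorize("/api/**", fullyAuthenticated)
      }
    }
    // Build and return the chain, as the declared return type requires.
    return http.build()
  }
}
```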

Upgrade to Spring Boot 3.4.0 and follow the suggestion to replace authorizeRequests with authorizeHttpRequests:

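```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        // Does not compile: fullyAuthenticated is not defined in this DSL block.
        authorize("/api/**", fullyAuthenticated)
      }
    }
    // Build and return the chain, as the declared return type requires.
    return http.build()
  }
}
```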

Compilation will fail because fullyAuthenticated is undefined.

Expected behavior
The suggested replacement in the deprecation message should include all the functionality of the older version or there should be a migration guide describing what to use instead.

Sample
https://github.com/sgrimm/spring-security-fullyauthenticated

SecurityConfig.kt in that repo

Workaround
Define fullyAuthenticated in the application code:

```kotlin
val fullyAuthenticated = AuthenticatedAuthorizationManager.fullyAuthenticated<RequestAuthorizationContext>()
```
@sgrimm sgrimm added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 25, 2024
@sgrimm sgrimm changed the title Kotlin AuthorizeHttpRequestsDsl missing fullyAuthenticated property 6.4 Kotlin AuthorizeHttpRequestsDsl missing fullyAuthenticated property Nov 25, 2024
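
The workaround placed in a complete configuration, together with a check of why `authenticated` is not a drop-in substitute during this migration: `fullyAuthenticated` denies remember-me authentication, while `authenticated` grants it. This is an added example, not code from the issue or from Spring Security; it assumes Spring Security 6.4 or later (for `AuthorizationManager.authorize`), and the `granted` helper, the sample tokens and the `<Any>`-typed managers are constructed for illustration.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.RememberMeAuthenticationToken
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.authorization.AuthenticatedAuthorizationManager
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.access.intercept.RequestAuthorizationContext
import java.util.function.Supplier

// Workaround from the issue: define the manager in application code.
val fullyAuthenticated =
    AuthenticatedAuthorizationManager.fullyAuthenticated<RequestAuthorizationContext>()

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilter(http: HttpSecurity): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        // Not `authenticated`: that would also admit remember-me logins.
        authorize("/api/**", fullyAuthenticated)
      }
    }
    return http.build()
  }
}

// Hypothetical helper: evaluates a manager against a token. The secured object is
// ignored by AuthenticatedAuthorizationManager, so Unit stands in for the request.
fun granted(manager: AuthorizationManager<Any>, auth: Authentication): Boolean =
    manager.authorize(Supplier { auth }, Unit)?.isGranted == true

fun main() {
  val roles = AuthorityUtils.createAuthorityList("ROLE_USER")
  // Constructed sample tokens for the same user: interactive login vs. remember-me cookie.
  val login = UsernamePasswordAuthenticationToken.authenticated("alice", "n/a", roles)
  val cookie = RememberMeAuthenticationToken("sample-key", "alice", roles)
  val anyAuth = AuthenticatedAuthorizationManager.authenticated<Any>()
  val fullAuth = AuthenticatedAuthorizationManager.fullyAuthenticated<Any>()
  println("authenticated:      login=${granted(anyAuth, login)} rememberMe=${granted(anyAuth, cookie)}")
  println("fullyAuthenticated: login=${granted(fullAuth, login)} rememberMe=${granted(fullAuth, cookie)}")
}
```
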
jzheaux commented Nov 25, 2024

Hi, @sgrimm, thanks for the report. I think this would be a reasonable addition for the 6.5 release. Are you able to submit a PR to add fullyAuthenticated to the Kotlin DSL?

@jzheaux jzheaux added in: config An issue in spring-security-config type: enhancement A general enhancement status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 25, 2024
@jzheaux jzheaux changed the title 6.4 Kotlin AuthorizeHttpRequestsDsl missing fullyAuthenticated property Support fullyAuthenticated in Kotlin authorizeHttpRequests Nov 25, 2024
franticticktick added a commit to franticticktick/spring-security that referenced this issue Nov 29, 2024
@jzheaux jzheaux self-assigned this Dec 5, 2024
@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Dec 5, 2024
jzheaux commented Dec 5, 2024

Thanks, @franticticktick for the PR! Closing this in favor of #16190.

@jzheaux jzheaux closed this as completed Dec 5, 2024
franticticktick added a commit to franticticktick/spring-security that referenced this issue Dec 5, 2024