
therepanic
Contributor

In order to achieve the goal of the update, I wrap every method related to authorized users in withRequiredAuthorities, which looks at the requiredAuthorities we specified.

Closes: gh-17900

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 21, 2025

This commit adds AuthorizationManager<T> additionalAuthorization to
DefaultAuthorizationManagerFactory which can be used for multi factor
authorization.

There is a builder that allows for creating an instance that requires
static additional authorities, but for more advanced cases users can
inject an additionalAuthorization that looks up if the user has settings
that enable additional required authorities.

The builder can later be updated to support checking that a particular
authority was granted within a specified amount of time.

Issue spring-projectsgh-17900
@rwinch rwinch self-assigned this Sep 23, 2025
@rwinch rwinch added in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 23, 2025
@rwinch rwinch added this to the 7.0.0-RC1 milestone Sep 23, 2025
@rwinch
Member

rwinch commented Sep 23, 2025

@therepanic Thanks for the pull request. I refactored the code to:

  • Support more than requiring additional authorities by allowing the AuthorizationManager to be injected instead of just additional authorities. This will allow for more complex scenarios that might want to look up in a database if the current user is configured to require MFA.
  • A Builder to simplify configuring static additional authorities. This will also allow adding another method that supports adding rules where the factor might need to have happened within a certain time period (e.g. require password authentication within 10 minutes, otherwise reprompt the user).

I've marked this to be automatically merged once the build completes. Thanks again!

@rwinch rwinch enabled auto-merge September 23, 2025 21:44
@rwinch rwinch merged commit 549569e into spring-projects:main Sep 23, 2025
6 checks passed
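
The composition discussed in this thread, as an added example that is not code from the pull request or from Spring Security: a dependency-free Java model in which a factory ANDs every rule it creates with an injected additional check, once with static required authorities and once with a per-user settings lookup. All type, method and authority names here (`Rule`, `RuleFactory`, `requireAll`, `requireFromSettings`, `FACTOR_PASSWORD`, `FACTOR_OTT`) are hypothetical, and the users and settings are constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Hypothetical stand-in types; this does not use Spring Security's AuthorizationManager API.
public class AdditionalAuthorizationDemo {

    record User(String name, Set<String> authorities) {}

    interface Rule { boolean granted(User user); }

    // Every rule the factory hands out is the base rule AND the additional check,
    // so the additional check can only narrow access, never widen it.
    record RuleFactory(Rule additionalAuthorization) {
        Rule hasAuthority(String authority) {
            Rule base = user -> user.authorities().contains(authority);
            return user -> base.granted(user) && additionalAuthorization.granted(user);
        }
    }

    // Static case: every user must also hold all of the listed authorities.
    static Rule requireAll(Set<String> required) {
        return user -> user.authorities().containsAll(required);
    }

    // Dynamic case: the extra authorities come from a per-user lookup (a database in
    // practice). The lookup must return an empty set, not null, for unknown users.
    static Rule requireFromSettings(Function<String, Set<String>> lookup) {
        return user -> user.authorities().containsAll(lookup.apply(user.name()));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alicePassword = new User("alice", Set.of("ROLE_ADMIN", "FACTOR_PASSWORD"));
        User aliceBoth = new User("alice", Set.of("ROLE_ADMIN", "FACTOR_PASSWORD", "FACTOR_OTT"));
        User bobPassword = new User("bob", Set.of("ROLE_ADMIN", "FACTOR_PASSWORD"));

        Rule staticRule = new RuleFactory(requireAll(Set.of("FACTOR_PASSWORD", "FACTOR_OTT")))
                .hasAuthority("ROLE_ADMIN");
        System.out.println("static, alice with password only: " + staticRule.granted(alicePassword));
        System.out.println("static, alice with both factors:  " + staticRule.granted(aliceBoth));

        // Only alice has opted in to a second factor in the constructed settings.
        Map<String, Set<String>> settings = Map.of("alice", Set.of("FACTOR_OTT"));
        Rule dynamicRule = new RuleFactory(requireFromSettings(n -> settings.getOrDefault(n, Set.of())))
                .hasAuthority("ROLE_ADMIN");
        System.out.println("lookup, alice with password only: " + dynamicRule.granted(alicePassword));
        System.out.println("lookup, bob with password only:   " + dynamicRule.granted(bobPassword));
    }
}
```

In the lookup variant a user with no settings entry gets no extra requirement, so whether a missing entry should instead deny access is a policy decision to make explicitly.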
Successfully merging this pull request may close these issues.

Support Automatically Checking for Required Authorities in Authorization Rules