Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
  
Thanks, @codeconsole! Will you please also add a unit test in  And when you push your update, it will help if you can change your commit to something more like this: It improves readability in the git history to have a short title. The
  
@jzheaux Thanks for the feedback. I have changed the commit message and added the test. I also published a snapshot locally and confirmed it works as expected with my application and that I am able to perform the behavior that I needed it to do. This 1 little change allows me to delete 462 lines of code so I will be excited to see it merged. 😄
  
@jzheaux The version of
  
It didn't cause any issues, @codeconsole, thanks for checking. I moved the PR to be based off of

Thanks, @codeconsole! This is now merged into

Fix extensibility issue since RequestMatcherDelegatingAuthorizationManager is final and does not expose any public methods other than what is available through AuthorizationManager.

Fixes #15948

Allows the following:

which opens up the possibility to provide additional security checks such as Controller annotations by wrapping the current manager and using the outcome of its authorization check to be compared against other checks.

This works similar to what is already possible with the ObjectPostProcessor for AuthorizationFilter except unlike RequestMatcherDelegatingAuthorizationManager, AuthorizationFilter is not final and can be extended.

There is no benefit in post processing a final class that doesn't expose any additional information that is not already provided by its interface AuthorizationManager.

Alternatively, you could just remove final from

spring-security/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
Line 49 in 8a97291

but either solution works.
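
The wrapping idea from the PR description above, as an added example that is not code from the pull request or from Spring Security. It uses small stand-in types instead of the real AuthorizationManager and ObjectPostProcessor, and the paths, role names and the controller-annotation table are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

public class WrappedManagerDemo {
    // Stand-in for AuthorizationManager: TRUE = grant, FALSE = deny, null = abstain.
    interface Manager { Boolean check(Set<String> authorities, String path); }

    // Stand-in for the URL-rule manager handed to the post-processor.
    static Boolean urlRules(Set<String> authorities, String path) {
        if (path.startsWith("/admin/")) return authorities.contains("ROLE_ADMIN");
        if (path.startsWith("/public/")) return Boolean.TRUE;
        return null; // no rule matched
    }

    // Constructed data: authority a hypothetical controller annotation requires.
    static final Map<String, String> CONTROLLER_REQUIRES =
            Map.of("/public/report", "ROLE_AUDITOR", "/admin/users", "ROLE_ADMIN");

    static Boolean controllerAnnotations(Set<String> authorities, String path) {
        String required = CONTROLLER_REQUIRES.get(path);
        if (required == null) return null; // handler carries no annotation
        return authorities.contains(required);
    }

    // Wrapper: a deny from either side is final, and no decision at all is a deny.
    static Manager wrap(Manager delegate, Manager extra) {
        return (authorities, path) -> {
            Boolean first = delegate.check(authorities, path);
            if (Boolean.FALSE.equals(first)) return false;
            Boolean second = extra.check(authorities, path);
            if (Boolean.FALSE.equals(second)) return false;
            return first != null || second != null;
        };
    }

    public static void main(String[] args) {
        Manager combined = wrap(WrappedManagerDemo::urlRules,
                                WrappedManagerDemo::controllerAnnotations);
        Set<String> user = Set.of("ROLE_USER");
        String[] paths = {"/public/info", "/public/report", "/admin/users", "/other"};
        for (String path : paths) {
            System.out.println(path + " user=" + combined.check(user, path)
                    + " admin=" + combined.check(Set.of("ROLE_ADMIN"), path));
        }
    }
}
```

The /public/report row is the case the wrapper exists for: the URL rules grant access, but the extra check denies any caller without ROLE_AUDITOR, so the combined result only ever tightens the delegate's decision.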