From d1c4351eb8aaf10caba22cf28af0cf56d30e055a Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Sat, 21 Jun 2025 01:41:15 +0700
Subject: [PATCH] Update document
Signed-off-by: Tran Ngoc Nhan
---
 .../pages/reactive/authorization/method.adoc | 4 +-
 .../ROOT/pages/servlet/appendix/faq.adoc | 8 ++--
 .../servlet/authorization/architecture.adoc | 8 ++--
 .../authorize-http-requests.adoc | 2 +-
 .../pages/servlet/authorization/events.adoc | 41 +++++++++----------
 .../authorization/method-security.adoc | 8 ++--
 .../pages/servlet/integrations/websocket.adoc | 2 +-
 7 files changed, 36 insertions(+), 37 deletions(-)
diff --git a/docs/modules/ROOT/pages/reactive/authorization/method.adoc b/docs/modules/ROOT/pages/reactive/authorization/method.adoc
index 42a68da609..6e2f96c980 100644
--- a/docs/modules/ROOT/pages/reactive/authorization/method.adoc
+++ b/docs/modules/ROOT/pages/reactive/authorization/method.adoc
@@ -308,7 +308,7 @@ Java::
 @Component
 public class MyPreAuthorizeAuthorizationManager implements ReactiveAuthorizationManager {
 @Override
- public Mono check(Supplier authentication, MethodInvocation invocation) {
+ public Mono authorize(Supplier authentication, MethodInvocation invocation) {
 // ... authorization logic
 }
@@ -321,7 +321,7 @@ Kotlin::
 ----
 @Component
 class MyPreAuthorizeAuthorizationManager : ReactiveAuthorizationManager {
- override fun check(authentication: Supplier, invocation: MethodInvocation): Mono {
+ override fun authorize(authentication: Supplier, invocation: MethodInvocation): Mono {
 // ... authorization logic
 }
diff --git a/docs/modules/ROOT/pages/servlet/appendix/faq.adoc b/docs/modules/ROOT/pages/servlet/appendix/faq.adoc
index 0c72852891..a47f591869 100644
--- a/docs/modules/ROOT/pages/servlet/appendix/faq.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/faq.adoc
@@ -544,7 +544,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager authentication, RequestAuthorizationContext context) { + public AuthorizationResult authorize(Supplier authentication, RequestAuthorizationContext context) { // query the external service } } @@ -565,7 +565,7 @@ class DynamicAuthorizationManager : AuthorizationManager?, context: RequestAuthorizationContext?): AuthorizationDecision { + override fun authorize(authentication: Supplier?, context: RequestAuthorizationContext?): AuthorizationResult { // look up rules from the database } } @@ -595,7 +595,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager authentication, MethodInvocation invocation) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation invocation) { // query the external service } } @@ -617,7 +617,7 @@ class DynamicAuthorizationManager : AuthorizationManager { private val authz: MyExternalAuthorizationService? = null // ... - override fun check(authentication: Supplier?, invocation: MethodInvocation?): AuthorizationDecision { + override fun authorize(authentication: Supplier?, invocation: MethodInvocation?): AuthorizationResult { // query the external service } } diff --git a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc index fc80141b45..264ef90e70 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc @@ -99,7 +99,7 @@ The `AuthorizationManager` interface contains two methods: [source,java] ---- -AuthorizationDecision check(Supplier authentication, Object secureObject); +AuthorizationResult authorize(Supplier authentication, Object secureObject); default void verify(Supplier authentication, Object secureObject) throws AccessDeniedException { 
@@ -113,7 +113,7 @@ For example, let's assume the secure object was a `MethodInvocation`. It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer. Implementations are expected to return a positive `AuthorizationDecision` if access is granted, negative `AuthorizationDecision` if access is denied, and a null `AuthorizationDecision` when abstaining from making a decision. -`verify` calls `check` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`. +`verify` calls `authorize` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`. [[authz-delegate-authorization-manager]] === Delegate-based AuthorizationManager Implementations @@ -180,7 +180,7 @@ public class AccessDecisionManagerAuthorizationManagerAdapter implements Authori private final SecurityMetadataSource securityMetadataSource; @Override - public AuthorizationDecision check(Supplier authentication, Object object) { + public AuthorizationResult authorize(Supplier authentication, Object object) { try { Collection attributes = this.securityMetadataSource.getAttributes(object); this.accessDecisionManager.decide(authentication.get(), object, attributes); @@ -216,7 +216,7 @@ public class AccessDecisionVoterAuthorizationManagerAdapter implements Authoriza private final SecurityMetadataSource securityMetadataSource; @Override - public AuthorizationDecision check(Supplier authentication, Object object) { + public AuthorizationResult authorize(Supplier authentication, Object object) { Collection attributes = this.securityMetadataSource.getAttributes(object); int decision = this.accessDecisionVoter.vote(authentication.get(), object, attributes); switch (decision) { 
diff --git a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
index ca3fd6b2bf..47427233d3 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
@@ -861,7 +861,7 @@ Java::
 @Component
 public final class OpenPolicyAgentAuthorizationManager implements AuthorizationManager {
 @Override
- public AuthorizationDecision check(Supplier authentication, RequestAuthorizationContext context) {
+ public AuthorizationResult authorize(Supplier authentication, RequestAuthorizationContext context) {
 // make request to Open Policy Agent
 }
 }
diff --git a/docs/modules/ROOT/pages/servlet/authorization/events.adoc b/docs/modules/ROOT/pages/servlet/authorization/events.adoc
index a791dcb365..5d8fd796e9 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/events.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/events.adoc
@@ -95,29 +95,28 @@ public class MyAuthorizationEventPublisher implements AuthorizationEventPublishe
 @Override
 public void publishAuthorizationEvent(Supplier authentication,
- T object, AuthorizationDecision decision) {
- if (decision == null) {
+ T object, AuthorizationResult result) {
+ if (result == null) {
 return;
 }
- if (!decision.isGranted()) {
- this.delegate.publishAuthorizationEvent(authentication, object, decision);
+ if (!result.isGranted()) {
+ this.delegate.publishAuthorizationEvent(authentication, object, result);
 return;
 }
- if (shouldThisEventBePublished(decision)) {
+ if (shouldThisEventBePublished(result)) {
 AuthorizationGrantedEvent granted = new AuthorizationGrantedEvent(
- authentication, object, decision);
+ authentication, object, result);
 this.publisher.publishEvent(granted);
 }
 }
- private boolean shouldThisEventBePublished(AuthorizationDecision decision) {
- if (!(decision instanceof AuthorityAuthorizationDecision)) {
- return false;
- }
- Collection authorities = ((AuthorityAuthorizationDecision) decision).getAuthorities();
- for (GrantedAuthority authority : authorities) {
- if ("ROLE_ADMIN".equals(authority.getAuthority())) {
- return true;
+ private boolean shouldThisEventBePublished(AuthorizationResult result) {
+ if (result instanceof AuthorityAuthorizationDecision authorityAuthorizationDecision) {
+ Collection authorities = authorityAuthorizationDecision.getAuthorities();
+ for (GrantedAuthority authority : authorities) {
+ if ("ROLE_ADMIN".equals(authority.getAuthority())) {
+ return true;
+ }
 }
 }
 return false;
@@ -137,22 +136,22 @@ class MyAuthorizationEventPublisher(val publisher: ApplicationEventPublisher,
 override fun publishAuthorizationEvent(
 authentication: Supplier?,
 `object`: T,
- decision: AuthorizationDecision?
+ result: AuthorizationResult?
 ) {
- if (decision == null) {
+ if (result == null) {
 return
 }
- if (!decision.isGranted) {
- this.delegate.publishAuthorizationEvent(authentication, `object`, decision)
+ if (!result.isGranted) {
+ this.delegate.publishAuthorizationEvent(authentication, `object`, result)
 return
 }
- if (shouldThisEventBePublished(decision)) {
- val granted = AuthorizationGrantedEvent(authentication, `object`, decision)
+ if (shouldThisEventBePublished(result)) {
+ val granted = AuthorizationGrantedEvent(authentication, `object`, result)
 this.publisher.publishEvent(granted)
 }
 }
- private fun shouldThisEventBePublished(decision: AuthorizationDecision): Boolean {
+ private fun shouldThisEventBePublished(result: AuthorizationResult): Boolean {
 if (decision !is AuthorityAuthorizationDecision) {
 return false
 }
diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
index 944e1813f2..f16ce38db0 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -1371,12 +1371,12 @@ Java::
 @Component
 public class MyAuthorizationManager implements AuthorizationManager, AuthorizationManager {
 @Override
- public AuthorizationDecision check(Supplier authentication, MethodInvocation invocation) {
+ public AuthorizationResult authorize(Supplier authentication, MethodInvocation invocation) {
 // ... authorization logic
 }
 @Override
- public AuthorizationDecision check(Supplier authentication, MethodInvocationResult invocation) {
+ public AuthorizationResult authorize(Supplier authentication, MethodInvocationResult invocation) {
 // ... authorization logic
 }
 }
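Review bot: In the Kotlin `shouldThisEventBePublished` sample of events.adoc, the parameter is renamed to `result` but the unchanged context line `if (decision !is AuthorityAuthorizationDecision) {` still refers to `decision`, so the snippet no longer compiles as shown. That check should read `if (result !is AuthorityAuthorizationDecision) {`. The function body continues outside the hunk, and any later use of `decision` there needs the same rename so the smart cast to `AuthorityAuthorizationDecision` applies to `result`. The Java tab of the same sample was updated consistently, so only the Kotlin tab is affected.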
@@ -1388,11 +1388,11 @@ Kotlin:: ---- @Component class MyAuthorizationManager : AuthorizationManager, AuthorizationManager { - override fun check(authentication: Supplier, invocation: MethodInvocation): AuthorizationDecision { + override fun authorize(authentication: Supplier, invocation: MethodInvocation): AuthorizationResult { // ... authorization logic } - override fun check(authentication: Supplier, invocation: MethodInvocationResult): AuthorizationDecision { + override fun authorize(authentication: Supplier, invocation: MethodInvocationResult): AuthorizationResult { // ... authorization logic } } diff --git a/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc b/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc index 9513600dd2..3f57195ede 100644 --- a/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc @@ -227,7 +227,7 @@ public final class MessageExpressionAuthorizationManager implements Authorizatio } @Override - public AuthorizationDecision check(Supplier authentication, MessageAuthorizationContext context) { + public AuthorizationResult authorize(Supplier authentication, MessageAuthorizationContext context) { EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context.getMessage()); boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx); return new ExpressionAuthorizationDecision(granted, this.expression);