refactor: Obtain SecurityContext from the SecurityContextHolderStrategy bean #21665
Conversation
mcollovati
force-pushed
the
feat/security-context-strategy-bean
branch
from
95f2ac4 to
06f63c2
Compare
|
| * @param evaluator | ||
| * evaluator to check path permissions. | ||
| * @deprecated Use | ||
| * {@link #SpringAccessPathChecker(WebInvocationPrivilegeEvaluator, String)} |
There was a problem hiding this comment.
| * {@link #SpringAccessPathChecker(WebInvocationPrivilegeEvaluator, String)} | |
| * {@link #SpringAccessPathChecker(SecurityContextHolderStrategy, WebInvocationPrivilegeEvaluator)} |
There was a problem hiding this comment.
It would be good to add a note mentioning usage of SecurityContextHolder#getContextHolderStrategy() in the deprecated constructors to explain the deprecation (similar to AuthenticationContext)
There was a problem hiding this comment.
I wonder if we should just remove the @Configuration annotation and deprecate the class for 24.8
There was a problem hiding this comment.
Yes, that would be better. I initially removed the class to see what failed without it, but we can keep it and deprecate before complete removal.
mcollovati
force-pushed
the
feat/security-context-strategy-bean
branch
from
06f63c2 to
5eb99f8
Compare
github-project-automation
bot
moved this to 🔎Iteration reviews
in Vaadin Flow | Hilla | Kits ongoing work
mcollovati
changed the title
mcollovati
force-pushed
the
feat/security-context-strategy-bean
branch
from
9d38154 to
4d566a5
Compare
|
One missing part: restore and deprecate |
|
|
|
This fixes #21401 by providing a
SecurityContextHolderStrategybean as part of Spring Security auto-configuration and replaces static invocations ofSecurityContextHolder.getContext()by using the strategy bean instead.SecurityContextHolderStrategyinSpringSecurityAutoConfigurationVaadinAwareSecurityContextHolderStrategyConfigurationVaadinSecurityConfigurerbuild lifecycleVaadinWebSecurityfor backwards compatibilityAuthenticationContextandSpringAccessPathCheckerAuthenticationUtilmethodsBreaking changes
VaadinAwareSecurityContextHolderStrategyConfigurationhas been removed — mild since it was purely for internal useSpringSecurityAutoConfiguration::accessPatchCheckersignature has changed to include the strategy parameter — mild since this class shouldn't be extended (better have package-private bean methods)VaadinAwareSecurityContextHolderStrategyConfigurationmight expect that custom strategy to be used by Flow, instead of the bean — those apps should now provide the custom strategy as a bean (if they expect Flow to use it)DRAFT Tests setting the strategy statically must be updated (some already are)