From 9700368ca378f0a10d3e77a7c4b20dabf2915b51 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Fri, 23 Aug 2024 16:57:20 -0600 Subject: [PATCH] Simplify AuthorizeReturnObject Usage While the proxy factory feature is cool, it's not needed for this sample. We can point folks to the documentation to understand when something like that is needed. --- servlet/spring-boot/java/data/README.adoc | 4 +++- .../src/main/java/example/DataApplication.java | 15 +++------------ .../java/data/src/main/java/example/Message.java | 2 +- .../java/data/src/main/java/example/User.java | 2 +- 4 files changed, 8 insertions(+), 15 deletions(-) diff --git a/servlet/spring-boot/java/data/README.adoc b/servlet/spring-boot/java/data/README.adoc index b2ca244..ecf3f4a 100644 --- a/servlet/spring-boot/java/data/README.adoc +++ b/servlet/spring-boot/java/data/README.adoc @@ -48,4 +48,6 @@ However, with `rob`, you'll also see `firstName` and `lastName` like so: } } ... -``` \ No newline at end of file +``` + +Read more about the https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#authorize-object[`@AuthorizeReturnObject`] and https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#fallback-values-authorization-denied[]`@DeniedHandler`] in the Spring Security Reference. \ No newline at end of file diff --git a/servlet/spring-boot/java/data/src/main/java/example/DataApplication.java b/servlet/spring-boot/java/data/src/main/java/example/DataApplication.java index 5c41939..7d8d5ed 100644 --- a/servlet/spring-boot/java/data/src/main/java/example/DataApplication.java +++ b/servlet/spring-boot/java/data/src/main/java/example/DataApplication.java @@ -21,11 +21,8 @@ import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Role; -import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory; -import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor; -import org.springframework.security.authorization.method.PrePostTemplateDefaults; -import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; +import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; @@ -36,14 +33,8 @@ public class DataApplication { @Bean @Role(BeanDefinition.ROLE_INFRASTRUCTURE) - static Customizer skipValueTypes() { - return (f) -> f.setTargetVisitor(TargetVisitor.defaultsSkipValueTypes()); - } - - @Bean - @Role(BeanDefinition.ROLE_INFRASTRUCTURE) - static PrePostTemplateDefaults templateDefaults() { - return new PrePostTemplateDefaults(); + static AnnotationTemplateExpressionDefaults templateDefaults() { + return new AnnotationTemplateExpressionDefaults(); } @Bean diff --git a/servlet/spring-boot/java/data/src/main/java/example/Message.java b/servlet/spring-boot/java/data/src/main/java/example/Message.java index 0f60bee..f7e1e83 100644 --- a/servlet/spring-boot/java/data/src/main/java/example/Message.java +++ b/servlet/spring-boot/java/data/src/main/java/example/Message.java @@ -29,7 +29,6 @@ import org.springframework.security.authorization.method.AuthorizeReturnObject; @Entity @JsonSerialize(as = Message.class) -@AuthorizeReturnObject public class Message { @Id @@ -45,6 +44,7 @@ public class Message { @ManyToOne private User to; + @AuthorizeReturnObject public User getTo() { return this.to; } diff --git a/servlet/spring-boot/java/data/src/main/java/example/User.java b/servlet/spring-boot/java/data/src/main/java/example/User.java index 3eed6b6..192611c 100644 --- a/servlet/spring-boot/java/data/src/main/java/example/User.java +++ b/servlet/spring-boot/java/data/src/main/java/example/User.java @@ -27,7 +27,7 @@ import jakarta.persistence.Id; * @author Rob Winch */ @Entity(name = "users") -@JsonSerialize(as = User.class, contentUsing = JsonSerializer.class) +@JsonSerialize(as = User.class) public class User { @Id