
RunAsManager replacement #11331

Open

Description

@jzheaux

RunAsManager can add to or change the existing authentication for the duration of a message, a request, or a method call.

It overloads the authority string to include instructions to Spring Security as to what authorities to temporarily grant. It is primarily designed to work with the @Secured annotation and with the access XML attribute when not using expressions.

As a first step to supporting this with the authorization manager API, we should:

  • Improve AuthorizationFilterParser to support use-expressions="false"
  • Improve AuthorizationFilterParser to adapt the Supplier<Authentication> for RUN_AS attributes
  • Improve @Secured method handling to adapt the Supplier<Authentication> for RUN_AS attributes

UPDATE: Let's wait on these subtasks. This isn't the way that we want to do impersonation and privilege escalation going forward, and so I don't really want to support a legacy way in a new API. I'll leave this ticket open for investigating what this support should look like going forward.

It's worth considering whether a new contract is needed like Supplier<Authentication> adapt(Supplier<Authentication> authentication, T context) that can be supplied to alter how the adaptation is performed.
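To make the RUN_AS adaptation concrete, here is an added example (not code from the issue or from Spring Security itself) that wraps an AuthorizationManager and adapts the Supplier<Authentication> in the shape of the adapt(Supplier<Authentication>, T) contract sketched above. It assumes spring-security-core 6.x on the classpath; the class name RunAsAuthorizationManager, its adapt method, and the key and principal values are constructed for the example.

```java
import java.util.Collection;
import java.util.function.Supplier;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.intercept.RunAsManager;
import org.springframework.security.access.intercept.RunAsManagerImpl;
import org.springframework.security.access.intercept.RunAsUserToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

/**
 * HYPOTHETICAL adapter, not part of Spring Security: bridges the legacy
 * RunAsManager (RUN_AS_ attributes) to the AuthorizationManager API by
 * adapting the Supplier<Authentication> before delegating the decision.
 */
public class RunAsAuthorizationManager<T> implements AuthorizationManager<T> {

    private final AuthorizationManager<T> delegate;
    private final RunAsManager runAsManager;
    private final Collection<ConfigAttribute> attributes;

    public RunAsAuthorizationManager(AuthorizationManager<T> delegate,
            RunAsManager runAsManager, String... securedAttributes) {
        this.delegate = delegate;
        this.runAsManager = runAsManager;
        // Same attribute strings @Secured would carry, e.g. "ROLE_USER", "RUN_AS_SERVER"
        this.attributes = SecurityConfig.createList(securedAttributes);
    }

    /**
     * The adaptation step sketched in the issue. RunAsManagerImpl only reacts to
     * attributes starting with RUN_AS_ and returns null otherwise, so the original
     * authentication passes through unchanged in the common case. The returned
     * RunAsUserToken carries a hash of the manager's key, which is what a
     * downstream RunAsImplAuthenticationProvider verifies before trusting it.
     */
    Supplier<Authentication> adapt(Supplier<Authentication> authentication, T context) {
        return () -> {
            Authentication original = authentication.get();
            Authentication runAs = this.runAsManager.buildRunAs(original, context, this.attributes);
            return (runAs != null) ? runAs : original;
        };
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, T context) {
        // Only the adapted supplier sees the temporary authority; the caller's
        // Authentication object is never mutated.
        return this.delegate.check(adapt(authentication, context), context);
    }

    public static void main(String[] args) {
        RunAsManagerImpl runAsManager = new RunAsManagerImpl();
        // Constructed key; in a deployment it must match the key configured on
        // RunAsImplAuthenticationProvider, otherwise the minted token is rejected.
        runAsManager.setKey("constructed-run-as-key");

        // The protected target requires ROLE_RUN_AS_SERVER, which RunAsManagerImpl
        // derives from the attribute "RUN_AS_SERVER" (role prefix + attribute).
        AuthorizationManager<Object> requiresServer =
                AuthorityAuthorizationManager.hasRole("RUN_AS_SERVER");

        // Constructed caller holding only ROLE_USER.
        Authentication caller = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        Supplier<Authentication> supplier = () -> caller;

        // No RUN_AS_ attribute: the adapter is a no-op and the decision is denied.
        AuthorizationManager<Object> plain =
                new RunAsAuthorizationManager<Object>(requiresServer, runAsManager, "ROLE_USER");
        System.out.println("without RUN_AS_: granted=" + plain.check(supplier, new Object()).isGranted());

        // @Secured({"ROLE_USER", "RUN_AS_SERVER"}) semantics: the adapted token
        // gains ROLE_RUN_AS_SERVER for this decision only.
        AuthorizationManager<Object> elevated = new RunAsAuthorizationManager<Object>(
                requiresServer, runAsManager, "ROLE_USER", "RUN_AS_SERVER");
        System.out.println("with RUN_AS_:    granted=" + elevated.check(supplier, new Object()).isGranted());

        // Inspect the adapted token and confirm the caller's token is untouched.
        Authentication adapted = new RunAsAuthorizationManager<Object>(
                requiresServer, runAsManager, "RUN_AS_SERVER").adapt(supplier, new Object()).get();
        System.out.println("adapted type:    " + adapted.getClass().getSimpleName()
                + " (RunAsUserToken? " + (adapted instanceof RunAsUserToken) + ")");
        System.out.println("adapted roles:   " + adapted.getAuthorities());
        System.out.println("caller roles:    " + caller.getAuthorities());
    }
}
```

Two points the example makes visible: the elevated authority exists only inside the adapted supplier handed to the delegate, so nothing is written to the SecurityContext (the legacy interceptor also swapped the context for the duration of the call, which this adapter deliberately does not do), and the RunAsUserToken is bound to the configured key, so a RUN_AS_ token cannot be accepted downstream unless it was minted by the manager holding that key.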

Metadata

Labels

in: core (An issue in spring-security-core); type: enhancement (A general enhancement)

Development

No branches or pull requests