Support Spring Security @Secured annotation #61
Comments
Probably same as #41?
Maybe related, but there is also the need to translate the exception. An exception translator like Spring's
Out of interest I've put together an example of Secured annotation (which just works) and a basic exception-to-status translation interceptor. I don't think that would be sufficient to cover a meaningful scenario though. Just curious, where will the authentication be coming from in the intended use case?
I've also put together a standalone example of method-based security with gRPC (using pre-post-annotations instead of secured-annotations) with an exception-to-status translator, using Authorization metadata for Basic Auth credentials and JWT tokens. It works pretty well for our production use-case, though the default ThreadLocal security context storage is less than ideal.
I guess I should try again because
I've also had weird issues with the method security AOP interceptors not applying to the gRPC implementation class at times. In fact, in my standalone example, if I remove spring-jdbc from runtime dependencies, the AOP stops applying.
@alexleigh I think you are hitting another flavour of the autoproxying issue. By default Spring Boot 1.x would use dynamic proxies, but with spring-jdbc and spring-tx pulled into the classpath the autoconfiguration kicks in and configures cglib proxies instead. I opened a PR which explicitly specifies
That's really good to know. Thanks for the help!
See also grpc/grpc-java#4970
EDIT: WARNING: The security examples linked above have security vulnerabilities and are dangerous to use. See below for more details.
@ST-DDT I've seen your discussion on the grpc-java issue. Do you know how to proceed?
In order for Spring Security to work you need two things:
If you get an
As an alternative you could avoid the security annotation and use another server interceptor to map the access checks yourself. Using something like similar to a
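The second of the two pieces discussed in this thread, the exception-to-status translation, as an added example (not the project's code and not any commenter's example; the class name is made up here, and it assumes grpc-java and spring-security-core on the classpath). Spring's method security throws AccessDeniedException when the Authentication lacks the authority that @Secured demands, and an AuthenticationException (e.g. AuthenticationCredentialsNotFoundException) when the SecurityContext holds no Authentication at all; without translation the client only sees Status.UNKNOWN. Note where grpc-java invokes the implementation: for unary methods inside onHalfClose(), for streaming methods inside startCall(), so both places are guarded.

```java
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical interceptor (example code, name is this example's own). */
public class SecurityExceptionTranslatingInterceptor implements ServerInterceptor {

    /** Pure mapping, kept separate so it can be unit-tested without a gRPC server. */
    static Status translate(Throwable t) {
        if (t instanceof AuthenticationException) {
            // Missing or invalid credentials: the caller has to authenticate first.
            return Status.UNAUTHENTICATED.withDescription(t.getMessage()).withCause(t);
        }
        if (t instanceof AccessDeniedException) {
            // Authenticated, but without the authority required by @Secured.
            return Status.PERMISSION_DENIED.withDescription(t.getMessage()).withCause(t);
        }
        return null; // not a security exception: leave gRPC's default handling alone
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        ServerCall.Listener<ReqT> delegate;
        try {
            // Streaming service methods are invoked here, so the AOP check can throw here.
            delegate = next.startCall(call, headers);
        } catch (RuntimeException e) {
            if (!closeIfSecurityException(call, e)) {
                throw e;
            }
            return new ServerCall.Listener<ReqT>() {}; // call already closed, ignore events
        }
        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(delegate) {
            @Override
            public void onMessage(ReqT message) {
                try {
                    super.onMessage(message);
                } catch (RuntimeException e) {
                    if (!closeIfSecurityException(call, e)) throw e;
                }
            }

            @Override
            public void onHalfClose() {
                try {
                    super.onHalfClose(); // unary service methods are invoked in here
                } catch (RuntimeException e) {
                    if (!closeIfSecurityException(call, e)) throw e;
                }
            }
        };
    }

    /** Closes the call with the translated status; returns false if e is not a security exception. */
    private static boolean closeIfSecurityException(ServerCall<?, ?> call, RuntimeException e) {
        Status status = translate(e);
        if (status == null) {
            return false;
        }
        call.close(status, new Metadata());
        return true;
    }
}
```

The interceptor's listener has to wrap the one that actually invokes the service method, so register it on the outer side of the interceptor chain relative to whatever populates the SecurityContext; withCause() stays server-side and is never sent to the client.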
That example is somewhat better than the above mentioned, as it used an AuthenticationManager. But it also has a few drawbacks:
Don't get me wrong, it is good code, but it puts some obstacles in your way to use and maintain it. EDIT: And it's dangerous to use.
WARNING: The security demo by revinate and the security example by pagrus7 are vulnerable to concurrency issues. You might see the following issues:
You can avoid that issue by rewriting the authenticating interceptors to work similar to
See also this SO question/answer
That issue is not related to this repository. It's only related to the mentioned security demo and all variants that work in a similar way.
THANK YOU SO MUCH!!! I just ran into the concurrency issue mentioned above and was super lucky to find your post. Also just in time for the release of net.devh:grpc-spring-boot-starter:2.2.0.RELEASE.
Probably not interested anymore, but if so: I created a simple JWT Spring Boot Starter extending this library from LogNet: https://github.com/majusko/grpc-jwt-spring-boot-starter Already using it in a few production projects so it will definitely be supported. Also, feel free to contribute ;) Simple usage showcase here:
Thanks for sharing, @majusko. I'll definitely have a look
Is there some plan on supporting Spring Security? Thanks.
It's better late than never :-), implemented in
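The concurrency problem behind the warning above, shown as an added example (not this project's code, not the revinate or pagrus7 examples, and not any commenter's code; the class and key names are made up here, and it assumes grpc-java, spring-security-core and an AuthenticationManager bean). SecurityContextHolder's default strategy is a ThreadLocal, while gRPC serves calls from a thread pool and may dispatch the callbacks of one call to several threads. Storing the Authentication in the ThreadLocal once, inside interceptCall(), therefore leaves it on the pool thread for whichever call comes next. The version below keeps the Authentication in the call's gRPC Context and publishes it to SecurityContextHolder only for the duration of each listener callback, clearing it afterwards, which is the shape the warning recommends.

```java
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical Basic-Auth interceptor (example code; names are this example's own). */
public class ContextAwareAuthInterceptor implements ServerInterceptor {
    static final Metadata.Key<String> AUTHORIZATION =
            Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
    // A gRPC Context value is scoped to one call and follows it across threads,
    // which a ThreadLocal (SecurityContextHolder's default strategy) does not.
    static final Context.Key<Authentication> AUTHENTICATION = Context.key("authentication");

    private final AuthenticationManager authenticationManager;

    public ContextAwareAuthInterceptor(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        Authentication authentication;
        try {
            authentication = authenticate(headers.get(AUTHORIZATION));
        } catch (AuthenticationException e) {
            call.close(Status.UNAUTHENTICATED.withDescription(e.getMessage()), new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }

        // UNSAFE variant of the next step, shown only to mark what to avoid:
        //   SecurityContextHolder.getContext().setAuthentication(authentication);
        // It writes the user into this pool thread's ThreadLocal and never clears it, so the
        // next call served by this thread starts out as this user, and callbacks of this
        // call that run on another thread see no user at all.

        // SAFE variant: bind the user to this call's Context, then publish it to
        // SecurityContextHolder only while each listener callback runs.
        Context ctx = Context.current().withValue(AUTHENTICATION, authentication);
        return Contexts.interceptCall(ctx, call, headers,
                (c, h) -> new SecurityContextBindingListener<ReqT>(next.startCall(c, h)));
    }

    private Authentication authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) {
            throw new BadCredentialsException("missing or unsupported Authorization header");
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new BadCredentialsException("malformed Basic credentials");
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) throw new BadCredentialsException("malformed Basic credentials");
        // The AuthenticationManager (e.g. backed by a UserDetailsService) verifies the password.
        return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
                decoded.substring(0, colon), decoded.substring(colon + 1)));
    }

    /** Sets and clears the Spring SecurityContext around every callback of one call. */
    static final class SecurityContextBindingListener<ReqT>
            extends ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT> {
        SecurityContextBindingListener(ServerCall.Listener<ReqT> delegate) { super(delegate); }
        @Override public void onMessage(ReqT message) { bound(() -> super.onMessage(message)); }
        @Override public void onHalfClose() { bound(super::onHalfClose); }
        @Override public void onReady() { bound(super::onReady); }
        @Override public void onCancel() { bound(super::onCancel); }
        @Override public void onComplete() { bound(super::onComplete); }

        private void bound(Runnable callback) {
            // Contexts.interceptCall attaches this call's Context before invoking us, so the
            // lookup yields this call's user, never what an earlier call left on the thread.
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(AUTHENTICATION.get());
            SecurityContextHolder.setContext(context);
            try {
                callback.run();
            } finally {
                SecurityContextHolder.clearContext(); // leave nothing behind on the pool thread
            }
        }
    }
}
```

Because the @Secured check runs on the thread that executes the listener callback, this is enough for the usual case where the service method runs inline; code that hands work to its own executor should wrap the task with Context.current().wrap(...) and read AUTHENTICATION.get() there rather than relying on SecurityContextHolder.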
Annotating a server implementation method with the @Secured annotation currently doesn't have any effect. It would be nice if the @Secured annotation is supported and a Status.PERMISSION_DENIED error is sent if the Authentication doesn't contain the proper authority.
then stub.sayHello should fail with Status.PERMISSION_DENIED