Skip to content

Revise Spring Integration security in favor of Spring Security Messaging #3897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
artembilan opened this issue Sep 28, 2022 · 0 comments · Fixed by #3915
Closed

Revise Spring Integration security in favor of Spring Security Messaging #3897

artembilan opened this issue Sep 28, 2022 · 0 comments · Fixed by #3915
Labels
type: enhancement
Milestone
6.0.0-RC1

Comments

@artembilan
Copy link
Member

The AbstractSecurityInterceptor (and supporting API) is deprecated in Spring Security now.
Consider to deprecate ChannelSecurityInterceptor in favor of AuthorizationChannelInterceptor from Spring Security Messaging.
With that move we probably will deprecate a @SecuredChannel and all the AOP infrastructure we have in spring-integration-security.
The fix depends on the spring-projects/spring-security#11915 which will bring for us a postReceive() security contract.
The current receive() AOP interceptor does not make too much sense since there might be just no a static SecurityContext to auth against.
The postReceive() phase may be already populated from the received message via SecurityContextPropagationChannelInterceptor.postReceive() where an Authentication can be propagated from the producer side.

Also: the migration to the AuthorizationChannelInterceptor and its infrastructure we will have a long time ago requested SpEL support for security: https://jira.spring.io/projects/INT/issues/INT-1479
@artembilan artembilan added this to the 6.0.0-RC1 milestone Sep 28, 2022
artembilan added a commit to artembilan/spring-integration that referenced this issue Oct 14, 2022
@artembilan
spring-projectsGH-3897: Deprecate ChannelSecurityInterceptor
878760a 
Fixes spring-projects#3897

Spring Security has deprecated `AccessDecisionManager` and all its infrastructure
in favor of `AuthorizationManager`

* Deprecate and AOP `ChannelSecurityInterceptor` and all its infrastructure,
including `@SecuredChannel` and respective XML configuration.
The `AuthorizationChannelInterceptor` added to respective channels for security
or configured as a global channel interceptor fully covers the previous AOP configuration
* Fix deprecation warnings in other tests with security
@artembilan artembilan mentioned this issue Oct 14, 2022
Merged
artembilan added a commit to artembilan/spring-integration that referenced this issue Oct 17, 2022
@artembilan
spring-projectsGH-3897: Deprecate ChannelSecurityInterceptor
d93d524 
Fixes spring-projects#3897

Spring Security has deprecated `AccessDecisionManager` and all its infrastructure
in favor of `AuthorizationManager`

* Deprecate and AOP `ChannelSecurityInterceptor` and all its infrastructure,
including `@SecuredChannel` and respective XML configuration.
The `AuthorizationChannelInterceptor` added to respective channels for security
or configured as a global channel interceptor fully covers the previous AOP configuration
* Fix deprecation warnings in other tests with security
artembilan added a commit to artembilan/spring-integration that referenced this issue Oct 17, 2022
@artembilan
spring-projectsGH-3897: Deprecate ChannelSecurityInterceptor
4078623 
Fixes spring-projects#3897

Spring Security has deprecated `AccessDecisionManager` and all its infrastructure
in favor of `AuthorizationManager`

* Deprecate and AOP `ChannelSecurityInterceptor` and all its infrastructure,
including `@SecuredChannel` and respective XML configuration.
The `AuthorizationChannelInterceptor` added to respective channels for security
or configured as a global channel interceptor fully covers the previous AOP configuration
* Fix deprecation warnings in other tests with security
garyrussell added a commit to artembilan/spring-integration that referenced this issue Oct 17, 2022
@garyrussell
Merge branch 'main' into spring-projectsGH-3897
8697ebf
garyrussell added a commit that referenced this issue Oct 17, 2022
@artembilan @garyrussell
GH-3897: Deprecate ChannelSecurityInterceptor (#3915)
64f0e73 
* GH-3897: Deprecate `ChannelSecurityInterceptor`

Fixes #3897

Spring Security has deprecated `AccessDecisionManager` and all its infrastructure
in favor of `AuthorizationManager`

* Deprecate and AOP `ChannelSecurityInterceptor` and all its infrastructure,
including `@SecuredChannel` and respective XML configuration.
The `AuthorizationChannelInterceptor` added to respective channels for security
or configured as a global channel interceptor fully covers the previous AOP configuration
* Fix deprecation warnings in other tests with security

* Fix language in docs

Co-authored-by: Gary Russell <[email protected]>

* * Remove `forRemoval` attr from `@Deprecated` markers for Security classes:
looks like to mark `@Deprecated` and even `@SuppressWarnings("deprecation")`
don't silence warnings on compilation

Co-authored-by: Gary Russell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: enhancement
Projects
None yet
Milestone
6.0.0-RC1
Development

Successfully merging a pull request may close this issue.

GH-3897: Deprecate ChannelSecurityInterceptor artembilan/spring-integration
1 participant
@artembilan