Skip to content

Add hasScope as a valid SpEL expression to PreAuthorize #18151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add hasScope as a valid SpEL expression to PreAuthorize #18151

wants to merge 3 commits into from
+322 −0

Conversation

@ngocnhan-tran1996
Copy link
Contributor

@ngocnhan-tran1996 ngocnhan-tran1996 commented Nov 8, 2025
edited
Loading

Closes: gh-18013

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 8, 2025
@jzheaux jzheaux self-assigned this Nov 21, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Nov 21, 2025
edited
Loading

Hi, @ngocnhan-tran1996. We want to be careful about adding to the expression root, especially now that it has implications for AuthorizationManagerFactory. Alternatively, we could consider an interface OAuth2AuthorizationManagerFactory like this:

public interface OAuth2AuthorizationManagerFactory<T> {
    default AuthorizationManager<T> hasScope(String scope) {
        return OAuth2AuthorizationManagers.hasScope(scope);
    }

    // ...
}

And a default implementation:

@Bean 
OAuth2AuthorizationManagerFactory<Object> oauth2() {
    return new DefaultOAuth2AuthorizationManagerFactory();
}

That takes an AuthorizationManagerFactory as a parameter in support of MFA:

@Bean 
OAuth2AuthorizationManagerFactory<Object> oauth2(AuthorizationManagerFactory<Object> mfa) {
    return new OAuth2AuthorizationManagerFactory(mfa);
}

And then do:

@PreAuthorize("@oauth2.hasScope('message:read')")

I like this pattern since it allows for other modules to add their own expressions as well, without needing to change or extend SecurityExpressionRoot.

@ngocnhan-tran1996
Add hasScope and hasAnyScope
ffc9adf 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
@ngocnhan-tran1996
Copy link
Contributor Author

ngocnhan-tran1996 commented Nov 22, 2025

@jzheaux

I’ve made the requested changes. Let me know if anything else is needed.

jzheaux
jzheaux requested changes Nov 24, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @ngocnhan-tran1996! I've left some feedback inline.

...ngframework/security/oauth2/core/authorization/DefaultOAuth2AuthorizationManagerFactory.java Outdated
*
* @param <T> the type of object that the authorization check is being done on
* @author Ngoc Nhan
* @since 7.0
Copy link
Contributor

@jzheaux jzheaux Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please update this to 7.1 since 7 is already released?

...rg/springframework/security/oauth2/core/authorization/OAuth2AuthorizationManagerFactory.java Outdated
*
* @param <T> the type of object that the authorization check is being done on
* @author Ngoc Nhan
* @since 7.0
Copy link
Contributor

@jzheaux jzheaux Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please update this to 7.1 since 7 is already released?

...ngframework/security/oauth2/core/authorization/DefaultOAuth2AuthorizationManagerFactory.java
}
return this.authorizationManagerFactory.hasAnyAuthority(mappedScopes);
}

Copy link
Contributor

@jzheaux jzheaux Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please add hasAllScopes? It can call AuthorizationManagerFactory#hasAllAuthorities

@ngocnhan-tran1996
Add hasAllScopes
7a57961 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
@ngocnhan-tran1996
Update javadoc
170712c 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels

status: waiting-for-triage An issue we've not yet triaged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add hasScope as a valid SpEL expression to PreAuthorize, etc.

3 participants

@ngocnhan-tran1996 @jzheaux @spring-projects-issues