From b4b97e31736b5c349eac71097dc5c6c7768e097e Mon Sep 17 00:00:00 2001 From: rstoyanchev Date: Tue, 29 Oct 2024 10:17:17 +0000 Subject: [PATCH] Update security section of reference docs Closes gh-1806 --- src/docs/asciidoc/flow-security.adoc | 38 +++++++++++++++++++--------- 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/src/docs/asciidoc/flow-security.adoc b/src/docs/asciidoc/flow-security.adoc index 84ed9fc27..21d794997 100644 --- a/src/docs/asciidoc/flow-security.adoc +++ b/src/docs/asciidoc/flow-security.adoc @@ -53,7 +53,7 @@ The attributes are compared against the user's granted attributes by a Spring Se ---- ==== -By default, a role-based access-decision manager is used to determine if the user is allowed access. +By default, an authority-based `AuthorizationManager` is used to determine if the user is allowed access. This needs to be overridden if your application is not using authorization roles. [[_flow_security_secured_element_match]] 
@@ -100,24 +100,38 @@ This exception is later caught by Spring Security and used to prompt the user to It is important that this exception be allowed to travel up the execution stack uninhibited. Otherwise, the end user may not be prompted to authenticate. -[[_flow_security_listener_adm]] -==== Custom Access Decision Managers +[[_flow_security_listener_am]] +==== Custom Authorization Managers -If your application uses authorities that are not role-based, you need to configure a custom `AccessDecisionManager`. -You can override the default decision manager by setting the `accessDecisionManager` property on the security listener. -See the https://docs.spring.io/spring-security/site/docs/current/reference/html5/[Spring Security reference documentation] to learn more about decision managers. -The following example defines a custom access decision manager: +If your application uses authorities that are not role-based, you need to configure a custom `AuthorizaitonManager`. +You can override the `AuthorityAuthorizationManager` used by default through +the `authorizationManagerInitializer` property on the security listener. For example: ==== -[source,xml] +[source,java] ---- - - - +@Bean +SecurityFlowExecutionListener securityFlowExecutionListener() { + SecurityFlowExecutionListener listener = new SecurityFlowExecutionListener(); + listener.setAuthorizationManagerInitializer(securityRule -> { + // ... + }); + return listener; +} ---- ==== +[[_flow_security_listener_adm]] +==== Custom Access Decision Managers + +Spring Security's `AccessDecisionManager` is deprecated and will be removed in a future version. +Therefore, it is recommended to configure an `AuthorizationManager` instead. +However, if you must use an `AccessDecisionManager`, you can either set the `accessDecisionManager` property of the security listener, +or override the `createAccessDecisionManager(SecurityRule)` protected method. 
+ +To learn more about Spring Security's `AuthorizationManager` API, see +https://docs.spring.io/spring-security/reference/servlet/authorization/architecture.html#_the_authorizationmanager[Spring Security reference documentation]. + [[_flow_security_configuration]] === Configuring Spring Security
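Review bot: In the first hunk (flow-security.adoc around line 53), the rewritten sentence now says an "authority-based `AuthorizationManager`" is the default, but the unchanged line that follows still says "This needs to be overridden if your application is not using authorization roles." An authority-based manager is not inherently tied to roles, so the two sentences now read inconsistently; consider either rewording the second sentence to match (for example, "if your application uses authorities that are not role-based" as the second hunk phrases it) or dropping it, since the new Custom Authorization Managers section already covers the override.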
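Review bot: In the second hunk, the added line "you need to configure a custom `AuthorizaitonManager`" misspells the class name; it should be `AuthorizationManager` so it matches the identifier used in the heading, the link text and the Java example. Two smaller points in the same hunk: the lambda passed to `setAuthorizationManagerInitializer` has a body consisting only of `// ...`, so a reader copying the snippet gets no hint that the initializer is expected to yield an `AuthorizationManager` for the given `securityRule`; a placeholder comment such as `// return an AuthorizationManager for securityRule` would make the intent clear without lengthening the example. Also, "see https://...[Spring Security reference documentation]" reads better as "see the ...[Spring Security reference documentation]", matching the wording of the sentence this hunk removes.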