Skip to content

Replace deprecated #check calls with #authorize #16965

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Replace deprecated #check calls with #authorize #16965

wants to merge 1 commit into from

Conversation

evgeniycheban
Copy link
Contributor

Closes gh-16936

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 18, 2025
franticticktick
franticticktick reviewed Apr 22, 2025
View reviewed changes
...rc/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
@@ -67,20 +67,33 @@ public ObservationAuthorizationManager(ObservationRegistry registry, Authorizati
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's better to leave the check method as is. There's no point in calling the authorize method from a deprecated method.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think if we are moving away from check method it's reasonable to stop calling user-defined check implementations in our code, instead it's good to indicate to the user that they should fully migrate to using authorize method if they have mix of both, the same approach is used in AuthorizationManagers#anyOf for example.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jzheaux what do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good points from both of you.

Given that this is work that can be done in advance of the next major, I think that it is worthwhile. In this way, the only thing that remains to be done when the time comes is for check to be removed.

@franticticktick
Copy link
Contributor

Hey @evgeniycheban , It would be nice if the verify method of the AuthorizationManager interface also call authorize.

@evgeniycheban
Copy link
Contributor Author

Hey @evgeniycheban , It would be nice if the verify method of the AuthorizationManager interface also call authorize.

Yeah, good catch, I must have missed that one.

@jzheaux jzheaux self-assigned this Apr 22, 2025
@jzheaux jzheaux added in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 22, 2025
jzheaux
jzheaux requested changes Apr 23, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @evgeniycheban! I've left some feedback inline.

...st/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java
@@ -73,7 +73,7 @@ void setup() {
@Test
void verifyWhenDefaultsThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willReturn(this.grant);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's leave unit tests as-is so that we know we are still backward compatible.

Copy link
Contributor Author

@evgeniycheban evgeniycheban Apr 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll change it to use willCallRealMethod instead.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

...rc/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
@@ -67,20 +67,33 @@ public ObservationAuthorizationManager(ObservationRegistry registry, Authorizati
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good points from both of you.

Given that this is work that can be done in advance of the next major, I think that it is worthwhile. In this way, the only thing that remains to be done when the time comes is for check to be removed.

@evgeniycheban
Copy link
Contributor Author

Hi, @jzheaux I've updated the PR.

@evgeniycheban evgeniycheban requested a review from jzheaux April 23, 2025 22:47
@franticticktick
Copy link
Contributor

It would be nice to make the same improvement for ReactiveAuthorizationManager as a separate commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@franticticktick franticticktick franticticktick left review comments

@jzheaux jzheaux Awaiting requested review from jzheaux

Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
Spring Security Team
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Replace check calls with authorize
4 participants
@evgeniycheban @franticticktick @jzheaux @spring-projects-issues