Closed
Description
authorizeHttpRequests does not have direct expression support, this can create a slight issue when migrating expressions like the following:
.mvcMatchers("/resource/{id}").access("#id == authentication.name")
While it can be migrated using WebExpressionAuthorizationManager like so:
.mvcMatchers("/resource/{id}").access(new WebExpressionAuthorizationManager("#id == authentication.name"))
it would be nice to have something programmatic that does not require SpEL.
One way to do this already is a custom AuthorizationManager like this one:
.mvcMatchers("/resource/{id}").access((authentication, object) -> {
    String value = object.getVariables().get("id");
    return new AuthorizationDecision(authentication.get().getName().equals(value));
})
But this isn't as idiomatic as other Spring Security expressions like hasAuthority.
A possible improvement is:
.mvcMatchers("/resource/{id}").access(variable("id").isEqualTo(Authentication::getName))
Or another would be:
.mvcMatchers("/resource/{id}").hasVariable("id").equalTo(Authentication::getName)
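A sketch of how the first proposed form could be built today on top of the custom AuthorizationManager shown above. This is an added example, not Spring Security's own code: `PathVariables`, `variable` and `isEqualTo` are hypothetical names, and denying anonymous callers is a choice made for this example rather than behaviour of the original SpEL expression.

```java
import java.util.function.Function;
import java.util.function.Supplier;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Hypothetical helper (not a Spring Security class). Intended use:
//   .mvcMatchers("/resource/{id}").access(variable("id").isEqualTo(Authentication::getName))
public final class PathVariables {

    private PathVariables() {
    }

    public static Variable variable(String name) {
        return new Variable(name);
    }

    public static final class Variable {

        private final String name;

        private Variable(String name) {
            this.name = name;
        }

        // Grants access only when the URI template variable equals the value
        // extracted from the current Authentication.
        public AuthorizationManager<RequestAuthorizationContext> isEqualTo(
                Function<Authentication, String> expected) {
            return (Supplier<Authentication> authentication, RequestAuthorizationContext context) -> {
                String actual = context.getVariables().get(this.name);
                Authentication auth = authentication.get();
                // Fail closed: the matcher has no such variable, or there is no
                // authenticated principal to compare against.
                if (actual == null || auth == null || !auth.isAuthenticated()) {
                    return new AuthorizationDecision(false);
                }
                // Assumption of this example: an anonymous token reports
                // isAuthenticated() == true, so reject it explicitly; otherwise a
                // path equal to the anonymous principal name would be granted.
                if (auth instanceof AnonymousAuthenticationToken) {
                    return new AuthorizationDecision(false);
                }
                return new AuthorizationDecision(actual.equals(expected.apply(auth)));
            };
        }
    }
}
```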