1

I know it's possible to add a @PreAuthorize annotation to a Rest Controller...

    @RestController
    public class WebController {
        @PreAuthorize("hasAuthority('Foo')")
        @GetMapping("/restricted")
        public ResponseEntity<String> restricted() {
            return ResponseEntity.ok("Restricted section");
        }
    }

How can one preauthorize access to a Spring Integration Http.inbound gateway? I know I could add in a component to the Integration flow and add the annotation on a transformer or service activator method but I'd rather not have a separate object for that.

    @Bean
    //@PreAuthorize("hasAuthority('Foo')") ?
    public HttpRequestHandlingMessagingGateway restrictedGateway() {
        return Http.inboundGateway("/restricted")
                ...
                .get();
    }

    @Bean
    public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway restrictedGateway) {
        return IntegrationFlows
                .from(restrictedGateway)
                .transform(source -> "Restricted section")
                .get();
    }

Kevvvvyp

1 Answer

2
  • I think you are right, looking at https://docs.spring.io/spring-integration/reference/html/security.htm, where it allows a channel to be declared @Secured

  • Even if we think about Spring Security in a normal Spring Boot app without integration, it is at filter level, so it seems to make sense, as I consider HttpRequestHandlingMessagingGateway a listener for HTTP requests

Can you try

    @Bean
    @SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "ROLE_XXX")
    public SubscribableChannel secureChannel() {
        return new DirectChannel();
    }

    @Bean
    public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway
                                  restrictedGateway) {
        return IntegrationFlows
                .from(restrictedGateway)
                .channel(secureChannel())
                .transform(source -> "Restricted section")
                .get();
    }

  • Is it possible for sendAccess to be a hasAuthority? – Kevvvvyp Jul 22 '20 at 15:11
  • Sorry. I don't have a sample app to play with. But I was checking the code that the `sendAccess` param gets passed to in the Spring Security source code. It goes as a config attribute to `accessDecisionManager`, which is the same thing used when you have Spring Security without Spring Integration. So, in my understanding, it should work for `hasAuthority` – Kavithakaran Kanapathippillai Jul 22 '20 at 15:33
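
A fuller version of the configuration suggested in the answer, as an added example that is not part of the original answer or of the Spring project's code: it supplies the `channelSecurityInterceptor` bean that `@SecuredChannel` refers to and, as one assumed way to check the question's plain authority `Foo`, gives the interceptor a `RoleVoter` with an empty prefix. It assumes Spring Integration 5.x with spring-integration-security on the classpath and an `AuthenticationManager` exposed as a bean by the application's security configuration; `RestrictedFlowConfig` and `channelAccessDecisionManager` are hypothetical names.

```java
// Added example. Assumes Spring Integration 5.x with spring-integration-security on the classpath.
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.integration.channel.DirectChannel;
import org.springframework.integration.dsl.IntegrationFlow;
import org.springframework.integration.dsl.IntegrationFlows;
import org.springframework.integration.http.dsl.Http;
import org.springframework.integration.security.channel.ChannelSecurityInterceptor;
import org.springframework.integration.security.channel.SecuredChannel;
import org.springframework.messaging.SubscribableChannel;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;

@Configuration
public class RestrictedFlowConfig { // hypothetical class name

    @Bean
    public AccessDecisionManager channelAccessDecisionManager() {
        RoleVoter voter = new RoleVoter();
        voter.setRolePrefix(""); // with the default "ROLE_" prefix the voter abstains on "Foo"
        return new AffirmativeBased(Collections.singletonList(voter));
    }

    @Bean
    public ChannelSecurityInterceptor channelSecurityInterceptor(AuthenticationManager authManager) {
        ChannelSecurityInterceptor interceptor = new ChannelSecurityInterceptor();
        interceptor.setAuthenticationManager(authManager);
        interceptor.setAccessDecisionManager(channelAccessDecisionManager());
        return interceptor;
    }

    @Bean
    @SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "Foo")
    public SubscribableChannel secureChannel() {
        return new DirectChannel(); // send runs on the HTTP request thread, so the SecurityContext is visible
    }

    @Bean
    public IntegrationFlow myFlow() {
        return IntegrationFlows
                .from(Http.inboundGateway("/restricted"))
                .channel(secureChannel())
                .transform(source -> "Restricted section")
                .get();
    }
}
```

Keeping `secureChannel` a `DirectChannel` matters here: a queue or executor channel hands the message to another thread, where the caller's `SecurityContext` is not available by default.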