
I have a use case where I need to secure the endpoints of my application through ABAC authorization. The code to perform ABAC authorization is already present. I found several examples on how to create a custom authentication filter in Spring Security. One of them is here. Is there a similar standardized way to implement a custom AuthorizationFilter in Spring Security?

Is there an object similar to Authentication that needs to be set in Spring's Security context?

cdan
Anuja Barve

1 Answer


In Spring Security 5.5, AuthorizationFilter and AuthorizationManager were introduced.

You can construct an AuthorizationManager and provide it in the DSL:

http
    // ...
    .authorizeHttpRequests((authorize) -> authorize
        .anyRequest().access(myAuthorizationManager())
    )
    // ..

and the DSL will construct an AuthorizationFilter with your custom manager.

If you are on an earlier version of Spring Security, you can instead wire an AccessDecisionManager.

jzheaux
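As an added illustration of the answer above (not code from the question or the answer), this is one way a custom AuthorizationManager could delegate each request to existing ABAC code and be passed to `access(...)`. `AbacPolicyEngine` and its `isPermitted` method are hypothetical stand-ins for that existing code, and the sketch assumes the `check` method of the Spring Security 5.5 to 6.x API, which newer releases deprecate in favor of `authorize`.

```java
import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
public class AbacSecurityConfig {

    /** Hypothetical facade over the application's existing ABAC code; the application supplies the bean. */
    public interface AbacPolicyEngine {
        boolean isPermitted(Authentication subject, String action, String resource);
    }

    @Bean
    AuthorizationManager<RequestAuthorizationContext> abacAuthorizationManager(AbacPolicyEngine engine) {
        return (Supplier<Authentication> authentication, RequestAuthorizationContext context) -> {
            Authentication subject = authentication.get();
            // Fail closed: a missing or anonymous subject is denied without consulting the policy engine.
            if (subject == null || !subject.isAuthenticated()
                    || subject instanceof AnonymousAuthenticationToken) {
                return new AuthorizationDecision(false);
            }
            // Action and resource attributes are taken from the request being authorized.
            boolean permitted = engine.isPermitted(subject,
                    context.getRequest().getMethod(), context.getRequest().getRequestURI());
            // The decision is returned to AuthorizationFilter; nothing is stored in the SecurityContext.
            return new AuthorizationDecision(permitted);
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            AuthorizationManager<RequestAuthorizationContext> abacAuthorizationManager) throws Exception {
        // The authentication mechanism (form login, bearer tokens, ...) is configured separately.
        http.authorizeHttpRequests((authorize) -> authorize
                .anyRequest().access(abacAuthorizationManager));
        return http.build();
    }
}
```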