Propagate Authentication to SecurityContextHolder

[jvmlet]

See this discussion
@markbanierink, FYI

[jvmlet]

@markbanierink, would you please post a snippet here how you use @PreAuthorize annotation from grpc service

[markbanierink]

Sure!

Our gRPC service looks pretty much like this:

@GRpcService
public class EntityServiceImpl extends EntityServiceGrpc.EntityServiceImplBase {
	
	@Autowired
	private DomainService domainService;

	@Override
	public void doFromRemote(EntityProtos.EntityRequest request, StreamObserver<EntityProtos.EntityResponse> responseObserver) {
		var entityA = request.getEntityA();

		var valB = domainService.doSomething(entityA);

		EntityProtos.Entity respVal = EntityProtos.Entity.newBuilder().setValue(valB).build();
		var responseBuilder = EntityProtos.EntityResponse.newBuilder();
        	responseBuilder.addSomeValue(respVal);

        	responseObserver.onNext(responseBuilder.build());
        	responseObserver.onCompleted();
	}

}

And the domain service:

@Component
public class DomainService {

	@PreAuthorize("hasPermission(#entityA.id, somePermission)")
	public Object doSomething(EntityA entityA) {
		// do something after permission was checked
	}

}

[jvmlet]

Thanks @markbanierink. I've integrated your PR, had to refactor a bit because of merge conflicts. All tests are passing, I'll commit tomorrow. I'll also try to support @PreAuthorizeon grpc service /method. Currently it's working only for downstream services. I'll need to have special grpc method invoker to go through proxied grpc service bean in order to evaluate the annotation' s expression

[jvmlet]

@markbanierink , did you have to add @EnableGlobalMethodSecurity(prePostEnabled = true) somewhere in your app to enable the enforcement of @PreAuthorize ?

[markbanierink]

Yes, it has to be configured:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {
    // some beans
}

[jvmlet]

@markbanierink , as I understand, you don't use grpc security feature, right ? Only pure spring boot security infrastructure, right ?

[markbanierink]

Euhm.. I'm not sure what you mean, but we do have a configuration for the grpc security too:

@Configuration
public class CustomGrpcSecurityConfigurerAdapter extends GrpcSecurityConfigurerAdapter {

    @Override
    public void configure(GrpcSecurity builder) throws Exception {
        builder.authorizeRequests().anyMethod().authenticated();
    }

    // some more configuration
}

But yes, for the rest we only use spring security.
In the suggested solution I proposed a way to propagate the Authentication from the grpc security context to the spring security context. So we use a combination of both.

[jvmlet]

@markbanierink , I've committed the changes from your PR #233.
I'm talking about another issue I'm experiencing with @PreAuthorize support, lets continue at #175

[jvmlet]

@markbanierink , 4.5.6 is out