Skip to content

Add hasScope as a valid SpEL expression to PreAuthorize #18151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add hasScope as a valid SpEL expression to PreAuthorize #18151

wants to merge 1 commit into from
+236 −0

Conversation

@ngocnhan-tran1996
Copy link
Contributor

@ngocnhan-tran1996 ngocnhan-tran1996 commented Nov 8, 2025
edited
Loading

Closes: gh-18013

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 8, 2025
@jzheaux jzheaux self-assigned this Nov 21, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Nov 21, 2025
edited
Loading

Hi, @ngocnhan-tran1996. We want to be careful about adding to the expression root, especially now that it has implications for AuthorizationManagerFactory. Alternatively, we could consider an interface OAuth2AuthorizationManagerFactory like this:

public interface OAuth2AuthorizationManagerFactory<T> {
    default AuthorizationManager<T> hasScope(String scope) {
        return OAuth2AuthorizationManagers.hasScope(scope);
    }

    // ...
}

And a default implementation:

@Bean 
OAuth2AuthorizationManagerFactory<Object> oauth2() {
    return new DefaultOAuth2AuthorizationManagerFactory();
}

That takes an AuthorizationManagerFactory as a parameter in support of MFA:

@Bean 
OAuth2AuthorizationManagerFactory<Object> oauth2(AuthorizationManagerFactory<Object> mfa) {
    return new OAuth2AuthorizationManagerFactory(mfa);
}

And then do:

@PreAuthorize("@oauth2.hasScope('message:read')")

I like this pattern since it allows for other modules to add their own expressions as well, without needing to change or extend SecurityExpressionRoot.

@ngocnhan-tran1996
Add hasScope and hasAnyScope
ffc9adf 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
@ngocnhan-tran1996
Copy link
Contributor Author

ngocnhan-tran1996 commented Nov 22, 2025

@jzheaux

I’ve made the requested changes. Let me know if anything else is needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jzheaux jzheaux

Labels

status: waiting-for-triage An issue we've not yet triaged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add hasScope as a valid SpEL expression to PreAuthorize, etc.

3 participants

@ngocnhan-tran1996 @jzheaux @spring-projects-issues