Add SingleResultAuthorizationManager

[franticticktick]

Closes gh-16590

[franticticktick]

Hey @plll0123, we invite you to join the review so that your interest in contributions does not disappear :)

[jzheaux]

Thanks again, @franticticktick! I've left my feedback inline. Note that most if it is based on the premise that I think it class should hold an AuthorizationResult member variable, set in the constructor. This will give this class many more uses.

[jzheaux]

Spring Security conventionally uses camelCase for methods, even ones that return a constant; please change this to permitAll().

[jzheaux]

Spring Security conventionally uses camelCase for methods, even ones that return a constant; please change this to denyAll().

[jzheaux]

I think this should return the concrete type. Just like constructors emit the concrete type. Can you please change both method to return SingleResultAuthorizationManager?

[franticticktick]

No, we can't do this, java uses LambdaMetafactory for lambda creation. This factory creates CallSite object, which returns intenface implementation. Therefore these methods must return an interface.

[franticticktick]

Sorry, you can ignore this comment :)

[jzheaux]

While having this for permitAll and denyAll is great, we can expand it by taking an AuthorizationResult in the constructor and having it be public.

[jzheaux]

Instead of a lambda, consider returning a static final instance of SingleResultAuthorizationManager.

[jzheaux]

Let's still implement this. If the private member result isn't of type AuthenticationDecision, we can throw and exception.

[jzheaux]

Let's please implement authorize, returning whatever single result was set in the constructor.

[jzheaux]

Please add tests for the class.

[franticticktick]

Hi @jzheaux, thanks for your feedback. There are several points that need to be discussed. We can add a static method, for example denyAll, and return a static final instance:

public static <C> SingleResultAuthorizationManager<C> denyAll() {
   return DENY_MANAGER;
}

This is only possible if the SingleResultAuthorizationManager instance has a raw type:

private static final SingleResultAuthorizationManager DENY_MANAGER = new SingleResultAuthorizationManager<>(new AuthorizationDecision(false));

Generics are not available in a static context, which forces us to use a raw type. I'm not sure if this is the best pattern in this case, @jzheaux what do you think about it?

[jzheaux]

@franticticktick good questions. First, I think it's okay to construct a SingleResultAuthorizationManager each time denyAll() is called. This is conventionally the most type-safe and I'm fine going that route.

However, since the implementation knows that it won't use the type, then it can safely use <?>:

private static final SingleResultAuthorizationManager<?> DENY = new SingleResultAuthorizationManager<>(new AuthorizationDecision(false));

That does require a cast in the static method, but again in practice this isn't a concern since this implementation never uses the type at runtime:

public static <T> SingleResultAuthorizationManager<T> denyAll() {
    return (SingleResultAuthorizationManager<T>) DENY;
}