Improve error messaging when use-authorization-manager and access-decision-manager-ref conflict #16193

Closed
Spikhalskiy opened this issue Nov 30, 2024 · 3 comments · Fixed by #16194
Labels: in: config (An issue in spring-security-config), type: enhancement (A general enhancement)

Spikhalskiy commented Nov 30, 2024

Current Behavior

The user has a project with Spring Security utilizing Access Decision Manager classes.
They have the following in their security.xml:

<http use-expressions="true" access-decision-manager-ref="affirmativeBasedAccessDecisionManager">

The project is based on Spring 5.x and they migrate to Spring 6.x.
The user would get an error

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: AuthorizationManager cannot be used in conjunction with `access-decision-manager-ref`

without having any AuthorizationManager beans configured.

This error message is confusing because it makes the user look for AuthorizationManager usages in the project.

Expected Behavior

If the error message pointed the user at the right attribute, it would save investigation time for users who perform the migration. It already gives a specific attribute name for access-decision-manager-ref. It should also give a reference to use-authorization-manager and highlight that it's true by default.

Context

The solution if the user doesn't want to migrate onto the new AuthorizationManager yet is to specify

<http use-expressions="true" access-decision-manager-ref="affirmativeBasedAccessDecisionManager" use-authorization-manager="false">
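
A pre-migration check for the conflict described in this issue, as an added example that is not part of the original thread or of Spring Security's own code: it scans a security XML document for `<http>` elements that set `access-decision-manager-ref` without `use-authorization-manager="false"`. The sample XML is constructed and the function name `find_conflicts` is hypothetical; anything other than a literal `false` (including a property placeholder) is reported.

```python
import xml.etree.ElementTree as ET

# Namespace URI of the Spring Security XML schema.
SECURITY_NS = "http://www.springframework.org/schema/security"

# Constructed sample: block 0 reproduces the conflict from the issue,
# block 1 carries the explicit opt-out, block 2 has no AccessDecisionManager.
SAMPLE_XML = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/api/**" use-expressions="true"
        access-decision-manager-ref="affirmativeBasedAccessDecisionManager"/>
  <http pattern="/admin/**" use-expressions="true"
        access-decision-manager-ref="affirmativeBasedAccessDecisionManager"
        use-authorization-manager="false"/>
  <http use-expressions="true"/>
</beans:beans>
"""


def find_conflicts(xml_text):
    """Return a finding for every <http> element that sets
    access-decision-manager-ref without use-authorization-manager="false"."""
    root = ET.fromstring(xml_text)
    findings = []
    # Match on the namespace URI so <http> and <security:http> are both found.
    for index, http in enumerate(root.iter("{%s}http" % SECURITY_NS)):
        adm_ref = http.get("access-decision-manager-ref")
        if adm_ref is None:
            continue
        flag = http.get("use-authorization-manager")
        # Only a literal "false" is treated as an opt-out; an unset attribute
        # (true by default per the issue) or any other value is reported.
        if flag is not None and flag.strip() == "false":
            continue
        findings.append({
            "http_index": index,
            "access_decision_manager_ref": adm_ref,
            "use_authorization_manager": flag,
        })
    return findings


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_XML):
        print("<http> #%(http_index)d: access-decision-manager-ref=%(access_decision_manager_ref)r "
              "with use-authorization-manager=%(use_authorization_manager)r" % f)
```
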

jzheaux commented Dec 4, 2024

Good idea, @Spikhalskiy. I think the message could be improved to suggest a remediation:

AuthorizationManager cannot be used in conjunction with `access-decision-manager-ref`; either remove the reference to AccessDecisionManager or add `use-authorization-manager="false"` to your `<http>` block

Are you able to submit a PR that improves the message?

jzheaux added the status: ideal-for-contribution label (An issue that we actively are looking for someone to help us with) and removed the status: waiting-for-triage label (An issue we've not yet triaged) Dec 4, 2024
jzheaux self-assigned this Dec 4, 2024
jzheaux changed the title from "Improve "Configuration problem: AuthorizationManager cannot be used in conjunction with access-decision-manager-ref" message" to "Improve error messaging when use-authorization-manager and access-decision-manager-ref conflict" Dec 4, 2024

Spikhalskiy commented Dec 4, 2024

@jzheaux I definitely can adjust it this way. But I am concerned that this makes the message too focused on XML-based configuration, specifically "your <http> block" part. Without it, it's useful and relevant to both the annotation and XML-based configurations (as XML property names are close to setter names). Are you sure about this specific wording?


jzheaux commented Dec 4, 2024

My apologies, I overlooked your existing PR. I'll add any additional comments over there.

Closing in favor of #16194

jzheaux closed this as completed Dec 4, 2024
jzheaux added the in: config label (An issue in spring-security-config) and removed the status: ideal-for-contribution label (An issue that we actively are looking for someone to help us with) Dec 4, 2024
Spikhalskiy added a commit to Spikhalskiy/spring-security that referenced this issue Dec 5, 2024
jzheaux pushed a commit to Spikhalskiy/spring-security that referenced this issue Dec 5, 2024
jzheaux added a commit to Spikhalskiy/spring-security that referenced this issue Dec 5, 2024
- aligned the grammar
- formatted using gradlew format
- updated copyright year

Issue spring-projectsgh-16193
jzheaux added a commit that referenced this issue Dec 6, 2024
- aligned the grammar
- formatted using gradlew format
- updated copyright year

Issue gh-16193