Request body is not present in SecurityRule #689

Closed
3 tasks done
tcrespog opened this issue Jun 17, 2021 · 4 comments
@tcrespog

Task List

  • Steps to reproduce provided
  • Example that reproduces the problem uploaded to Github
  • Full description of the issue provided (see below)

Steps to Reproduce

  1. Download the example application.
  2. Run the PetControllerTest, which performs a request to an endpoint secured with a CustomSecurityRule.
  3. The CustomSecurityRule throws an exception because it expects the request body to be present (but it's not).

Expected Behaviour

The request body should be populated by the time the security rule is processed.

Actual Behaviour

The request body is not populated by the time the security rule is processed.

I have a custom SecurityRule which reads data from the request body. However, when upgrading the app to Micronaut 2.5.6, I've realized that the body is not present in the request by the time the security rule is executed.
Apparently, this is happening since Micronaut 2.5.0.

Environment Information

  • Micronaut Version: 2.5.6
  • JDK Version: 11

Example Application

@tcrespog
Author

tcrespog commented Jul 7, 2021

I found this PR which explains the change of behavior: micronaut-projects/micronaut-core#5261.

Now I understand that the absence of body in filters is intentional, therefore it won't be present in security rules as they are executed in the SecurityFilter.

Alternatively to security rules, AOP Around Advice could be a way of handling the case described in this issue as suggested by this comment: #649 (comment).
Am I right?

Thanks.

@sdelamo
Contributor

sdelamo commented Aug 11, 2021

Yes, the absence of body in filters is intentional.

@sdelamo sdelamo self-assigned this Aug 13, 2021
@sdelamo
Contributor

sdelamo commented Aug 13, 2021

> Alternatively to security rules, AOP Around Advice could be a way of handling the case described in this issue as suggested by this comment: #649 (comment).

Yes, I am going to write a documentation snippet. We should have clarified this.

@sdelamo
Contributor

sdelamo commented Aug 18, 2021

I am closing this issue. I have added a documentation snippet which explains that you cannot read HTTP Body from a SecurityRule.

@sdelamo sdelamo closed this as completed Aug 18, 2021
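
The AOP Around Advice alternative discussed in this thread, sketched as an added example (not code from the issue, the example application, or the Micronaut project): the security filter still authenticates the caller, and an interceptor makes the body-dependent decision once the `@Body` argument has been bound. `OwnerOnly`, `OwnedResource`, `OwnerOnlyInterceptor` and the ownership check itself are assumptions; the annotation binding uses the Micronaut 2.x `@Around`/`@Type` style.

```java
// Added illustration for Micronaut 2.x; all type names below are hypothetical.
import io.micronaut.aop.Around;
import io.micronaut.aop.MethodInterceptor;
import io.micronaut.aop.MethodInvocationContext;
import io.micronaut.context.annotation.Type;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.exceptions.HttpStatusException;
import io.micronaut.security.utils.SecurityService;
import javax.inject.Singleton;
import java.lang.annotation.*;

// Put this on a controller method, e.g. @Post @OwnerOnly save(@Body PetCommand pet)
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@Around
@Type(OwnerOnlyInterceptor.class)
@interface OwnerOnly {}

// Implemented by body types that carry the field the decision depends on.
interface OwnedResource { String getOwner(); }

@Singleton
class OwnerOnlyInterceptor implements MethodInterceptor<Object, Object> {
    private final SecurityService securityService;

    public OwnerOnlyInterceptor(SecurityService securityService) {
        this.securityService = securityService;
    }

    @Override
    public Object intercept(MethodInvocationContext<Object, Object> context) {
        // Runs after routing and body binding, so @Body arguments are populated.
        String caller = securityService.username().orElseThrow(() ->
            new HttpStatusException(HttpStatus.UNAUTHORIZED, "Authentication required"));
        boolean checked = false;
        for (Object arg : context.getParameterValues()) {
            if (arg instanceof OwnedResource) {
                if (!caller.equals(((OwnedResource) arg).getOwner())) {
                    throw new HttpStatusException(HttpStatus.FORBIDDEN, "Not the owner");
                }
                checked = true;
            }
        }
        // Fail closed: an annotated method with no bound (non-reactive) body is rejected.
        if (!checked) {
            throw new HttpStatusException(HttpStatus.FORBIDDEN, "No body to authorize");
        }
        return context.proceed();
    }
}
```

Because the check fails closed, annotating a method whose body is a reactive type or does not implement `OwnedResource` yields 403 rather than silently skipping authorization.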