Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix HeadersConfigurer#permissionsPolicy method with customizer #14839

Open
wants to merge 1 commit into
base: 5.8.x
Choose a base branch
from
Open

Fix HeadersConfigurer#permissionsPolicy method with customizer #14839

wants to merge 1 commit into from

Conversation

florianberthe
Copy link

Closes gh-14803

@florianberthe
Copy link
Author

@marcusdacoregio finally I recreate a new branch as I got some conflicts when rebasing to 5.8.x branch.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 3, 2024
jzheaux
jzheaux requested changes Apr 6, 2024
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@florianberthe thank you for the PR. Since there is a simple workaround and also no way to make this binary compatible, let's please make this change on main instead of 5.8.x. I've left more details in my inline comment.

UPDATE - I see that @marcusdacoregio advised something different on an earlier PR. Please wait on my suggestions until we are both aligned.

...n/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
* @since 5.5
* @see PermissionsPolicyHeaderWriter
*/
public PermissionsPolicyConfig permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
public HeadersConfigurer<H> permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While certainly a bug, we cannot change the return type of a public method and remain binary compatible. And given that this has been in place for a few years now and that there is a simple workaround, I hesitate to make a change this aggressive.

Let's instead introduce a new method and deprecate this one. Perhaps permissionsPolicyHeader would be an appropriate name. We can remove permissionsPolicy in Spring Security 7.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand your point of view but permissionsPolicyHeader name doesn't seem to be coherent with other "DSL" methods remaining in Spring Security 7. Would you keep this incoherence in Spring Security 7 ? Unless you will rename other DSL methods with same convention.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will wait your thoughts 😄

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jzheaux have you seen my comments above?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @florianberthe. Yes, the method will be renamed from permissionsPolicyHeader to permissionsPolicy in Spring Security 7 when we remove the deprecated method.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I will make this change later

Copy link

@codingtim codingtim Jun 3, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the plan is to add a permissionsPolicyHeader method in Spring 6.3 with a correct return type?
Then in 7 the old permissionsPolicy method with incorrect return type will be removed and permissionsPolicyHeader will be renamed?
That would mean that even if you now use the undeprecated permissionsPolicyHeader method in 6.3 you will have a breaking change when you upgrade to 7?
Or will the permissionsPolicyHeader method also exist in 7 and be deprecated then?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the plan is to add a permissionsPolicyHeader method in Spring 6.3 with a correct return type?

Yes, in Spring Security 6.4. As well as deprecating the current method with the wrong return type.

Then in 7 the old permissionsPolicy method with incorrect return type will be removed and permissionsPolicyHeader will be renamed?

That's right.

That would mean that even if you now use the undeprecated permissionsPolicyHeader method in 6.3 you will have a breaking change when you upgrade to 7?

Yes, a breaking change is fine since that will be a major version bump.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just my 2 cents but that does not seem entirely user friendly.

Yes in version 7 you can remove the deprecated method with incorrect return type.
But instead of renaming the temporary method of version 6.4, deprecate that method in version 7.
Instead of removing the deprecated method it gets replaced by one with the correct return.

That way users of 6.4 have no breaking changes but can upgrade by searching deprecation.

So 6.4:

@deprecated("Deprecated invalid return type, use temporary method below")
PermissionsPolicyConfig permissionsPolicy(..)

HeadersConfigurer<H> permissionsPolicyHeader(..)

And 7.0:

HeadersConfigurer<H> permissionsPolicy(..)

@deprecated("Use corrected method above")
HeadersConfigurer<H> permissionsPolicyHeader(..)

@jzheaux jzheaux self-assigned this Apr 6, 2024
@jzheaux jzheaux added in: config An issue in spring-security-config type: enhancement A general enhancement for: team-attention This ticket should be discussed as a team before proceeding and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 6, 2024
@codingtim
Copy link

codingtim commented Jun 3, 2024
edited

Hi, While upgrading spring-security to 6.2.4 we ran into this issue.
We try to remove deprecation warning of and() usage but because of the incorrect return type of permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) this is currently not possible.

@florianberthe
Copy link
Author

Hi, While upgrading spring-security to 6.2.4 we ran into this issue. We try to remove deprecation warning of and() usage but because of the incorrect return type of permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) this is currently not possible.

Personally, I moved call to this method at the end of the chaining as workaround. You could consider a little ugly but it avoids a deprecated warning.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codingtim codingtim codingtim left review comments

@marcusdacoregio marcusdacoregio marcusdacoregio left review comments

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

@marcusdacoregio marcusdacoregio

Labels
for: team-attention This ticket should be discussed as a team before proceeding in: config An issue in spring-security-config type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@florianberthe @codingtim @jzheaux @marcusdacoregio @spring-projects-issues