DenyAllPermissionEvaluator Used As Silent Backup When Two PermissionEvaluator Beans Exist #44989
Labels
for: external-project
For an external project and not something we can fix
status: invalid
An issue that we don't feel is valid
When two or more PermissionEvaluator beans are present in an application, Spring seems to silently choose the DenyAllPermissionEvaluator instead of failing to start up due to having duplicate beans.
This feels like a bug, and could have dangerous consequences for enterprises by silently pushing out code to production that seems to build/run as expected, but once an endpoint is hit that calls hasPermission(), it is always denied.
I think Spring should be failing at startup if there are multiple PermissionEvaluators, similar to the behavior for other duplicate beans, or otherwise clearly warn developers of the case.
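An application-side guard for the situation reported above, as an added example that is not code from the issue or from the Spring projects: it fails startup when more than one PermissionEvaluator bean is defined, and wires the single evaluator into the method-security expression handler explicitly. The class name `PermissionEvaluatorGuardConfig` and the bean method names are hypothetical.

```java
import java.util.Arrays;

import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;

// Hypothetical configuration class (assumption, not part of the issue).
@Configuration
public class PermissionEvaluatorGuardConfig {

    // Runs once all singletons are created. Throwing here aborts context
    // refresh, so an ambiguous setup never reaches production traffic.
    @Bean
    SmartInitializingSingleton permissionEvaluatorGuard(ListableBeanFactory beanFactory) {
        return () -> {
            String[] names = beanFactory.getBeanNamesForType(PermissionEvaluator.class);
            if (names.length > 1) {
                throw new IllegalStateException(
                        "Expected at most one PermissionEvaluator bean but found "
                                + names.length + ": " + Arrays.toString(names)
                                + ". hasPermission() may be evaluated by"
                                + " DenyAllPermissionEvaluator and always deny.");
            }
        };
    }

    // Explicit wiring: hasPermission() uses exactly the evaluator passed in
    // here instead of relying on auto-detection. Injecting by type also fails
    // startup with NoUniqueBeanDefinitionException when several candidates
    // exist and none is marked @Primary.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(
            PermissionEvaluator permissionEvaluator) {
        DefaultMethodSecurityExpressionHandler handler =
                new DefaultMethodSecurityExpressionHandler();
        // Without this call the handler keeps its default,
        // DenyAllPermissionEvaluator.
        handler.setPermissionEvaluator(permissionEvaluator);
        return handler;
    }
}
```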