Decouple authorities from SecurityPrincipal

Description

SecurityPrincipal - and the default implementation in UserModule - directly has a getAuthorities method. Decouple it from the interface and migrate to an authoritybuilder approach.

The CurrentSecurityPrincipalProxy can keep all calls for authority checking. Afterwards the default implementation in UserModule should be refactored. User implementation should possibly be decoupled from UserDetails for more flexibility.

This will be a major refactoring breaking current implementation. Purpose is to improve performance and extensibility, while remaining consistent.

Limitations of the current implementation in UserModule (in part due to the baseline put by SpringSecurityModule):

  • performance of repeated getAuthorities() calls on a User with multiple granted authorities (roles with permissions, groups with roles with permissions etc)

  • serialization of authorities (eg in OAuth2Module)

  • not easy to have scoped authentication, limit on the set of authorities based on a super scope (eg. run as but with limited features)

Status

Assignee

Marc Vanbrabant

Reporter

Arne Vandamme

Labels

Priority

Critical
Configure