
SEC-3011: AbstractUrlAuthorizationConfigurer postProcess default AccessDecisionManager

Rob Winch 10 年之前
07fb2af74b

+ 2 - 1
config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -156,7 +156,8 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
 	 * @return the default {@code AccessDecisionManager}
 	 */
 	private AccessDecisionManager createDefaultAccessDecisionManager(H http) {
-		return new AffirmativeBased(getDecisionVoters(http));
+		AffirmativeBased result = new AffirmativeBased(getDecisionVoters(http));
+		return postProcess(result);
 	}
 
 	/**
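Review bot: The Javadoc on createDefaultAccessDecisionManager (its opening lines are above the hunk) still describes the result only as "the default AccessDecisionManager", while the new body now routes the instance through postProcess before returning it; the contract change is worth stating where the next maintainer will look. I would add a line to the Javadoc such as `* The default instance is passed through {@link #postProcess(Object)} so the configured ObjectPostProcessor sees it before it is returned.` Note that this path is taken only for the default manager created here; whether a caller-supplied AccessDecisionManager is post-processed elsewhere is not visible in this hunk, and the Javadoc should say which case it covers if both exist.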

+ 49 - 2
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy

@@ -19,9 +19,12 @@ import static org.springframework.security.config.annotation.web.configurers.Exp
 
 import javax.servlet.http.HttpServletResponse
 
+import org.springframework.beans.BeansException
 import org.springframework.beans.factory.BeanCreationException
+import org.springframework.beans.factory.config.BeanPostProcessor
 import org.springframework.context.ApplicationListener
-import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Bean
+import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.event.AuthorizedEvent
 import org.springframework.security.access.vote.AffirmativeBased
 import org.springframework.security.authentication.RememberMeAuthenticationToken
@@ -31,7 +34,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerConfigs.CustomExpressionRootConfig;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerConfigs.CustomExpressionRootConfig
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor
 
@@ -527,4 +530,48 @@ public class ExpressionUrlAuthorizationConfigurerTests extends BaseSpringSpec {
 		then: "custom bean expression denies access"
 			response.status == HttpServletResponse.SC_FORBIDDEN
 	}
+
+	def "SEC-3011: Default AccessDecisionManager postProcessed"() {
+		when:
+		loadConfig(Sec3011Config)
+		then:
+		context.getBean(MockBeanPostProcessor).beans.find { it instanceof AccessDecisionManager }
+	}
+
+	@EnableWebSecurity
+	static class Sec3011Config extends WebSecurityConfigurerAdapter {
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.authorizeRequests()
+					.anyRequest().authenticated();
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			auth
+				.inMemoryAuthentication();
+		}
+
+		@Bean
+		static MockBeanPostProcessor mbpp() {
+			return new MockBeanPostProcessor();
+		}
+	}
+
+	static class MockBeanPostProcessor implements BeanPostProcessor {
+		List<Object> beans = new ArrayList<Object>();
+
+		public Object postProcessBeforeInitialization(Object bean,
+				String beanName) throws BeansException {
+			beans.add(bean);
+			return bean;
+		}
+
+		public Object postProcessAfterInitialization(Object bean,
+				String beanName) throws BeansException {
+
+			return bean;
+		}
+
+	}
 }
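Review bot: The new test only asserts that some AccessDecisionManager instance passed through MockBeanPostProcessor.postProcessBeforeInitialization; it does not assert that this is the instance actually wired into the FilterSecurityInterceptor, so a post-processed manager that is then discarded would still pass. If the base spec offers a way to reach the registered FilterSecurityInterceptor (that type is already imported at the top of the file), comparing its access decision manager against the recorded bean would pin the intended behaviour. Separately, the added import `import org.springframework.security.access.AccessDecisionManager;` keeps a trailing semicolon while the same section strips one from the CustomExpressionRootConfig import; drop it for consistency with the file's Groovy style.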