Add Supplier Support

Issue gh-14597
2024-03-21 15:50:18 -06:00 · 2024-03-21 15:50:18 -06:00 · 12ea8a5738
parent 795e44d11f
commit 12ea8a5738
2 changed files with 21 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java
@ -254,7 +254,8 @@ public final class AuthorizationAdvisorProxyFactory
 		/**
 		 * The default {@link TargetVisitor}, which will proxy {@link Class} instances as
 		 * well as instances contained in reactive types (if reactor is present),
-		 * collection types, and other container types like {@link Optional}
+		 * collection types, and other container types like {@link Optional} and
+		 * {@link Supplier}
 		 */
 		static TargetVisitor defaults() {
 			return AuthorizationAdvisorProxyFactory.DEFAULT_VISITOR;
@ -351,6 +352,9 @@ public final class AuthorizationAdvisorProxyFactory
 			if (target instanceof Optional<?> optional) {
 				return proxyOptional(proxyFactory, optional);
 			}
+			if (target instanceof Supplier<?> supplier) {
+				return proxySupplier(proxyFactory, supplier);
+			}
 			return null;
 		}

@ -483,6 +487,10 @@ public final class AuthorizationAdvisorProxyFactory
 			return optional.map(proxyFactory::proxy);
 		}

+		private Supplier<?> proxySupplier(AuthorizationProxyFactory proxyFactory, Supplier<?> supplier) {
+			return () -> proxyFactory.proxy(supplier.get());
+		}
+
 	}

 	private static class ReactiveTypeVisitor implements TargetVisitor {
--- a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
@ -31,6 +31,7 @@ import java.util.SortedMap;
 import java.util.SortedSet;
 import java.util.TreeMap;
 import java.util.TreeSet;
+import java.util.function.Supplier;
 import java.util.stream.Stream;

 import org.jetbrains.annotations.NotNull;
@ -242,6 +243,17 @@ public class AuthorizationAdvisorProxyFactoryTests {
 		SecurityContextHolder.clearContext();
 	}

+	@Test
+	public void proxyWhenPreAuthorizeForSupplierThenHonors() {
+		SecurityContextHolder.getContext().setAuthentication(this.user);
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		Supplier<Flight> flights = () -> this.flight;
+		assertThat(flights.get().getAltitude()).isEqualTo(35000d);
+		Supplier<Flight> secured = proxy(factory, flights);
+		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> secured.get().getAltitude());
+		SecurityContextHolder.clearContext();
+	}
+
 	@Test
 	public void proxyWhenPreAuthorizeForStreamThenHonors() {
 		SecurityContextHolder.getContext().setAuthentication(this.user);