#138 WebInvocationPrivilegeEvaluator has default value

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -88,6 +88,10 @@ public final class WebSecurity extends
 
     private SecurityExpressionHandler<FilterInvocation> expressionHandler = new DefaultWebSecurityExpressionHandler();
 
+    private Runnable postBuildAction = new Runnable() {
+        public void run() {}
+    };
+
     /**
      * Creates a new instance
      * @see WebSecurityConfiguration
@@ -198,7 +202,7 @@ public final class WebSecurity extends
     /**
      * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is
      * null, then a {@link DefaultWebInvocationPrivilegeEvaluator} will be
-     * created when {@link #setSecurityInterceptor(FilterSecurityInterceptor)}
+     * created when {@link #securityInterceptor(FilterSecurityInterceptor)}
      * is non null.
      *
      * @param privilegeEvaluator
@@ -246,9 +250,22 @@ public final class WebSecurity extends
     /**
      * Sets the {@link FilterSecurityInterceptor}. This is typically invoked by {@link WebSecurityConfigurerAdapter}.
      * @param securityInterceptor the {@link FilterSecurityInterceptor} to use
+     * @return the {@link WebSecurity} for further customizations
      */
-    public void setSecurityInterceptor(FilterSecurityInterceptor securityInterceptor) {
+    public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor) {
         this.filterSecurityInterceptor = securityInterceptor;
+        return this;
+    }
+
+    /**
+     * Executes the Runnable immediately after the build takes place
+     *
+     * @param postBuildAction
+     * @return the {@link WebSecurity} for further customizations
+     */
+    public WebSecurity postBuildAction(Runnable postBuildAction) {
+        this.postBuildAction = postBuildAction;
+        return this;
     }
 
     @Override
@@ -278,6 +295,7 @@ public final class WebSecurity extends
                     "********************************************************************\n\n");
             result = new DebugFilter(filterChainProxy);
         }
+        postBuildAction.run();
         return result;
     }
 

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -243,12 +243,17 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
     }
 
     @Override
-    public void init(WebSecurity web) throws Exception {
+    public void init(final WebSecurity web) throws Exception {
-        HttpSecurity http = getHttp();
+        final HttpSecurity http = getHttp();
-        FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
         web
             .addSecurityFilterChainBuilder(http)
-            .setSecurityInterceptor(securityInterceptor);
+            .postBuildAction(new Runnable() {
+                @Override
+                public void run() {
+                    FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
+                    web.securityInterceptor(securityInterceptor);
+                }
+            });
     }
 
     /**
@@ -298,6 +303,7 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
         this.objectPostProcessor = objectPostProcessor;
     }
 
+
     /**
      * Delays the use of the {@link AuthenticationManager} build from the
      * {@link AuthenticationManagerBuilder} to ensure that it has been fully

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -106,6 +106,7 @@ abstract class AbstractInterceptUrlConfigurer<H extends HttpSecurityBuilder<H>,C
         if(filterSecurityInterceptorOncePerRequest != null) {
             securityInterceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
         }
+        securityInterceptor = postProcess(securityInterceptor);
         http.addFilter(securityInterceptor);
         http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);
     }

config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.groovy

@@ -32,6 +32,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.builders.WebSecurity
 import org.springframework.security.web.FilterChainProxy
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.web.access.expression.WebSecurityExpressionHandler;
@@ -235,4 +236,25 @@ class WebSecurityConfigurationTests extends BaseSpringSpec {
                     .anyRequest().authenticated()
         }
     }
+
+    def "#138 WebInvocationPrivilegeEvaluator defaults"() {
+        when:
+            loadConfig(WebInvocationPrivilegeEvaluatorDefaultsConfig)
+        then:
+            WebInvocationPrivilegeEvaluator wipe = context.getBean(WebInvocationPrivilegeEvaluator)
+            wipe instanceof DefaultWebInvocationPrivilegeEvaluator
+            wipe.securityInterceptor != null
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class WebInvocationPrivilegeEvaluatorDefaultsConfig extends WebSecurityConfigurerAdapter {
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http
+                .authorizeUrls()
+                    .anyRequest().authenticated()
+        }
+    }
 }