Use AuthorizationEventPublisher Bean

- For Jsr250MethodInterceptor and SecuredMethodInterceptor

Closes gh-14401

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@ import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
@@ -56,6 +57,7 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware {
 	static MethodInterceptor jsr250AuthorizationMethodInterceptor(
 			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
+			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
 			ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
 			Jsr250MethodSecurityConfiguration configuration) {
 		Jsr250AuthorizationManager jsr250 = new Jsr250AuthorizationManager();
@@ -72,6 +74,7 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware {
 			.jsr250(manager);
 		interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset);
 		interceptor.setSecurityContextHolderStrategy(strategy);
+		eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher);
 		return interceptor;
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@ import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.SecuredAuthorizationManager;
@@ -55,6 +56,7 @@ final class SecuredMethodSecurityConfiguration implements ImportAware {
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor securedAuthorizationMethodInterceptor(
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
+			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
 			ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
 			SecuredMethodSecurityConfiguration configuration) {
 		SecuredAuthorizationManager secured = new SecuredAuthorizationManager();
@@ -70,6 +72,7 @@ final class SecuredMethodSecurityConfiguration implements ImportAware {
 			.secured(manager);
 		interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset);
 		interceptor.setSecurityContextHolderStrategy(strategy);
+		eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher);
 		return interceptor;
 	}
 

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -442,7 +442,6 @@ public class PrePostMethodSecurityConfigurationTests {
 		assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse();
 	}
 
-	// gh-13572
 	@Test
 	public void configureWhenBeanOverridingDisallowedThenWorks() {
 		this.spring.register(MethodSecurityServiceConfig.class, BusinessServiceConfig.class)
@@ -468,6 +467,30 @@ public class PrePostMethodSecurityConfigurationTests {
 		this.methodSecurityService.jsr250RolesAllowedUser();
 	}
 
+	@WithMockUser(roles = "ADMIN")
+	@Test
+	public void methodSecurityAdminWhenAuthorizationEventPublisherBeanAvailableThenUses() {
+		this.spring
+			.register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class,
+					AuthorizationEventPublisherConfig.class)
+			.autowire();
+		this.methodSecurityService.preAuthorizeUser();
+		this.methodSecurityService.securedUser();
+		this.methodSecurityService.jsr250RolesAllowedUser();
+	}
+
+	@WithMockUser
+	@Test
+	public void methodSecurityUserWhenAuthorizationEventPublisherBeanAvailableThenUses() {
+		this.spring
+			.register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class,
+					AuthorizationEventPublisherConfig.class)
+			.autowire();
+		this.methodSecurityService.preAuthorizeUser();
+		this.methodSecurityService.securedUser();
+		this.methodSecurityService.jsr250RolesAllowedUser();
+	}
+
 	@Test
 	public void allAnnotationsWhenAdviceBeforeOffsetPreFilterThenReturnsFilteredList() {
 		this.spring.register(ReturnBeforeOffsetPreFilterConfig.class).autowire();