From 3f65f600de0af3babc5367ba490dc1814f4c7b70 Mon Sep 17 00:00:00 2001 From: DingHao Date: Mon, 8 Jan 2024 17:55:21 +0800 Subject: [PATCH] Use AuthorizationEventPublisher Bean - For Jsr250MethodInterceptor and SecuredMethodInterceptor Closes gh-14401 --- .../Jsr250MethodSecurityConfiguration.java | 5 +++- .../SecuredMethodSecurityConfiguration.java | 5 +++- ...ePostMethodSecurityConfigurationTests.java | 27 +++++++++++++++++-- 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java index c7bee6a725..39567ddfdc 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ import org.springframework.core.type.AnnotationMetadata; import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authorization.AuthoritiesAuthorizationManager; +import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; import org.springframework.security.authorization.method.Jsr250AuthorizationManager; 
@@ -56,6 +57,7 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware { static MethodInterceptor jsr250AuthorizationMethodInterceptor( ObjectProvider defaultsProvider, ObjectProvider strategyProvider, + ObjectProvider eventPublisherProvider, ObjectProvider registryProvider, ObjectProvider roleHierarchyProvider, Jsr250MethodSecurityConfiguration configuration) { Jsr250AuthorizationManager jsr250 = new Jsr250AuthorizationManager(); @@ -72,6 +74,7 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware { .jsr250(manager); interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset); interceptor.setSecurityContextHolderStrategy(strategy); + eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher); return interceptor; } diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java index 78ea66606c..a190938878 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
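Review bot: The added `eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher)` line leaves the no-bean case undocumented. When the context holds no AuthorizationEventPublisher the setter is never called and the interceptor keeps whatever publisher it was constructed with, so `@RolesAllowed` decisions can still go unrecorded for anyone who treats these events as an audit trail. I would put a comment above the call, for example `// Optional: without an AuthorizationEventPublisher bean the interceptor keeps its default publisher, so no custom audit events are emitted`. As far as I know `ifAvailable` also fails bean resolution when several candidates exist and none is primary, which deserves a word in the same comment. The identical line added to `securedAuthorizationMethodInterceptor` in SecuredMethodSecurityConfiguration.java needs the same comment; both methods begin outside their hunks.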
@@ -31,6 +31,7 @@ import org.springframework.security.access.annotation.Secured; import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authorization.AuthoritiesAuthorizationManager; +import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; import org.springframework.security.authorization.method.SecuredAuthorizationManager; @@ -55,6 +56,7 @@ final class SecuredMethodSecurityConfiguration implements ImportAware { @Role(BeanDefinition.ROLE_INFRASTRUCTURE) static MethodInterceptor securedAuthorizationMethodInterceptor( ObjectProvider strategyProvider, + ObjectProvider eventPublisherProvider, ObjectProvider registryProvider, ObjectProvider roleHierarchyProvider, SecuredMethodSecurityConfiguration configuration) { SecuredAuthorizationManager secured = new SecuredAuthorizationManager(); @@ -70,6 +72,7 @@ final class SecuredMethodSecurityConfiguration implements ImportAware { .secured(manager); interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset); interceptor.setSecurityContextHolderStrategy(strategy); + eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher); return interceptor; } diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java index 746fb13785..77988ed102 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -442,7 +442,6 @@ public class PrePostMethodSecurityConfigurationTests { assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse(); } - // gh-13572 @Test public void configureWhenBeanOverridingDisallowedThenWorks() { this.spring.register(MethodSecurityServiceConfig.class, BusinessServiceConfig.class) @@ -468,6 +467,30 @@ public class PrePostMethodSecurityConfigurationTests { this.methodSecurityService.jsr250RolesAllowedUser(); } + @WithMockUser(roles = "ADMIN") + @Test + public void methodSecurityAdminWhenAuthorizationEventPublisherBeanAvailableThenUses() { + this.spring + .register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class, + AuthorizationEventPublisherConfig.class) + .autowire(); + this.methodSecurityService.preAuthorizeUser(); + this.methodSecurityService.securedUser(); + this.methodSecurityService.jsr250RolesAllowedUser(); + } + + @WithMockUser + @Test + public void methodSecurityUserWhenAuthorizationEventPublisherBeanAvailableThenUses() { + this.spring + .register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class, + AuthorizationEventPublisherConfig.class) + .autowire(); + this.methodSecurityService.preAuthorizeUser(); + this.methodSecurityService.securedUser(); + this.methodSecurityService.jsr250RolesAllowedUser(); + } + @Test public void allAnnotationsWhenAdviceBeforeOffsetPreFilterThenReturnsFilteredList() { this.spring.register(ReturnBeforeOffsetPreFilterConfig.class).autowire();
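Review bot: The two added tests never check that the publisher was actually invoked. `methodSecurityAdminWhenAuthorizationEventPublisherBeanAvailableThenUses` and `methodSecurityUserWhenAuthorizationEventPublisherBeanAvailableThenUses` only call `preAuthorizeUser()`, `securedUser()` and `jsr250RolesAllowedUser()`. Unless `AuthorizationEventPublisherConfig` (defined outside this hunk) does its own checking, they would still pass if the `@Secured` and JSR-250 interceptors ignored the bean. I would fetch the publisher from the context and verify one event per call, for example with a mock publisher and `verify(publisher, times(3)).publishAuthorizationEvent(any(), any(), any());`. Both tests also appear to exercise only permitted calls; a case where `securedUser()` or `jsr250RolesAllowedUser()` is denied and the event is still published would cover the path that matters most for audit logging.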