SEC-2479: Search parent context for AuthenticationManager

2025-06-23 12:32:13 +00:00 · 2014-02-11 21:59:23 -06:00 · 2014-02-11 21:59:23 -06:00 · 7a3da28987
commit 7a3da28987
parent e17adad878
2 changed files with 40 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
@ -24,6 +24,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.aop.framework.ProxyFactoryBean;
 import org.springframework.aop.target.LazyInitTargetSource;
+import org.springframework.beans.factory.BeanFactoryUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
@ -104,7 +105,7 @@ public class AuthenticationConfiguration {
    @SuppressWarnings("unchecked")
    private <T> T lazyBean(Class<T> interfaceName) {
        LazyInitTargetSource lazyTargetSource = new LazyInitTargetSource();
-        String[] beanNamesForType = applicationContext.getBeanNamesForType(interfaceName);
+        String[] beanNamesForType = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(applicationContext, interfaceName);
        if(beanNamesForType.length == 0) {
            return null;
        }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
@ -22,6 +22,7 @@ import org.aopalliance.intercept.MethodInterceptor
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.ApplicationContext
 import org.springframework.context.ApplicationListener
+import org.springframework.context.annotation.AnnotationConfigApplicationContext
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.access.AccessDeniedException
@ -301,4 +302,41 @@ public class GlobalMethodSecurityConfigurationTests extends BaseSpringSpec {
            new MethodSecurityServiceImpl()
        }
    }
+
+    def "SEC-2479: Support AuthenticationManager in parent"() {
+        setup:
+            SecurityContextHolder.getContext().setAuthentication(
+                new TestingAuthenticationToken("user", "password","ROLE_USER"))
+            loadConfig(Sec2479ParentConfig)
+            def child = new AnnotationConfigApplicationContext()
+            child.register(Sec2479ChildConfig)
+            child.parent = context
+            child.refresh()
+            MethodSecurityService service = child.getBean(MethodSecurityService)
+        when:
+            service.preAuthorize()
+        then:
+            thrown(AccessDeniedException)
+        cleanup:
+            child?.close()
+    }
+
+    @Configuration
+    static class Sec2479ParentConfig {
+        static AuthenticationManager AM
+
+        @Bean
+        public AuthenticationManager am() {
+            AM
+        }
+    }
+
+    @Configuration
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    static class Sec2479ChildConfig {
+        @Bean
+        public MethodSecurityService service() {
+            new MethodSecurityServiceImpl()
+        }
+    }
 }