SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver

2013-09-20 15:53:58 -05:00 · 2013-09-20 15:53:58 -05:00 · a3d112979f
parent f294480e6b
commit a3d112979f
4 changed files with 65 additions and 6 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
@ -64,6 +64,7 @@ import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.config.PostProcessedMockUserDetailsService;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.util.Assert;
@ -206,7 +207,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
     *
     * @return
     */
-    protected MethodSecurityExpressionHandler expressionHandler() {
+    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return defaultMethodExpressionHandler;
    }

@ -217,7 +218,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
     */
    protected final MethodSecurityExpressionHandler getExpressionHandler() {
        if(expressionHandler == null) {
-            expressionHandler = expressionHandler();
+            expressionHandler = createExpressionHandler();
        }
        return expressionHandler;
    }
@ -358,6 +359,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
    @Autowired(required=false)
    public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
        this.objectPostProcessor = objectPostProcessor;
+        this.defaultMethodExpressionHandler = objectPostProcessor.postProcess(defaultMethodExpressionHandler);
    }

    @SuppressWarnings("unchecked")
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
@ -23,18 +23,21 @@ import org.springframework.context.ApplicationContext
 import org.springframework.context.ApplicationListener
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.security.access.AccessDecisionManager
-import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler
+import org.springframework.security.access.AccessDeniedException
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.AuthenticationTrustResolver
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher
+import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent
+import org.springframework.security.config.MockAfterInvocationProvider;
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.authority.AuthorityUtils
+import org.springframework.security.core.context.SecurityContextHolder

 /**
 *
@ -109,4 +112,58 @@ public class GlobalMethodSecurityConfigurationTests extends BaseSpringSpec {
            return TR
        }
    }
+
+    def "SEC-2301: DefaultWebSecurityExpressionHandler has BeanResolver set"() {
+        setup:
+            SecurityContextHolder.getContext().setAuthentication(
+                new TestingAuthenticationToken("user", "password","ROLE_USER"))
+            loadConfig(ExpressionHandlerHasBeanResolverSetConfig)
+            def service = context.getBean(ServiceImpl)
+        when: "service with bean reference on PreAuthorize invoked"
+            service.message()
+        then: "properly throws AccessDeniedException"
+            thrown(AccessDeniedException)
+        when: "service with bean reference on PreAuthorize invoked"
+            context.getBean(CustomAuthzService).grantAccess = true
+            service.message()
+        then: "grants access too"
+            noExceptionThrown()
+    }
+
+    @Configuration
+    @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
+    static class ExpressionHandlerHasBeanResolverSetConfig extends GlobalMethodSecurityConfiguration {
+
+        @Override
+        protected void registerAuthentication(AuthenticationManagerBuilder auth)
+                throws Exception {
+            auth
+                .inMemoryAuthentication()
+        }
+
+        @Bean
+        public ServiceImpl service() {
+            return new ServiceImpl()
+        }
+
+        @Bean
+        public CustomAuthzService authz() {
+            return new CustomAuthzService()
+        }
+    }
+
+    static class ServiceImpl {
+        @PreAuthorize("@authz.authorize()")
+        public String message() {
+            null
+        }
+    }
+
+    static class CustomAuthzService {
+        boolean grantAccess
+
+        public boolean authorize() {
+            grantAccess
+        }
+    }
 }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy
@ -77,7 +77,7 @@ public class NamespaceGlobalMethodSecurityExpressionHandlerTests extends BaseSpr
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class CustomAccessDecisionManagerConfig extends GlobalMethodSecurityConfiguration {
        @Override
-        protected MethodSecurityExpressionHandler expressionHandler() {
+        protected MethodSecurityExpressionHandler createExpressionHandler() {
            DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler()
            expressionHandler.permissionEvaluator = new PermissionEvaluator() {
                boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy
@ -97,7 +97,7 @@ public class SampleEnableGlobalMethodSecurityTests extends BaseSpringSpec {
        }

        @Override
-        protected MethodSecurityExpressionHandler expressionHandler() {
+        protected MethodSecurityExpressionHandler createExpressionHandler() {
            DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
            expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
            return expressionHandler;