Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix Circular Dependency 

Closes gh-14674
This commit is contained in:
Josh Cummings 2024-03-01 13:17:25 -07:00
parent 07ac0b616b
commit bade66e588
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 62 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java
View File

@ -16,12 +16,19 @@
package org.springframework.security.config.annotation.method.configuration; package org.springframework.security.config.annotation.method.configuration;
import java.util.function.Consumer;
import java.util.function.Supplier; import java.util.function.Supplier;
import io.micrometer.observation.ObservationRegistry; import io.micrometer.observation.ObservationRegistry;
import org.aopalliance.aop.Advice;
import org.aopalliance.intercept.MethodInterceptor; import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation; import org.aopalliance.intercept.MethodInvocation;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.aop.Pointcut;
import org.springframework.aop.PointcutAdvisor;
import org.springframework.aop.framework.AopInfrastructureBean;
import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
@ -29,10 +36,8 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportAware; import org.springframework.context.annotation.ImportAware;
import org.springframework.context.annotation.Role; import org.springframework.context.annotation.Role;
import org.springframework.core.Ordered;
import org.springframework.core.type.AnnotationMetadata; import org.springframework.core.type.AnnotationMetadata;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
@ -47,7 +52,6 @@ import org.springframework.security.authorization.method.PreAuthorizeAuthorizati
import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor; import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor;
import org.springframework.security.authorization.method.PrePostTemplateDefaults; import org.springframework.security.authorization.method.PrePostTemplateDefaults;
import org.springframework.security.config.core.GrantedAuthorityDefaults; import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.util.function.SingletonSupplier; import org.springframework.util.function.SingletonSupplier;
@ -76,11 +80,12 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
ApplicationContext context) { ApplicationContext context) {
PreFilterAuthorizationMethodInterceptor preFilter = new PreFilterAuthorizationMethodInterceptor(); PreFilterAuthorizationMethodInterceptor preFilter = new PreFilterAuthorizationMethodInterceptor();
preFilter.setOrder(preFilter.getOrder() + configuration.interceptorOrderOffset); preFilter.setOrder(preFilter.getOrder() + configuration.interceptorOrderOffset);
strategyProvider.ifAvailable(preFilter::setSecurityContextHolderStrategy); return new DeferringMethodInterceptor<>(preFilter, (f) -> {
methodSecurityDefaultsProvider.ifAvailable(preFilter::setTemplateDefaults); methodSecurityDefaultsProvider.ifAvailable(f::setTemplateDefaults);
preFilter.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider, f.setExpressionHandler(expressionHandlerProvider
defaultsProvider, roleHierarchyProvider, context)); .getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, roleHierarchyProvider, context)));
return preFilter; strategyProvider.ifAvailable(f::setSecurityContextHolderStrategy);
});
} }
@Bean @Bean
@ -94,15 +99,16 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider, ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
PrePostMethodSecurityConfiguration configuration, ApplicationContext context) { PrePostMethodSecurityConfiguration configuration, ApplicationContext context) {
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager(); PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
manager.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
defaultsProvider, roleHierarchyProvider, context));
AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
.preAuthorize(manager(manager, registryProvider)); .preAuthorize(manager(manager, registryProvider));
preAuthorize.setOrder(preAuthorize.getOrder() + configuration.interceptorOrderOffset); preAuthorize.setOrder(preAuthorize.getOrder() + configuration.interceptorOrderOffset);
strategyProvider.ifAvailable(preAuthorize::setSecurityContextHolderStrategy); return new DeferringMethodInterceptor<>(preAuthorize, (f) -> {
eventPublisherProvider.ifAvailable(preAuthorize::setAuthorizationEventPublisher); methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
return preAuthorize; manager.setExpressionHandler(expressionHandlerProvider
.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, roleHierarchyProvider, context)));
strategyProvider.ifAvailable(f::setSecurityContextHolderStrategy);
eventPublisherProvider.ifAvailable(f::setAuthorizationEventPublisher);
});
} }
@Bean @Bean
@ -116,15 +122,16 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider, ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
PrePostMethodSecurityConfiguration configuration, ApplicationContext context) { PrePostMethodSecurityConfiguration configuration, ApplicationContext context) {
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager(); PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
manager.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
defaultsProvider, roleHierarchyProvider, context));
AuthorizationManagerAfterMethodInterceptor postAuthorize = AuthorizationManagerAfterMethodInterceptor AuthorizationManagerAfterMethodInterceptor postAuthorize = AuthorizationManagerAfterMethodInterceptor
.postAuthorize(manager(manager, registryProvider)); .postAuthorize(manager(manager, registryProvider));
postAuthorize.setOrder(postAuthorize.getOrder() + configuration.interceptorOrderOffset); postAuthorize.setOrder(postAuthorize.getOrder() + configuration.interceptorOrderOffset);
strategyProvider.ifAvailable(postAuthorize::setSecurityContextHolderStrategy); return new DeferringMethodInterceptor<>(postAuthorize, (f) -> {
eventPublisherProvider.ifAvailable(postAuthorize::setAuthorizationEventPublisher); methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
return postAuthorize; manager.setExpressionHandler(expressionHandlerProvider
.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, roleHierarchyProvider, context)));
strategyProvider.ifAvailable(f::setSecurityContextHolderStrategy);
eventPublisherProvider.ifAvailable(f::setAuthorizationEventPublisher);
});
} }
@Bean @Bean
@ -138,11 +145,12 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
ApplicationContext context) { ApplicationContext context) {
PostFilterAuthorizationMethodInterceptor postFilter = new PostFilterAuthorizationMethodInterceptor(); PostFilterAuthorizationMethodInterceptor postFilter = new PostFilterAuthorizationMethodInterceptor();
postFilter.setOrder(postFilter.getOrder() + configuration.interceptorOrderOffset); postFilter.setOrder(postFilter.getOrder() + configuration.interceptorOrderOffset);
strategyProvider.ifAvailable(postFilter::setSecurityContextHolderStrategy); return new DeferringMethodInterceptor<>(postFilter, (f) -> {
methodSecurityDefaultsProvider.ifAvailable(postFilter::setTemplateDefaults); methodSecurityDefaultsProvider.ifAvailable(f::setTemplateDefaults);
postFilter.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider, f.setExpressionHandler(expressionHandlerProvider
defaultsProvider, roleHierarchyProvider, context)); .getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, roleHierarchyProvider, context)));
return postFilter; strategyProvider.ifAvailable(f::setSecurityContextHolderStrategy);
});
} }
private static MethodSecurityExpressionHandler defaultExpressionHandler( private static MethodSecurityExpressionHandler defaultExpressionHandler(
@ -167,42 +175,48 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
this.interceptorOrderOffset = annotation.offset(); this.interceptorOrderOffset = annotation.offset();
} }
private static final class DeferringMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler { private static final class DeferringMethodInterceptor<M extends Ordered & MethodInterceptor & PointcutAdvisor>
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
private final Supplier<MethodSecurityExpressionHandler> expressionHandler; private final Pointcut pointcut;
private DeferringMethodSecurityExpressionHandler( private final int order;
ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
ObjectProvider<GrantedAuthorityDefaults> defaultsProvider, private final Supplier<M> delegate;
ObjectProvider<RoleHierarchy> roleHierarchyProvider, ApplicationContext applicationContext) {
this.expressionHandler = SingletonSupplier.of(() -> expressionHandlerProvider.getIfAvailable( DeferringMethodInterceptor(M delegate, Consumer<M> supplier) {
() -> defaultExpressionHandler(defaultsProvider, roleHierarchyProvider, applicationContext))); this.pointcut = delegate.getPointcut();
this.order = delegate.getOrder();
this.delegate = SingletonSupplier.of(() -> {
supplier.accept(delegate);
return delegate;
});
}
@Nullable
@Override
public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
return this.delegate.get().invoke(invocation);
} }
@Override @Override
public ExpressionParser getExpressionParser() { public Pointcut getPointcut() {
return this.expressionHandler.get().getExpressionParser(); return this.pointcut;
} }
@Override @Override
public EvaluationContext createEvaluationContext(Authentication authentication, MethodInvocation invocation) { public Advice getAdvice() {
return this.expressionHandler.get().createEvaluationContext(authentication, invocation); return this;
} }
@Override @Override
public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, public int getOrder() {
MethodInvocation invocation) { return this.order;
return this.expressionHandler.get().createEvaluationContext(authentication, invocation);
} }
@Override @Override
public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) { public boolean isPerInstance() {
return this.expressionHandler.get().filter(filterTarget, filterExpression, ctx); return true;
}
@Override
public void setReturnObject(Object returnObject, EvaluationContext ctx) {
this.expressionHandler.get().setReturnObject(returnObject, ctx);
} }
} }