
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.

Luke Taylor il y a 15 ans
Parent
commit
bd2fd3448b

+ 14 - 0
config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java

@@ -269,6 +269,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
         assertEquals("bob", result[0]);
     }
 
+    // SEC-1392
+    @Test
+    public void customPermissionEvaluatorIsSupported() throws Exception {
+        setContext(
+                "<global-method-security pre-post-annotations='enabled'>" +
+                "   <expression-handler ref='expressionHandler'/>" +
+                "</global-method-security>" +
+                "<b:bean id='expressionHandler' class='org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler'>" +
+                "   <b:property name='permissionEvaluator' ref='myPermissionEvaluator'/>" +
+                "</b:bean>" +
+                "<b:bean id='myPermissionEvaluator' class='org.springframework.security.config.method.TestPermissionEvaluator'/>" +
+                AUTH_PROVIDER_XML);
+    }
+
     @Test
     public void runAsManagerIsSetCorrectly() throws Exception {
         StaticApplicationContext parent = new StaticApplicationContext();
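Review bot: customPermissionEvaluatorIsSupported (L19-L29) makes no assertion after setContext(...), so it only proves that the context starts with the custom evaluator declared; nothing checks that `myPermissionEvaluator` is the evaluator the handler actually uses. If the regression this guards against ever shows up as wrong authorization rather than a startup failure, this test would stay green. A short follow-up assertion that a `hasPermission(...)`-protected call is denied by TestPermissionEvaluator, or that the `expressionHandler` bean delegates to it, would pin the intended behaviour — the exact form depends on the test fixtures, which sit outside this hunk, as does the rest of the enclosing class.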

+ 19 - 0
config/src/test/java/org/springframework/security/config/method/TestPermissionEvaluator.java

@@ -0,0 +1,19 @@
+package org.springframework.security.config.method;
+
+import java.io.Serializable;
+
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+
+public class TestPermissionEvaluator implements PermissionEvaluator {
+
+    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+        return false;
+    }
+
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
+            Object permission) {
+        return false;
+    }
+
+}
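Review bot: TestPermissionEvaluator has no class comment, and both overloads unconditionally return false, which a reader may mistake for an incomplete stub rather than a deliberate deny-all fixture. A one-line Javadoc above the class would make the intent explicit, e.g. `/** Deny-all {@link PermissionEvaluator} used to check that a custom evaluator can be declared in the namespace config (SEC-1392). */`. Since it is a test double, it may also be worth a brief comment that the denial is intentional so nobody "fixes" it later.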

+ 2 - 1
core/src/main/java/org/springframework/security/access/PermissionEvaluator.java

@@ -2,6 +2,7 @@ package org.springframework.security.access;
 
 import java.io.Serializable;
 
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -12,7 +13,7 @@ import org.springframework.security.core.Authentication;
  * @author Luke Taylor
  * @since 3.0
  */
-public interface PermissionEvaluator {
+public interface PermissionEvaluator extends AopInfrastructureBean {
     /**
      *
      * @param authentication represents the user in question. Should not be null.
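Review bot: Making PermissionEvaluator extend AopInfrastructureBean (L75) changes the public contract of the interface: Spring's auto-proxy creators skip beans implementing that marker, so every application-provided evaluator is now excluded from proxying and any advice it relied on (declarative transactions on a database-backed evaluator, caching, security on its own methods) is silently dropped. The interface Javadoc, which continues outside this hunk, does not mention this. I would add a sentence such as `* Implementations are treated as AOP infrastructure and will not be auto-proxied; do not rely on aspects being applied to them.` next to the existing class-level description. The same point applies to MethodSecurityExpressionHandler in the next file section.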

+ 2 - 1
core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionHandler.java

@@ -1,6 +1,7 @@
 package org.springframework.security.access.expression.method;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
@@ -13,7 +14,7 @@ import org.springframework.security.core.Authentication;
  * @author Luke Taylor
  * @since 3.0
  */
-public interface MethodSecurityExpressionHandler {
+public interface MethodSecurityExpressionHandler extends AopInfrastructureBean {
     /**
      * @return an expression parser for the expressions used by the implementation.
      */