From c4f061c63d3c96a5cdaa787f808607bedf429dfd Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 24 Jul 2023 11:24:03 -0600
Subject: [PATCH] Do Not Re-register Method Security Advisors
Closes gh-13572
---
 .../MethodSecurityAdvisorRegistrar.java | 4 ++++
 .../PrePostMethodSecurityConfigurationTests.java | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java
index 3735117cf3..409f6fa1ea 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java
@@ -36,6 +36,10 @@ class MethodSecurityAdvisorRegistrar implements ImportBeanDefinitionRegistrar {
 }
 private void registerAsAdvisor(String prefix, BeanDefinitionRegistry registry) {
+ String advisorName = prefix + "Advisor";
+ if (registry.containsBeanDefinition(advisorName)) {
+ return;
+ }
 String interceptorName = prefix + "MethodInterceptor";
 if (!registry.containsBeanDefinition(interceptorName)) {
 return;
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
index 4459ea2c21..6dd01ace26 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
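Review bot: The new early return in `registerAsAdvisor` treats any existing definition named `prefix + "Advisor"` as this registrar's own and skips without a trace, so a same-named definition from another source would now silently suppress the advisor. A comment on the guard would record that assumption, for example `// already registered by an earlier run of this registrar; skip so contexts that disallow bean definition overriding still start (gh-13572)`. Since these advisors appear to back method-level authorization, a debug log on the skip path would help when diagnosing why an annotation is not being enforced. The rest of the method lies outside the hunk; if the later registration still builds the name with `prefix + "Advisor"`, it could reuse `advisorName`.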
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.function.Consumer;
 import java.util.function.Supplier;
 import org.aopalliance.intercept.MethodInterceptor;
@@ -64,6 +65,8 @@ import org.springframework.security.test.context.support.WithSecurityContextTest
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestExecutionListeners;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.web.context.ConfigurableWebApplicationContext;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -418,6 +421,17 @@ public class PrePostMethodSecurityConfigurationTests {
 assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse();
 }
+ // gh-13572
+ @Test
+ public void configureWhenBeanOverridingDisallowedThenWorks() {
+ this.spring.register(MethodSecurityServiceConfig.class, BusinessServiceConfig.class)
+ .postProcessor(disallowBeanOverriding()).autowire();
+ }
+
+ private static Consumer disallowBeanOverriding() {
+ return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
+ }
+
 @EnableMethodSecurity
 static class MethodSecurityServiceConfig {
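Review bot: `configureWhenBeanOverridingDisallowedThenWorks` only proves that the context starts with overriding disabled; it never checks that method security is still in force once the registrar skips the repeated registration. An assertion after `autowire()` would catch a regression where the skip leaves a method unprotected, for example `assertThat(this.spring.getContext().containsBean("<advisor bean name>")).isTrue();` (placeholder name), or a call to a protected service method that is expected to be denied. Separately, `disallowBeanOverriding()` returns a raw `Consumer` as shown here, while the newly imported `ConfigurableWebApplicationContext` has no visible use. Declaring the return type as `Consumer<ConfigurableWebApplicationContext>` would use that import and remove the unchecked call, though the type argument may simply have been lost when the page was rendered.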