From c5461b17de56465aade70a8555f2fed831502105 Mon Sep 17 00:00:00 2001 From: Evgeniy Cheban Date: Tue, 2 May 2023 02:46:41 +0300 Subject: [PATCH] EnableMethodSecurity annotation does not get imported when defined as a meta-annotation Closes gh-12870 --- .../configuration/MethodSecuritySelector.java | 5 ++- .../EnableCustomMethodSecurity.java | 41 +++++++++++++++++++ ...ePostMethodSecurityConfigurationTests.java | 28 ++++++++++++- 3 files changed, 71 insertions(+), 3 deletions(-) create mode 100644 config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java index f0ee6d4630..a18578dc59 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -41,7 +41,8 @@ final class MethodSecuritySelector implements ImportSelector { @Override public String[] selectImports(@NonNull AnnotationMetadata importMetadata) { - if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName())) { + if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName()) + && !importMetadata.hasMetaAnnotation(EnableMethodSecurity.class.getName())) { return new String[0]; } EnableMethodSecurity annotation = importMetadata.getAnnotations().get(EnableMethodSecurity.class).synthesize(); diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java new file mode 100644 index 0000000000..3853c0ad08 --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java @@ -0,0 +1,41 @@ +/* + * Copyright 2002-2023 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.config.annotation.method.configuration; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +import org.springframework.context.annotation.AdviceMode; +import org.springframework.core.annotation.AliasFor; + +/** + * @author Evgeniy Cheban + */ +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.TYPE) +@EnableMethodSecurity +public @interface EnableCustomMethodSecurity { + + @AliasFor(annotation = EnableMethodSecurity.class, attribute = "proxyTargetClass") + boolean proxyTargetClass() default false; + + @AliasFor(annotation = EnableMethodSecurity.class, attribute = "mode") + AdviceMode mode() default AdviceMode.PROXY; + +} diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java index dc56480a09..4287fbf625 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -92,6 +92,21 @@ public class PrePostMethodSecurityConfigurationTests { @Autowired(required = false) BusinessService businessService; + @WithMockUser + @Test + public void customMethodSecurityPreAuthorizeAdminWhenRoleUserThenAccessDeniedException() { + this.spring.register(CustomMethodSecurityServiceConfig.class).autowire(); + assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.methodSecurityService::preAuthorizeAdmin) + .withMessage("Access Denied"); + } + + @WithMockUser(roles = "ADMIN") + @Test + public void customMethodSecurityPreAuthorizeAdminWhenRoleAdminThenPasses() { + this.spring.register(CustomMethodSecurityServiceConfig.class).autowire(); + this.methodSecurityService.preAuthorizeAdmin(); + } + @WithMockUser(roles = "ADMIN") @Test public void preAuthorizeWhenRoleAdminThenAccessDeniedException() { @@ -418,6 +433,17 @@ public class PrePostMethodSecurityConfigurationTests { assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse(); } + @Configuration + @EnableCustomMethodSecurity + static class CustomMethodSecurityServiceConfig { + + @Bean + MethodSecurityService methodSecurityService() { + return new MethodSecurityServiceImpl(); + } + + } + @Configuration @EnableMethodSecurity static class MethodSecurityServiceConfig {