SEC-2595: @EnableGlobalMethodSecurity AspectJ tweaks for Spring 3.2.x

2025-07-14 06:13:30 +00:00 · 2014-07-29 09:39:55 -05:00 · 2014-07-29 09:39:55 -05:00 · d85a0a20bc
commit d85a0a20bc
parent 0a45d3170c
4 changed files with 44 additions and 68 deletions
--- a/config/config.gradle
+++ b/config/config.gradle
@ -18,6 +18,7 @@ dependencies {
    optional project(':spring-security-web'),
             project(':spring-security-ldap'),
             project(':spring-security-openid'),
+             project(':spring-security-aspects'),
             "org.springframework:spring-web:$springVersion",
             "org.springframework:spring-webmvc:$springVersion",
             "org.aspectj:aspectjweaver:$aspectjVersion",
@ -28,7 +29,6 @@ dependencies {

    testCompile project(':spring-security-cas'),
                project(':spring-security-core').sourceSets.test.output,
-                project(':spring-security-aspects'),
                'javax.annotation:jsr250-api:1.0',
                "org.springframework.ldap:spring-ldap-core:$springLdapVersion",
                "org.springframework:spring-expression:$springVersion",
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityAspectJAutoProxyRegistrar.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityAspectJAutoProxyRegistrar.java
@ -1,66 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.annotation.method.configuration;
-
-import java.util.Map;
-
-import org.springframework.aop.config.AopConfigUtils;
-import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.beans.factory.support.BeanDefinitionBuilder;
-import org.springframework.beans.factory.support.BeanDefinitionRegistry;
-import org.springframework.context.annotation.ImportBeanDefinitionRegistrar;
-import org.springframework.core.annotation.AnnotationAttributes;
-import org.springframework.core.type.AnnotationMetadata;
-
-/**
- * Registers an
- * {@link org.springframework.aop.aspectj.annotation.AnnotationAwareAspectJAutoProxyCreator
- * AnnotationAwareAspectJAutoProxyCreator} against the current
- * {@link BeanDefinitionRegistry} as appropriate based on a given @
- * {@link EnableGlobalMethodSecurity} annotation.
- *
- * <p>
- * Note: This class is necessary because AspectJAutoProxyRegistrar only supports
- * EnableAspectJAutoProxy.
- * </p>
- *
- * @author Rob Winch
- * @since 3.2
- */
-class GlobalMethodSecurityAspectJAutoProxyRegistrar implements
-        ImportBeanDefinitionRegistrar {
-
-    /**
-     * Register, escalate, and configure the AspectJ auto proxy creator based on
-     * the value of the @{@link EnableGlobalMethodSecurity#proxyTargetClass()}
-     * attribute on the importing {@code @Configuration} class.
-     */
-    public void registerBeanDefinitions(
-            AnnotationMetadata importingClassMetadata,
-            BeanDefinitionRegistry registry) {
-
-        BeanDefinition interceptor = registry.getBeanDefinition("methodSecurityInterceptor");
-
-        BeanDefinitionBuilder aspect =
-                BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect");
-        aspect.setFactoryMethod("aspectOf");
-        aspect.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
-        aspect.addPropertyValue("securityInterceptor", interceptor);
-
-        registry.registerBeanDefinition("annotationSecurityAspect$0", aspect.getBeanDefinition());
-    }
-
-}
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityAspectJConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityAspectJConfiguration.java
@ -0,0 +1,42 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.method.configuration;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionRegistry;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Role;
+import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor;
+import org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect;
+
+/**
+ * Creates the AnnotationSecurityAspect for use with AspectJ based security.
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+class GlobalMethodSecurityAspectJConfiguration {
+
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+    @Bean
+    public AnnotationSecurityAspect annotationSecurityAspect(@Qualifier("methodSecurityInterceptor") MethodInterceptor methodSecurityInterceptor) {
+        AnnotationSecurityAspect result = AnnotationSecurityAspect.aspectOf();
+        result.setSecurityInterceptor((AspectJMethodSecurityInterceptor )methodSecurityInterceptor);
+        return result;
+    }
+}
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecuritySelector.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecuritySelector.java
@ -48,7 +48,7 @@ final class GlobalMethodSecuritySelector implements ImportSelector {

        AdviceMode mode = attributes.getEnum("mode");
        String autoProxyClassName = AdviceMode.PROXY == mode ? AutoProxyRegistrar.class.getName()
-                : GlobalMethodSecurityAspectJAutoProxyRegistrar.class.getName();
+                : GlobalMethodSecurityAspectJConfiguration.class.getName();
        if(skipMethodSecurityConfiguration) {
            return new String[] { autoProxyClassName };
        }