From e7644925f8a3b50db56b21fb60cb020797e8e0e9 Mon Sep 17 00:00:00 2001 From: Max Batischev Date: Fri, 11 Oct 2024 15:43:19 +0300 Subject: [PATCH] Add AuthorizationResult support for AuthorizationManager Closes gh-14843 --- .../http/DefaultFilterChainValidator.java | 10 +++--- .../DefaultFilterChainValidatorTests.java | 3 +- .../security/config/http/HttpConfigTests.java | 3 +- .../WebSocketMessageBrokerConfigTests.java | 1 + .../authorization/AuthorizationManager.java | 17 +++++++++- .../AuthorizationObservationContext.java | 32 +++++++++++++++++-- .../AuthorizationObservationConvention.java | 10 +++--- .../ObservationAuthorizationManager.java | 4 +-- ...servationReactiveAuthorizationManager.java | 4 +-- .../ReactiveAuthorizationManager.java | 15 ++++++++- ...rizationManagerAfterMethodInterceptor.java | 6 ++-- ...ManagerAfterReactiveMethodInterceptor.java | 2 +- ...izationManagerBeforeMethodInterceptor.java | 5 ++- ...anagerBeforeReactiveMethodInterceptor.java | 4 +-- .../NoOpAuthorizationEventPublisher.java | 1 + ...ionManagerAfterMethodInterceptorTests.java | 2 ++ ...erAfterReactiveMethodInterceptorTests.java | 10 ++++++ ...onManagerBeforeMethodInterceptorTests.java | 2 ++ ...rBeforeReactiveMethodInterceptorTests.java | 9 ++++++ .../AuthorizationChannelInterceptor.java | 2 +- .../AuthorizationChannelInterceptorTests.java | 3 ++ ...anagerWebInvocationPrivilegeEvaluator.java | 6 ++-- .../access/intercept/AuthorizationFilter.java | 2 +- ...rWebInvocationPrivilegeEvaluatorTests.java | 7 +++- .../intercept/AuthorizationFilterTests.java | 8 +++++ 25 files changed, 134 insertions(+), 34 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java index 1e89e78cb8..1c140c3edd 100644 --- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java 
+++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,8 +32,8 @@ import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.FilterChainProxy; @@ -221,7 +221,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain AuthorizationManager authorizationManager = authorizationFilter .getAuthorizationManager(); try { - AuthorizationDecision decision = authorizationManager.check(() -> TEST, loginRequest.getHttpRequest()); + AuthorizationResult decision = authorizationManager.authorize(() -> TEST, + loginRequest.getHttpRequest()); return decision != null && decision.isGranted(); } catch (Exception ex) { 
@@ -252,7 +253,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain return () -> { AuthorizationManager authorizationManager = authorizationFilter .getAuthorizationManager(); - AuthorizationDecision decision = authorizationManager.check(() -> token, loginRequest.getHttpRequest()); + AuthorizationResult decision = authorizationManager.authorize(() -> token, + loginRequest.getHttpRequest()); return decision != null && decision.isGranted(); }; } diff --git a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java index a20fe5397f..a5b899db48 100644 --- a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java +++ b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -113,6 +113,7 @@ public class DefaultFilterChainValidatorTests { @Test public void validateCheckLoginPageAllowsAnonymous() { given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.validator.validate(this.chainAuthorizationFilter); verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. " + "This is almost certainly an error. Please check your configuration allows unauthenticated " diff --git a/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java index b8a86d2411..9a4e3b041e 100644 
--- a/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -91,6 +91,7 @@ public class HttpConfigTests { AuthorizationManager authorizationManager = this.spring.getContext() .getBean(AuthorizationManager.class); given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(authorizationManager.authorize(any(), any())).willCallRealMethod(); // @formatter:off this.mvc.perform(get("/")) .andExpect(status().isFound()) diff --git a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java index 7a5e75e938..6e999933a2 100644 --- a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java @@ -514,6 +514,7 @@ public class WebSocketMessageBrokerConfigTests { AuthorizationManager> authorizationManager = this.spring.getContext() .getBean(AuthorizationManager.class); given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(authorizationManager.authorize(any(), any())).willCallRealMethod(); Message message = message("/any"); assertThatExceptionOfType(Exception.class).isThrownBy(send(message)) .withCauseInstanceOf(AccessDeniedException.class); 
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
index cb0ba782cb..758abce2c7 100644
--- a/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,8 +50,23 @@ public interface AuthorizationManager {
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
 	 * @param object the {@link T} object to check
 	 * @return an {@link AuthorizationDecision} or null if no decision could be made
+	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
 	 */
 	@Nullable
+	@Deprecated
 	AuthorizationDecision check(Supplier authentication, T object);
 
+	/**
+	 * Determines if access is granted for a specific authentication and object.
+	 * @param authentication the {@link Supplier} of the {@link Authentication} to
+	 * authorize
+	 * @param object the {@link T} object to authorize
+	 * @return an {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	@Nullable
+	default AuthorizationResult authorize(Supplier authentication, T object) {
+		return check(authentication, object);
+	}
+
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
index 8e5692213c..8374bd6e34 100644
--- a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
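Review bot: The Javadoc on the new `authorize` default says `@return an {@link AuthorizationResult}` although the method is annotated `@Nullable`; mirror the wording on `check`, `@return an {@link AuthorizationResult} or null if no decision could be made`, so callers know they must handle the abstain case. Because the default simply delegates to `check`, an implementation that overrides `authorize` must still implement `check`, and any code that keeps invoking `check` directly will not see the override — a sentence in the Javadoc telling implementers to keep the two consistent would prevent a split-brain authorization path. The deprecation could also carry the version, `@Deprecated(since = "6.4")`, to match the `@since 6.4` on its replacement.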
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,6 +35,8 @@ public class AuthorizationObservationContext extends Observation.Context { private AuthorizationDecision decision; + private AuthorizationResult authorizationResult; + public AuthorizationObservationContext(T object) { Assert.notNull(object, "object cannot be null"); this.object = object; 
@@ -71,17 +73,43 @@ public class AuthorizationObservationContext extends Observation.Context {
 	/**
 	 * Get the observed {@link AuthorizationDecision}
 	 * @return the observed {@link AuthorizationDecision}
+	 * @deprecated please use {@link #getAuthorizationResult()} instead
 	 */
+	@Deprecated
 	public AuthorizationDecision getDecision() {
-		return this.decision;
+		Assert.isInstanceOf(AuthorizationDecision.class, this.authorizationResult,
+				"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
+		return (AuthorizationDecision) this.authorizationResult;
 	}
 
 	/**
 	 * Set the observed {@link AuthorizationDecision}
 	 * @param decision the observed {@link AuthorizationDecision}
+	 * @deprecated please use {@link #setAuthorizationResult(AuthorizationResult)} instead
 	 */
+	@Deprecated
 	public void setDecision(AuthorizationDecision decision) {
+		Assert.isInstanceOf(AuthorizationDecision.class, decision,
+				"Please call setAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
 		this.decision = decision;
 	}
 
+	/**
+	 * Get the observed {@link AuthorizationResult}
+	 * @return the observed {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	public AuthorizationResult getAuthorizationResult() {
+		return this.authorizationResult;
+	}
+
+	/**
+	 * Set the observed {@link AuthorizationResult}
+	 * @param authorizationResult the observed {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	public void setAuthorizationResult(AuthorizationResult authorizationResult) {
+		this.authorizationResult = authorizationResult;
+	}
+
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java
index 1fb819cd49..9797c1c800 100644
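Review bot: `setDecision` still writes `this.decision`, but `getDecision()` and `getAuthorizationResult()` now read `this.authorizationResult`, so a caller using the deprecated setter gets `null` from `getAuthorizationResult()` and an `IllegalArgumentException` from `getDecision()` (the `isInstanceOf` assert rejects `null`); the body should be `this.authorizationResult = decision;`, after which the `decision` field is dead and can be removed. For an observability hook this matters: a decision recorded through the old setter would be reported as absent rather than as the actual grant or deny. The `Assert.isInstanceOf(AuthorizationDecision.class, decision, ...)` in `setDecision` only rejects `null` since the parameter is already typed `AuthorizationDecision`, and its message tells the caller to check `getDecision` rather than `setDecision`.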
--- a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -100,10 +100,10 @@ public final class AuthorizationObservationConvention
 	}
 
 	private String getAuthorizationDecision(AuthorizationObservationContext context) {
-		if (context.getDecision() == null) {
+		if (context.getAuthorizationResult() == null) {
 			return "unknown";
 		}
-		return String.valueOf(context.getDecision().isGranted());
+		return String.valueOf(context.getAuthorizationResult().isGranted());
 	}
 
 	private String getAuthorities(AuthorizationObservationContext context) {
@@ -114,10 +114,10 @@ public final class AuthorizationObservationConvention
 	}
 
 	private String getDecisionDetails(AuthorizationObservationContext context) {
-		if (context.getDecision() == null) {
+		if (context.getAuthorizationResult() == null) {
 			return "unknown";
 		}
-		AuthorizationDecision decision = context.getDecision();
+		AuthorizationResult decision = context.getAuthorizationResult();
 		return String.valueOf(decision);
 	}
 
diff --git a/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
index 00deb1c035..3ee6a1f0e8 100644
--- a/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
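Review bot: `getDecisionDetails` now feeds `String.valueOf(decision)` on an arbitrary `AuthorizationResult` implementation into an observation key value; with the type widened from the concrete `AuthorizationDecision` to an interface, the tag is whatever a third-party `toString()` returns, which can be unbounded in cardinality or carry details (expression text, principal data) that should not land in metrics or traces. Worth a comment at the call site, `// tag value is the result's toString(); custom AuthorizationResult implementations should keep it short and free of sensitive data`, or a length cap. `getAuthorizationDecision` is fine as it only emits the boolean.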
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@ public final class ObservationAuthorizationManager
 		Observation observation = Observation.createNotStarted(this.convention, () -> context, this.registry).start();
 		try (Observation.Scope scope = observation.openScope()) {
 			AuthorizationDecision decision = this.delegate.check(wrapped, object);
-			context.setDecision(decision);
+			context.setAuthorizationResult(decision);
 			if (decision != null && !decision.isGranted()) {
 				observation.error(new AccessDeniedException(
 						this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access Denied")));
diff --git a/core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
index d6e7a2b2c6..75e395f227 100644
--- a/core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
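Review bot: `ObservationAuthorizationManager.check` still calls `this.delegate.check(wrapped, object)`, so when the method interceptors in this patch call `authorize` on the wrapper, the interface default falls back to this `check`, and a delegate that overrides `authorize` (the new contract) is never consulted — its deprecated `check` is. If any delegate relies on overriding `authorize`, wrapping it for observation silently changes which authorization logic runs. The wrapper should override `authorize` itself, call `this.delegate.authorize`, and record the `AuthorizationResult`; `check` begins before this hunk and its error/stop handling is outside it, so the sketch below shows only the changed core.

```java
	@Override
	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
		// … unchanged: context, wrapped supplier and Observation setup as in check() …
		try (Observation.Scope scope = observation.openScope()) {
			AuthorizationResult result = this.delegate.authorize(wrapped, object);
			context.setAuthorizationResult(result);
			if (result != null && !result.isGranted()) {
				observation.error(new AccessDeniedException(
						this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access Denied")));
			}
			return result;
		}
		// … unchanged: error/stop handling as in check() …
	}
```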
@@ -68,7 +68,7 @@ public final class ObservationReactiveAuthorizationManager
 				.parentObservation(contextView.getOrDefault(ObservationThreadLocalAccessor.KEY, null))
 				.start();
 			return this.delegate.check(wrapped, object).doOnSuccess((decision) -> {
-				context.setDecision(decision);
+				context.setAuthorizationResult(decision);
 				if (decision == null || !decision.isGranted()) {
 					observation.error(new AccessDeniedException("Access Denied"));
 				}
diff --git a/core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java
index 97a7c3489b..05662737d1 100644
--- a/core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,9 @@ public interface ReactiveAuthorizationManager {
 	 * @param authentication the Authentication to check
 	 * @param object the object to check
 	 * @return an decision or empty Mono if no decision could be made.
+	 * @deprecated please use {@link #authorize(Mono, Object)} instead
 	 */
+	@Deprecated
 	Mono check(Mono authentication, T object);
 
 	/**
@@ -55,4 +57,15 @@ public interface ReactiveAuthorizationManager {
 		// @formatter:on
 	}
 
+	/**
+	 * Determines if access is granted for a specific authentication and object.
+	 * @param authentication the Authentication to authorize
+	 * @param object the object to check
+	 * @return an decision or empty Mono if no decision could be made.
+	 * @since 6.4
+	 */
+	default Mono authorize(Mono authentication, T object) {
+		return check(authentication, object).cast(AuthorizationResult.class);
+	}
+
 }
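Review bot: `ObservationReactiveAuthorizationManager.check` still subscribes to `this.delegate.check(wrapped, object)`; the reactive interceptors in this patch now call `authorize`, which on this wrapper is the interface default `check(...).cast(...)`, so a delegate that overrides `authorize` is bypassed whenever it is wrapped for observation. Mirror the imperative wrapper by overriding `authorize` here and delegating to `this.delegate.authorize`, recording the result with `setAuthorizationResult`. The enclosing method starts before this hunk; only the changed core is sketched.

```java
	@Override
	public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
		// … unchanged: context, wrapped authentication and Observation setup as in check() …
		return this.delegate.authorize(wrapped, object).doOnSuccess((result) -> {
			context.setAuthorizationResult(result);
			if (result == null || !result.isGranted()) {
				observation.error(new AccessDeniedException("Access Denied"));
			}
			// … unchanged: remaining success/error/cancel handling as in check() …
		});
	}
```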
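Review bot: The Javadoc copied onto the new `ReactiveAuthorizationManager.authorize` default repeats the `an decision` typo from `check` and still describes `object` as `the object to check` although the method is named authorize; suggest `@return a decision or an empty Mono if no decision could be made.` and `@param object the object to authorize`. The `@Deprecated` on `check` could carry `since = "6.4"` to match the `@since 6.4` on its replacement. The default's `.cast(AuthorizationResult.class)` is an upcast from the decision type and cannot fail at runtime, so the fallback itself is safe.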
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java index 0be0d776c6..fdd8a039c7 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java @@ -29,10 +29,10 @@ import org.springframework.core.log.LogMessage; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.prepost.PostAuthorize; import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDeniedException; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; 
@@ -182,7 +182,7 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
 	private Object attemptAuthorization(MethodInvocation mi, Object result) {
 		this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
 		MethodInvocationResult object = new MethodInvocationResult(mi, result);
-		AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, object);
+		AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object);
 		this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision);
 		if (decision != null && !decision.isGranted()) {
 			this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
@@ -193,7 +193,7 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
 		return result;
 	}
 
-	private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationDecision decision) {
+	private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult decision) {
 		if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) {
 			return deniedHandler.handleDeniedInvocationResult(mi, decision);
 		}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java
index fa53945a69..8ac5a70661 100644
--- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java
+++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java
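Review bot: `attemptAuthorization` treats a `null` result from `authorize` as granted — the `decision != null && !decision.isGranted()` guard is skipped and control reaches the `return result;` visible at the start of the next hunk — whereas the reactive interceptors in this patch map an empty result to `new AuthorizationDecision(false)`. That fail-open behaviour is pre-existing, but now that `authorize` is the documented entry point and is `@Nullable`, a why-comment above the guard would make the asymmetry deliberate rather than surprising, e.g. `// null = manager abstained; treated as granted here (the reactive interceptors deny on empty)`. The lines between the two hunks are outside view, so I cannot confirm no other branch handles `null`.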
@@ -164,7 +164,7 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 
 	private Mono postAuthorize(Mono authentication, MethodInvocation mi, Object result) {
 		MethodInvocationResult invocationResult = new MethodInvocationResult(mi, result);
-		return this.authorizationManager.check(authentication, invocationResult)
+		return this.authorizationManager.authorize(authentication, invocationResult)
 			.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
 			.flatMap((decision) -> postProcess(decision, invocationResult));
 	}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
index 421b55dad7..689938ffaa 100644
--- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
+++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
@@ -33,7 +33,6 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -247,9 +246,9 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
 
 	private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
 		this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
-		AuthorizationDecision decision;
+		AuthorizationResult decision;
 		try {
-			decision = this.authorizationManager.check(this::getAuthentication, mi);
+			decision = this.authorizationManager.authorize(this::getAuthentication, mi);
 		}
 		catch (AuthorizationDeniedException denied) {
 			return handle(mi, denied);
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java
index ce9f94ae71..50e1883e72 100644
--- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java
+++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java
@@ -140,7 +140,7 @@ public final class AuthorizationManagerBeforeReactiveMethodInterceptor implement
 
 	private Flux preAuthorized(MethodInvocation mi, Flux mapping) {
 		Mono authentication = ReactiveAuthenticationUtils.getAuthentication();
-		return this.authorizationManager.check(authentication, mi)
+		return this.authorizationManager.authorize(authentication, mi)
 			.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
 			.flatMapMany((decision) -> {
 				if (decision.isGranted()) {
@@ -153,7 +153,7 @@ public final class AuthorizationManagerBeforeReactiveMethodInterceptor implement private Mono preAuthorized(MethodInvocation mi, Mono mapping) { Mono authentication = ReactiveAuthenticationUtils.getAuthentication(); - return this.authorizationManager.check(authentication, mi) + return this.authorizationManager.authorize(authentication, mi) .switchIfEmpty(Mono.just(new AuthorizationDecision(false))) .flatMap((decision) -> { if (decision.isGranted()) { diff --git a/core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java b/core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java index fff9b0255e..298fbd8dc2 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java +++ b/core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java @@ -39,6 +39,7 @@ final class NoOpAuthorizationEventPublisher implements AuthorizationEventPublish @Override public void publishAuthorizationEvent(Supplier authentication, T object, AuthorizationResult result) { + } } diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java index 950911ffc5..d59b550f19 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java 
@@ -74,6 +74,7 @@ public class AuthorizationManagerAfterMethodInterceptorTests { MethodInvocationResult result = new MethodInvocationResult(mockMethodInvocation, new Object()); given(mockMethodInvocation.proceed()).willReturn(result.getResult()); AuthorizationManager mockAuthorizationManager = mock(AuthorizationManager.class); + given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor( Pointcut.TRUE, mockAuthorizationManager); Object returnedObject = advice.invoke(mockMethodInvocation); @@ -152,6 +153,7 @@ public class AuthorizationManagerAfterMethodInterceptorTests { AuthorizationManager manager = mock(AuthorizationManager.class); given(manager.check(any(), any())) .willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false))); + given(manager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor( Pointcut.TRUE, manager); assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(mi)); diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java index b18fb4fee6..218d63bfb4 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java 
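Review bot: Every mocked `AuthorizationManager` now needs `given(manager.authorize(any(), any())).willCallRealMethod()`; a plain Mockito mock otherwise returns `null` from the default `authorize`, and the imperative interceptors treat `null` as granted, so a test that forgets the stub can still pass without ever reaching `check`. In the first hunk `check` is not stubbed at all, so `authorize` → `check` yields `null` and the granted-invocation assertion passes through that same null-means-allow path rather than through an explicit decision. Consider stubbing `check` to return `new AuthorizationDecision(true)` there, and a small test helper that builds the mock with `authorize` already delegating, so the intent is explicit and the stub cannot be forgotten.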
@@ -72,6 +72,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), any())) .willReturn(Mono.just(new AuthorizationDecision(true))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -90,6 +91,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), any())) .willReturn(Mono.just(new AuthorizationDecision(true))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -109,6 +111,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), any())) .willReturn(Mono.just(new AuthorizationDecision(false))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); 
@@ -130,6 +133,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class))) .willAnswer(this::masking); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -156,6 +160,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { return Mono.just(argument.getResult()); }); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -176,6 +181,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class))) .willAnswer(this::masking); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); 
@@ -195,6 +201,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class))) .willAnswer(this::monoMasking); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -214,6 +221,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class))) .willReturn(null); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -231,6 +239,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { ReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); 
@@ -249,6 +258,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests { ReactiveAuthorizationManager manager = mock(ReactiveAuthorizationManager.class); given(manager.check(any(), any())) .willReturn(Mono.error(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)))); + given(manager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerAfterReactiveMethodInterceptor advice = new AuthorizationManagerAfterReactiveMethodInterceptor( Pointcut.TRUE, manager); assertThatExceptionOfType(MyAuthzDeniedException.class) diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java index 5f6d5fc70b..eb0d1207b4 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java @@ -70,6 +70,7 @@ public class AuthorizationManagerBeforeMethodInterceptorTests { public void beforeWhenMockAuthorizationManagerThenCheck() throws Throwable { MethodInvocation mockMethodInvocation = mock(MethodInvocation.class); AuthorizationManager mockAuthorizationManager = mock(AuthorizationManager.class); + given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor( Pointcut.TRUE, mockAuthorizationManager); advice.invoke(mockMethodInvocation); 
@@ -143,6 +144,7 @@ public class AuthorizationManagerBeforeMethodInterceptorTests { AuthorizationManager manager = mock(AuthorizationManager.class); given(manager.check(any(), any())) .willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false))); + given(manager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor( Pointcut.TRUE, manager); assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(null)); diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java index 400992eec6..468e1bb3e5 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java @@ -72,6 +72,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))) .willReturn(Mono.just(new AuthorizationDecision(true))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); 
@@ -90,6 +91,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))) .willReturn(Mono.just(new AuthorizationDecision((true)))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -109,6 +111,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))) .willReturn(Mono.just(new AuthorizationDecision(false))); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -127,6 +130,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( HandlingReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class))) .willReturn("***"); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( 
@@ -146,6 +150,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( HandlingReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class))) .willReturn(Mono.just("***")); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( @@ -165,6 +170,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( HandlingReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class))) .willReturn(Mono.just("***")); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( @@ -185,6 +191,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); 
@@ -203,6 +210,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager mockReactiveAuthorizationManager = mock( ReactiveAuthorizationManager.class); given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); + given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, mockReactiveAuthorizationManager); Object result = interceptor.invoke(mockMethodInvocation); @@ -220,6 +228,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { ReactiveAuthorizationManager manager = mock(ReactiveAuthorizationManager.class); given(manager.check(any(), any())) .willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false))); + given(manager.authorize(any(), any())).willCallRealMethod(); AuthorizationManagerBeforeReactiveMethodInterceptor advice = new AuthorizationManagerBeforeReactiveMethodInterceptor( Pointcut.TRUE, manager); assertThatExceptionOfType(MyAuthzDeniedException.class) diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java index 2af2b1cc56..91f68118f5 100644 --- a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java +++ b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java 
@@ -67,7 +67,7 @@ public final class AuthorizationChannelInterceptor implements ChannelInterceptor @Override public Message preSend(Message message, MessageChannel channel) { this.logger.debug(LogMessage.of(() -> "Authorizing message send")); - AuthorizationDecision decision = this.preSendAuthorizationManager.check(this.authentication, message); + AuthorizationResult decision = this.preSendAuthorizationManager.authorize(this.authentication, message); this.eventPublisher.publishAuthorizationEvent(this.authentication, message, decision); if (decision == null || !decision.isGranted()) { // default deny this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager " diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java index f31c9065a0..debb21b762 100644 --- a/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java +++ b/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java 
@@ -84,12 +84,14 @@ public class AuthorizationChannelInterceptorTests { @Test public void preSendWhenAllowThenSameMessage() { given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); assertThat(this.interceptor.preSend(this.message, this.channel)).isSameAs(this.message); } @Test public void preSendWhenDenyThenException() { given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); assertThatExceptionOfType(AccessDeniedException.class) .isThrownBy(() -> this.interceptor.preSend(this.message, this.channel)); } @@ -104,6 +106,7 @@ public class AuthorizationChannelInterceptorTests { public void preSendWhenAuthorizationEventPublisherThenPublishes() { this.interceptor.setAuthorizationEventPublisher(this.eventPublisher); given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); lenient().doCallRealMethod() .when(this.eventPublisher) .publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class)); diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java index e36a54fda6..d60f0e1965 100644 --- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,8 +19,8 @@ package org.springframework.security.web.access; import jakarta.servlet.ServletContext; import jakarta.servlet.http.HttpServletRequest; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.FilterInvocation; import org.springframework.util.Assert; @@ -57,7 +57,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); - AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, httpRequest); + AuthorizationResult decision = this.authorizationManager.authorize(() -> authentication, httpRequest); return decision == null || decision.isGranted(); } diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java index cfc2f00140..3e8f628198 100644 --- a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java +++ b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java 
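Review bot: In the `isAllowed` hunk, a null result from `authorize()` is still reported as allowed (`return decision == null || decision.isGranted();`), which is the opposite of the default-deny handling the same patch keeps in AuthorizationChannelInterceptor, and nothing on that line says the lenient reading is intended. Judging by its name this evaluator is a privilege query rather than an enforcement point, so treating abstain as allowed is presumably deliberate and it does match AuthorizationFilter, but a comment such as `// null = the manager abstained; abstain is treated as allowed, consistent with AuthorizationFilter` would stop the widening to AuthorizationResult from being mistaken for a behavior change. The copyright and import hunks in this section are trivial.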
@@ -93,7 +93,7 @@ public class AuthorizationFilter extends GenericFilterBean { String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName(); request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE); try { - AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request); + AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, request); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision); if (decision != null && !decision.isGranted()) { throw new AuthorizationDeniedException("Access Denied", decision); diff --git a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java index c5cb7669c1..afb5ad9e97 100644 --- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java +++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -61,6 +61,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { @Test void isAllowedWhenAuthorizationManagerAllowsThenAllowedTrue() { given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isTrue(); verify(this.authorizationManager).check(any(), any()); 
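Review bot: The deny check `if (decision != null && !decision.isGranted())` still lets an abstaining manager (null result) fall through to the filter chain, and that fall-through is not documented on the line even though the messaging interceptor in this patch denies on null. A one-line comment would make the asymmetry explicit: `// null means the manager abstained; only an explicit denial is enforced here`. It is also worth a short comment on the throw line that the `AuthorizationResult` is now attached to the `AuthorizationDeniedException`, since that is the observable effect of the change. The enclosing `doFilter` method starts and ends outside this hunk.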
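Review bot: In `isAllowedWhenAuthorizationManagerAllowsThenAllowedTrue` the test still stubs and verifies the deprecated `check` (`verify(this.authorizationManager).check(any(), any());`) while the production code now calls `authorize`, so the assertion passes only because the added `willCallRealMethod()` routes the mock's default `authorize` through `check`. That couples the test to the default-method delegation rather than to the evaluator under test; consider `given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));` and `verify(this.authorizationManager).authorize(any(), any());` instead, keeping a single dedicated test for the `check`-to-`authorize` delegation if that is what the delegation stubs are meant to cover. The copyright hunk in this section is trivial.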
@@ -69,6 +70,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { @Test void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() { given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isFalse(); } @@ -76,6 +78,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { @Test void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() { given(this.authorizationManager.check(any(), any())).willReturn(null); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isTrue(); } @@ -83,6 +86,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { @Test void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() { ServletContext servletContext = new MockServletContext(); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.privilegeEvaluator.setServletContext(servletContext); this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); ArgumentCaptor captor = ArgumentCaptor.forClass(HttpServletRequest.class); @@ -99,6 +103,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests { void isAllowedWhenRequestTransformerThenUsesRequestTransformerResult() { HttpServletRequest request = new MockHttpServletRequest(); given(this.requestTransformer.transform(any())).willReturn(request); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.privilegeEvaluator.setRequestTransformer(this.requestTransformer); this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); 
diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java index 28f0a75f7f..ba4825d784 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java @@ -93,6 +93,7 @@ public class AuthorizationFilterTests { @Test public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Exception { AuthorizationManager mockAuthorizationManager = mock(AuthorizationManager.class); + given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod(); given(mockAuthorizationManager.check(any(Supplier.class), any(HttpServletRequest.class))) .willReturn(new AuthorizationDecision(true)); AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager); @@ -120,6 +121,7 @@ public class AuthorizationFilterTests { @Test public void filterWhenAuthorizationManagerVerifyThrowsAccessDeniedExceptionThenStopFilterChain() { AuthorizationManager mockAuthorizationManager = mock(AuthorizationManager.class); + given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager); TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password"); @@ -198,6 +200,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenErrorThenDoFilter() throws Exception { AuthorizationManager authorizationManager = mock(AuthorizationManager.class); + given(authorizationManager.authorize(any(), any())).willCallRealMethod(); AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager); MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path"); mockRequest.setDispatcherType(DispatcherType.ERROR); 
@@ -234,6 +237,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException { + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.filter.setObserveOncePerRequest(true); this.filter.doFilter(this.request, this.response, this.chain); verify(this.authorizationManager).check(any(), any()); @@ -242,6 +246,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() throws ServletException, IOException { setIsAppliedTrue(); + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.filter.setObserveOncePerRequest(false); this.filter.doFilter(this.request, this.response, this.chain); verify(this.authorizationManager).check(any(), any()); @@ -249,6 +254,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException { + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.filter.setObserveOncePerRequest(false); this.filter.doFilter(this.request, this.response, this.chain); verify(this.authorizationManager).check(any(), any()); @@ -264,6 +270,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws ServletException, IOException { + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.request.setDispatcherType(DispatcherType.ERROR); this.filter.setFilterErrorDispatch(true); this.filter.doFilter(this.request, this.response, this.chain); 
@@ -287,6 +294,7 @@ public class AuthorizationFilterTests { @Test public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws ServletException, IOException { + given(this.authorizationManager.authorize(any(), any())).willCallRealMethod(); this.request.setDispatcherType(DispatcherType.ASYNC); this.filter.setFilterAsyncDispatch(true); this.filter.doFilter(this.request, this.response, this.chain);