Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 17:22:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.0.x' into 6.1.x

Browse Source 
Closes gh-14111
This commit is contained in:
Josh Cummings 2023-11-07 13:09:20 -07:00
commit f295e9d28f
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
8 changed files with 131 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -51,8 +51,7 @@ import org.springframework.util.Assert;
public final class AuthorizationManagerAfterMethodInterceptor public final class AuthorizationManagerAfterMethodInterceptor
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
private Supplier<Authentication> authentication = getAuthentication( private Supplier<SecurityContextHolderStrategy> securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy;
SecurityContextHolder.getContextHolderStrategy());
private final Log logger = LogFactory.getLog(this.getClass()); private final Log logger = LogFactory.getLog(this.getClass());
@ -170,14 +169,14 @@ public final class AuthorizationManagerAfterMethodInterceptor
* @since 5.8 * @since 5.8
*/ */
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) { public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
this.authentication = getAuthentication(strategy); this.securityContextHolderStrategy = () -> strategy;
} }
private void attemptAuthorization(MethodInvocation mi, Object result) { private void attemptAuthorization(MethodInvocation mi, Object result) {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
MethodInvocationResult object = new MethodInvocationResult(mi, result); MethodInvocationResult object = new MethodInvocationResult(mi, result);
AuthorizationDecision decision = this.authorizationManager.check(this.authentication, object); AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, object);
this.eventPublisher.publishAuthorizationEvent(this.authentication, object, decision); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision);
if (decision != null && !decision.isGranted()) { if (decision != null && !decision.isGranted()) {
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
+ this.authorizationManager + " and decision " + decision)); + this.authorizationManager + " and decision " + decision));
@ -186,15 +185,13 @@ public final class AuthorizationManagerAfterMethodInterceptor
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
} }
private Supplier<Authentication> getAuthentication(SecurityContextHolderStrategy strategy) { private Authentication getAuthentication() {
return () -> { Authentication authentication = this.securityContextHolderStrategy.get().getContext().getAuthentication();
Authentication authentication = strategy.getContext().getAuthentication(); if (authentication == null) {
if (authentication == null) { throw new AuthenticationCredentialsNotFoundException(
throw new AuthenticationCredentialsNotFoundException( "An Authentication object was not found in the SecurityContext");
"An Authentication object was not found in the SecurityContext"); }
} return authentication;
return authentication;
};
} }
private static <T> void noPublish(Supplier<Authentication> authentication, T object, private static <T> void noPublish(Supplier<Authentication> authentication, T object,

27
core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -55,8 +55,7 @@ import org.springframework.util.Assert;
public final class AuthorizationManagerBeforeMethodInterceptor public final class AuthorizationManagerBeforeMethodInterceptor
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
private Supplier<Authentication> authentication = getAuthentication( private Supplier<SecurityContextHolderStrategy> securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy;
SecurityContextHolder.getContextHolderStrategy());
private final Log logger = LogFactory.getLog(this.getClass()); private final Log logger = LogFactory.getLog(this.getClass());
@ -244,13 +243,13 @@ public final class AuthorizationManagerBeforeMethodInterceptor
* @since 5.8 * @since 5.8
*/ */
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) { public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
this.authentication = getAuthentication(securityContextHolderStrategy); this.securityContextHolderStrategy = () -> securityContextHolderStrategy;
} }
private void attemptAuthorization(MethodInvocation mi) { private void attemptAuthorization(MethodInvocation mi) {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
AuthorizationDecision decision = this.authorizationManager.check(this.authentication, mi); AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, mi);
this.eventPublisher.publishAuthorizationEvent(this.authentication, mi, decision); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, decision);
if (decision != null && !decision.isGranted()) { if (decision != null && !decision.isGranted()) {
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
+ this.authorizationManager + " and decision " + decision)); + this.authorizationManager + " and decision " + decision));
@ -259,15 +258,13 @@ public final class AuthorizationManagerBeforeMethodInterceptor
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
} }
private Supplier<Authentication> getAuthentication(SecurityContextHolderStrategy strategy) { private Authentication getAuthentication() {
return () -> { Authentication authentication = this.securityContextHolderStrategy.get().getContext().getAuthentication();
Authentication authentication = strategy.getContext().getAuthentication(); if (authentication == null) {
if (authentication == null) { throw new AuthenticationCredentialsNotFoundException(
throw new AuthenticationCredentialsNotFoundException( "An Authentication object was not found in the SecurityContext");
"An Authentication object was not found in the SecurityContext"); }
} return authentication;
return authentication;
};
} }
private static <T> void noPublish(Supplier<Authentication> authentication, T object, private static <T> void noPublish(Supplier<Authentication> authentication, T object,

25
core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -46,8 +46,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy;
public final class PostFilterAuthorizationMethodInterceptor public final class PostFilterAuthorizationMethodInterceptor
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
private Supplier<Authentication> authentication = getAuthentication( private Supplier<SecurityContextHolderStrategy> securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy;
SecurityContextHolder.getContextHolderStrategy());
private PostFilterExpressionAttributeRegistry registry = new PostFilterExpressionAttributeRegistry(); private PostFilterExpressionAttributeRegistry registry = new PostFilterExpressionAttributeRegistry();
@ -108,7 +107,7 @@ public final class PostFilterAuthorizationMethodInterceptor
* @since 5.8 * @since 5.8
*/ */
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) { public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
this.authentication = getAuthentication(strategy); this.securityContextHolderStrategy = () -> strategy;
} }
/** /**
@ -125,19 +124,17 @@ public final class PostFilterAuthorizationMethodInterceptor
return returnedObject; return returnedObject;
} }
MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler(); MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();
EvaluationContext ctx = expressionHandler.createEvaluationContext(this.authentication, mi); EvaluationContext ctx = expressionHandler.createEvaluationContext(this::getAuthentication, mi);
return expressionHandler.filter(returnedObject, attribute.getExpression(), ctx); return expressionHandler.filter(returnedObject, attribute.getExpression(), ctx);
} }
private Supplier<Authentication> getAuthentication(SecurityContextHolderStrategy strategy) { private Authentication getAuthentication() {
return () -> { Authentication authentication = this.securityContextHolderStrategy.get().getContext().getAuthentication();
Authentication authentication = strategy.getContext().getAuthentication(); if (authentication == null) {
if (authentication == null) { throw new AuthenticationCredentialsNotFoundException(
throw new AuthenticationCredentialsNotFoundException( "An Authentication object was not found in the SecurityContext");
"An Authentication object was not found in the SecurityContext"); }
} return authentication;
return authentication;
};
} }
} }

25
core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -47,8 +47,7 @@ import org.springframework.util.StringUtils;
public final class PreFilterAuthorizationMethodInterceptor public final class PreFilterAuthorizationMethodInterceptor
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
private Supplier<Authentication> authentication = getAuthentication( private Supplier<SecurityContextHolderStrategy> securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy;
SecurityContextHolder.getContextHolderStrategy());
private PreFilterExpressionAttributeRegistry registry = new PreFilterExpressionAttributeRegistry(); private PreFilterExpressionAttributeRegistry registry = new PreFilterExpressionAttributeRegistry();
@ -109,7 +108,7 @@ public final class PreFilterAuthorizationMethodInterceptor
* @since 5.8 * @since 5.8
*/ */
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) { public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
this.authentication = getAuthentication(strategy); this.securityContextHolderStrategy = () -> strategy;
} }
/** /**
@ -124,7 +123,7 @@ public final class PreFilterAuthorizationMethodInterceptor
return mi.proceed(); return mi.proceed();
} }
MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler(); MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();
EvaluationContext ctx = expressionHandler.createEvaluationContext(this.authentication, mi); EvaluationContext ctx = expressionHandler.createEvaluationContext(this::getAuthentication, mi);
Object filterTarget = findFilterTarget(attribute.getFilterTarget(), ctx, mi); Object filterTarget = findFilterTarget(attribute.getFilterTarget(), ctx, mi);
expressionHandler.filter(filterTarget, attribute.getExpression(), ctx); expressionHandler.filter(filterTarget, attribute.getExpression(), ctx);
return mi.proceed(); return mi.proceed();
@ -150,15 +149,13 @@ public final class PreFilterAuthorizationMethodInterceptor
return filterTarget; return filterTarget;
} }
private Supplier<Authentication> getAuthentication(SecurityContextHolderStrategy strategy) { private Authentication getAuthentication() {
return () -> { Authentication authentication = this.securityContextHolderStrategy.get().getContext().getAuthentication();
Authentication authentication = strategy.getContext().getAuthentication(); if (authentication == null) {
if (authentication == null) { throw new AuthenticationCredentialsNotFoundException(
throw new AuthenticationCredentialsNotFoundException( "An Authentication object was not found in the SecurityContext");
"An Authentication object was not found in the SecurityContext"); }
} return authentication;
return authentication;
};
} }
} }

22
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -29,6 +29,7 @@ import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
@ -91,6 +92,25 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
verify(strategy).getContext(); verify(strategy).getContext();
} }
// gh-12877
@Test
public void afterWhenStaticSecurityContextHolderStrategyAfterConstructorThenUses() throws Throwable {
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
Authentication authentication = new TestingAuthenticationToken("john", "password",
AuthorityUtils.createAuthorityList("authority"));
given(strategy.getContext()).willReturn(new SecurityContextImpl(authentication));
MethodInvocation invocation = mock(MethodInvocation.class);
AuthorizationManager<MethodInvocationResult> authorizationManager = AuthenticatedAuthorizationManager
.authenticated();
AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
Pointcut.TRUE, authorizationManager);
SecurityContextHolderStrategy saved = SecurityContextHolder.getContextHolderStrategy();
SecurityContextHolder.setContextHolderStrategy(strategy);
advice.invoke(invocation);
verify(strategy).getContext();
SecurityContextHolder.setContextHolderStrategy(saved);
}
@Test @Test
public void configureWhenAuthorizationEventPublisherIsNullThenIllegalArgument() { public void configureWhenAuthorizationEventPublisherIsNullThenIllegalArgument() {
AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor( AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(

20
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -87,6 +87,24 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
verify(strategy).getContext(); verify(strategy).getContext();
} }
// gh-12877
@Test
public void beforeWhenStaticSecurityContextHolderStrategyAfterConstructorThenUses() throws Throwable {
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
Authentication authentication = new TestingAuthenticationToken("john", "password",
AuthorityUtils.createAuthorityList("authority"));
given(strategy.getContext()).willReturn(new SecurityContextImpl(authentication));
MethodInvocation invocation = mock(MethodInvocation.class);
AuthorizationManager<MethodInvocation> authorizationManager = AuthenticatedAuthorizationManager.authenticated();
AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
Pointcut.TRUE, authorizationManager);
SecurityContextHolderStrategy saved = SecurityContextHolder.getContextHolderStrategy();
SecurityContextHolder.setContextHolderStrategy(strategy);
advice.invoke(invocation);
verify(strategy).getContext();
SecurityContextHolder.setContextHolderStrategy(saved);
}
@Test @Test
public void configureWhenAuthorizationEventPublisherIsNullThenIllegalArgument() { public void configureWhenAuthorizationEventPublisherIsNullThenIllegalArgument() {
AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor( AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(

25
core/src/test/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -147,6 +147,29 @@ public class PostFilterAuthorizationMethodInterceptorTests {
verify(strategy).getContext(); verify(strategy).getContext();
} }
// gh-12877
@Test
public void postFilterWhenStaticSecurityContextHolderStrategyAfterConstructorThenUses() throws Throwable {
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
Authentication authentication = new TestingAuthenticationToken("john", "password",
AuthorityUtils.createAuthorityList("authority"));
given(strategy.getContext()).willReturn(new SecurityContextImpl(authentication));
String[] array = { "john", "bob" };
MockMethodInvocation invocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingArrayAuthentication", new Class[] { String[].class }, new Object[] { array }) {
@Override
public Object proceed() {
return array;
}
};
PostFilterAuthorizationMethodInterceptor advice = new PostFilterAuthorizationMethodInterceptor();
SecurityContextHolderStrategy saved = SecurityContextHolder.getContextHolderStrategy();
SecurityContextHolder.setContextHolderStrategy(strategy);
advice.invoke(invocation);
verify(strategy).getContext();
SecurityContextHolder.setContextHolderStrategy(saved);
}
@PostFilter("filterObject == 'john'") @PostFilter("filterObject == 'john'")
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {

22
core/src/test/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -204,6 +204,26 @@ public class PreFilterAuthorizationMethodInterceptorTests {
verify(strategy).getContext(); verify(strategy).getContext();
} }
// gh-12877
@Test
public void preFilterWhenStaticSecurityContextHolderStrategyAfterConstructorThenUses() throws Throwable {
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
Authentication authentication = new TestingAuthenticationToken("john", "password",
AuthorityUtils.createAuthorityList("authority"));
given(strategy.getContext()).willReturn(new SecurityContextImpl(authentication));
List<String> list = new ArrayList<>();
list.add("john");
list.add("bob");
MockMethodInvocation invocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingArrayFilterAuthentication", new Class[] { List.class }, new Object[] { list });
PreFilterAuthorizationMethodInterceptor advice = new PreFilterAuthorizationMethodInterceptor();
SecurityContextHolderStrategy saved = SecurityContextHolder.getContextHolderStrategy();
SecurityContextHolder.setContextHolderStrategy(strategy);
advice.invoke(invocation);
verify(strategy).getContext();
SecurityContextHolder.setContextHolderStrategy(saved);
}
@PreFilter("filterObject == 'john'") @PreFilter("filterObject == 'john'")
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {