
Commit 4d5397f

Polish AuthorizationManager Method Security
- Removed consolidated pointcut advisor in favor of each interceptor being an advisor. This allows Spring AOP to do more of the heavy lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate annotations
- Separated into three @Configuration classes, one for each set of authorization annotations

Issue gh-9289
1 parent 94e049d commit 4d5397f


72 files changed

+4510
-2342
lines changed


72 files changed

+4510
-2342
lines changed

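--- a/config/src/main/java/org/springframework/security/config/Elements.java
+++ b/config/src/main/java/org/springframework/security/config/Elements.java
@@ -87,6 +87,8 @@ public abstract class Elements {
 
 public static final String GLOBAL_METHOD_SECURITY = "global-method-security";
 
+public static final String METHOD_SECURITY = "method-security";
+
 public static final String PASSWORD_ENCODER = "password-encoder";
 
 public static final String PORT_MAPPINGS = "port-mappings";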

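--- a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
+++ b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
@@ -44,6 +44,7 @@
 import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
 import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.InterceptMethodsBeanDefinitionDecorator;
+import org.springframework.security.config.method.MethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser;
 import org.springframework.security.config.oauth2.client.ClientRegistrationsBeanDefinitionParser;
 import org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser;
@@ -169,6 +170,7 @@ private void loadParsers() {
 this.parsers.put(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());
 this.parsers.put(Elements.AUTHENTICATION_PROVIDER, new AuthenticationProviderBeanDefinitionParser());
 this.parsers.put(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser());
+this.parsers.put(Elements.METHOD_SECURITY, new MethodSecurityBeanDefinitionParser());
 this.parsers.put(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());
 this.parsers.put(Elements.METHOD_SECURITY_METADATA_SOURCE,
 new MethodSecurityMetadataSourceBeanDefinitionParser());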

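--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableMethodSecurity.java
@@ -25,13 +25,17 @@
 import org.springframework.context.annotation.AdviceMode;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
-import org.springframework.core.Ordered;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PostFilter;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.access.prepost.PreFilter;
 
 /**
 * Enables Spring Security Method Security.
 * @author Evgeniy Cheban
-* @since 5.5
+* @author Josh Cummings
+* @since 5.6
 */
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
@@ -40,6 +44,14 @@
 @Configuration
 public @interface EnableMethodSecurity {
 
+/**
+* Determines if Spring Security's {@link PreAuthorize}, {@link PostAuthorize},
+* {@link PreFilter}, and {@link PostFilter} annotations should be enabled. Default is
+* true.
+* @return true if pre/post annotations should be enabled false otherwise
+*/
+boolean prePostEnabled() default true;
+
 /**
 * Determines if Spring Security's {@link Secured} annotation should be enabled.
 * Default is false.
@@ -76,12 +88,4 @@
 */
 AdviceMode mode() default AdviceMode.PROXY;
 
-/**
-* Indicate the ordering of the execution of the security advisor when multiple
-* advices are applied at a specific joinpoint. The default is
-* {@link Ordered#LOWEST_PRECEDENCE}.
-* @return the order the security advisor should be applied
-*/
-int order() default Ordered.LOWEST_PRECEDENCE;
-
 }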
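Review bot: The Javadoc added for `prePostEnabled()` in the second hunk gives the default but not what the flag means for enforcement. With `default true` the pre/post annotations are active as soon as `@EnableMethodSecurity` is present, which is the opposite of `@EnableGlobalMethodSecurity`, where `prePostEnabled` defaults to false. I would add a sentence such as `When set to false these annotations are not enforced, so methods that rely on them are left unprotected.` and correct the return tag to `@return true if pre/post annotations should be enabled, false otherwise`. The last hunk removes `order()` without pointing readers at a replacement; the commit message mentions AuthorizationInterceptorsOrder, which the type-level Javadoc could reference.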
@@ -0,0 +1,54 @@
1+
/*
2+
* Copyright 2002-2021 the original author or authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* https://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.springframework.security.config.annotation.method.configuration;
18+
19+
import org.springframework.aop.Advisor;
20+
import org.springframework.beans.factory.annotation.Autowired;
21+
import org.springframework.beans.factory.config.BeanDefinition;
22+
import org.springframework.context.annotation.Bean;
23+
import org.springframework.context.annotation.Configuration;
24+
import org.springframework.context.annotation.Role;
25+
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
26+
import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
27+
import org.springframework.security.config.core.GrantedAuthorityDefaults;
28+
29+
/**
30+
* {@link Configuration} for enabling JSR-250 Spring Security Method Security.
31+
*
32+
* @author Evgeniy Cheban
33+
* @author Josh Cummings
34+
* @see EnableMethodSecurity
35+
* @since 5.6
36+
*/
37+
@Configuration(proxyBeanMethods = false)
38+
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
39+
final class Jsr250MethodSecurityConfiguration {
40+
41+
private final Jsr250AuthorizationManager jsr250AuthorizationManager = new Jsr250AuthorizationManager();
42+
43+
@Bean
44+
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
45+
Advisor jsr250AuthorizationMethodInterceptor() {
46+
return AuthorizationManagerBeforeMethodInterceptor.jsr250(this.jsr250AuthorizationManager);
47+
}
48+
49+
@Autowired(required = false)
50+
void setGrantedAuthorityDefaults(GrantedAuthorityDefaults grantedAuthorityDefaults) {
51+
this.jsr250AuthorizationManager.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
52+
}
53+
54+
}
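Review bot: `setGrantedAuthorityDefaults` has no comment, although the role prefix it applies decides which granted authorities the JSR-250 annotations will match. Because it is declared `@Autowired(required = false)`, the setter is presumably not invoked when no `GrantedAuthorityDefaults` bean is defined, leaving `jsr250AuthorizationManager` on its built-in prefix; that fallback should be stated. I would add `/** Applies the role prefix from the application's GrantedAuthorityDefaults bean, if one is defined; otherwise the manager's default prefix is kept. */` above the setter. The class Javadoc could also say under which `@EnableMethodSecurity` setting this configuration is imported, which is not visible in this section.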

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityConfiguration.java

-252
This file was deleted.
