Skip to content

Commit

Permalink
Add AuthorizationResult support for AuthorizationManager
Browse files Browse the repository at this point in the history
  • Loading branch information
franticticktick committed Oct 11, 2024
1 parent 567933d commit e006507
Show file tree
Hide file tree
Showing 21 changed files with 208 additions and 46 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -32,8 +32,8 @@
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
Expand Down Expand Up @@ -221,7 +221,8 @@ private boolean checkLoginPageIsPublic(List<Filter> filters, FilterInvocation lo
AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
.getAuthorizationManager();
try {
AuthorizationDecision decision = authorizationManager.check(() -> TEST, loginRequest.getHttpRequest());
AuthorizationResult decision = authorizationManager.authorize(() -> TEST,
loginRequest.getHttpRequest());
return decision != null && decision.isGranted();
}
catch (Exception ex) {
Expand Down Expand Up @@ -252,7 +253,8 @@ private Supplier<Boolean> deriveAnonymousCheck(List<Filter> filters, FilterInvoc
return () -> {
AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
.getAuthorizationManager();
AuthorizationDecision decision = authorizationManager.check(() -> token, loginRequest.getHttpRequest());
AuthorizationResult decision = authorizationManager.authorize(() -> token,
loginRequest.getHttpRequest());
return decision != null && decision.isGranted();
};
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -91,6 +91,7 @@ public void getWhenUsingAuthorizationManagerThenRedirectsToLogin() throws Except
AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
.getBean(AuthorizationManager.class);
given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(authorizationManager.authorize(any(), any())).willCallRealMethod();
// @formatter:off
this.mvc.perform(get("/"))
.andExpect(status().isFound())
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -42,8 +42,35 @@ public interface AuthorizationEventPublisher {
* @param object the secured object
* @param decision the decision about whether the user may access the secured object
* @param <T> the secured object's type
* @deprecated use
* {@link #publishAuthorizationEvent(Supplier, Object, AuthorizationResult)} instead
*/
@Deprecated
<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision);

/**
* Publish the given details in the form of an event, typically
* {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
*
* Note that success events can be very noisy if enabled by default. Because of this
* implementations may choose to drop success events by default.
* @param authentication a {@link Supplier} for the current user
* @param object the secured object
* @param decision {@link AuthorizationResult} the decision about whether the user may
* access the secured object
* @param <T> the secured object's type
* @since 6.4
*/
default <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult decision) {
if (decision == null) {
return;
}
if (!(decision instanceof AuthorizationDecision result)) {
throw new UnsupportedOperationException("Decision must be of type AuthorizationDecision");
}
publishAuthorizationEvent(authentication, object, result);
}

}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -50,8 +50,23 @@ default void verify(Supplier<Authentication> authentication, T object) {
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check
* @return an {@link AuthorizationDecision} or null if no decision could be made
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
@Nullable
@Deprecated
AuthorizationDecision check(Supplier<Authentication> authentication, T object);

/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to
* authorize
* @param object the {@link T} object to authorize
* @return an {@link AuthorizationResult}
* @since 6.4
*/
@Nullable
default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
return check(authentication, object);
}

}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -35,6 +35,8 @@ public class AuthorizationObservationContext<T> extends Observation.Context {

private AuthorizationDecision decision;

private AuthorizationResult authorizationResult;

public AuthorizationObservationContext(T object) {
Assert.notNull(object, "object cannot be null");
this.object = object;
Expand Down Expand Up @@ -73,15 +75,37 @@ public T getObject() {
* @return the observed {@link AuthorizationDecision}
*/
public AuthorizationDecision getDecision() {
return this.decision;
Assert.isInstanceOf(AuthorizationDecision.class,
"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
return (AuthorizationDecision) this.authorizationResult;
}

/**
* Set the observed {@link AuthorizationDecision}
* @param decision the observed {@link AuthorizationDecision}
* @deprecated
*/
@Deprecated
public void setDecision(AuthorizationDecision decision) {
this.decision = decision;
}

/**
* Get the observed {@link AuthorizationResult}
* @return the observed {@link AuthorizationResult}
* @since 6.4
*/
public AuthorizationResult getAuthorizationResult() {
return this.authorizationResult;
}

/**
* Set the observed {@link AuthorizationResult}
* @param authorizationResult the observed {@link AuthorizationResult}
* @since 6.4
*/
public void setAuthorizationResult(AuthorizationResult authorizationResult) {
this.authorizationResult = authorizationResult;
}

}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -100,10 +100,10 @@ private String getObjectType(AuthorizationObservationContext<?> context) {
}

private String getAuthorizationDecision(AuthorizationObservationContext<?> context) {
if (context.getDecision() == null) {
if (context.getAuthorizationResult() == null) {
return "unknown";
}
return String.valueOf(context.getDecision().isGranted());
return String.valueOf(context.getAuthorizationResult().isGranted());
}

private String getAuthorities(AuthorizationObservationContext<?> context) {
Expand All @@ -114,10 +114,10 @@ private String getAuthorities(AuthorizationObservationContext<?> context) {
}

private String getDecisionDetails(AuthorizationObservationContext<?> context) {
if (context.getDecision() == null) {
if (context.getAuthorizationResult() == null) {
return "unknown";
}
AuthorizationDecision decision = context.getDecision();
AuthorizationResult decision = context.getAuthorizationResult();
return String.valueOf(decision);
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -36,7 +36,9 @@ public interface ReactiveAuthorizationManager<T> {
* @param authentication the Authentication to check
* @param object the object to check
* @return an decision or empty Mono if no decision could be made.
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object);

/**
Expand All @@ -55,4 +57,15 @@ default Mono<Void> verify(Mono<Authentication> authentication, T object) {
// @formatter:on
}

/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the Authentication to authorize
* @param object the object to check
* @return an decision or empty Mono if no decision could be made.
* @since 6.4
*/
default Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
return check(authentication, object).cast(AuthorizationResult.class);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,10 @@
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
Expand Down Expand Up @@ -60,7 +60,7 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori

private int order;

private AuthorizationEventPublisher eventPublisher = AuthorizationManagerAfterMethodInterceptor::noPublish;
private AuthorizationEventPublisher eventPublisher = new NoOpAuthorizationEventPublisher();

/**
* Creates an instance.
Expand Down Expand Up @@ -182,7 +182,7 @@ public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strat
private Object attemptAuthorization(MethodInvocation mi, Object result) {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
MethodInvocationResult object = new MethodInvocationResult(mi, result);
AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, object);
AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object);
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision);
if (decision != null && !decision.isGranted()) {
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
Expand All @@ -193,7 +193,7 @@ private Object attemptAuthorization(MethodInvocation mi, Object result) {
return result;
}

private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationDecision decision) {
private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult decision) {
if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) {
return deniedHandler.handleDeniedInvocationResult(mi, decision);
}
Expand All @@ -209,9 +209,4 @@ private Authentication getAuthentication() {
return authentication;
}

private static <T> void noPublish(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {

}

}
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ private boolean isMultiValue(Class<?> returnType, ReactiveAdapter adapter) {

private Mono<Object> postAuthorize(Mono<Authentication> authentication, MethodInvocation mi, Object result) {
MethodInvocationResult invocationResult = new MethodInvocationResult(mi, result);
return this.authorizationManager.check(authentication, invocationResult)
return this.authorizationManager.authorize(authentication, invocationResult)
.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
.flatMap((decision) -> postProcess(decision, invocationResult));
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
Expand Down Expand Up @@ -65,7 +64,7 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author

private int order = AuthorizationInterceptorsOrder.FIRST.getOrder();

private AuthorizationEventPublisher eventPublisher = AuthorizationManagerBeforeMethodInterceptor::noPublish;
private AuthorizationEventPublisher eventPublisher = new NoOpAuthorizationEventPublisher();

/**
* Creates an instance.
Expand Down Expand Up @@ -247,9 +246,9 @@ public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy secur

private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
AuthorizationDecision decision;
AuthorizationResult decision;
try {
decision = this.authorizationManager.check(this::getAuthentication, mi);
decision = this.authorizationManager.authorize(this::getAuthentication, mi);
}
catch (AuthorizationDeniedException denied) {
return handle(mi, denied);
Expand Down Expand Up @@ -299,9 +298,4 @@ private Authentication getAuthentication() {
return authentication;
}

private static <T> void noPublish(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {

}

}
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ public Object invoke(MethodInvocation mi) throws Throwable {

private Flux<Object> preAuthorized(MethodInvocation mi, Flux<Object> mapping) {
Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
return this.authorizationManager.check(authentication, mi)
return this.authorizationManager.authorize(authentication, mi)
.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
.flatMapMany((decision) -> {
if (decision.isGranted()) {
Expand All @@ -153,7 +153,7 @@ private Flux<Object> preAuthorized(MethodInvocation mi, Flux<Object> mapping) {

private Mono<Object> preAuthorized(MethodInvocation mi, Mono<Object> mapping) {
Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
return this.authorizationManager.check(authentication, mi)
return this.authorizationManager.authorize(authentication, mi)
.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
.flatMap((decision) -> {
if (decision.isGranted()) {
Expand Down
Loading

0 comments on commit e006507

Please sign in to comment.