SEC-3011: AbstractUrlAuthorizationConfigurer postProcess default AccessDecisionManager

11 years ago · 07fb2af74b
2 changed files with 51 additions and 3 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
@ -156,7 +156,8 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
 	 * @return the default {@code AccessDecisionManager}
 	 */
 	private AccessDecisionManager createDefaultAccessDecisionManager(H http) {
-		return new AffirmativeBased(getDecisionVoters(http));
+		AffirmativeBased result = new AffirmativeBased(getDecisionVoters(http));
 		return postProcess(result);
 	}
 	/**
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy
@ -19,9 +19,12 @@ import static org.springframework.security.config.annotation.web.configurers.Exp
 import javax.servlet.http.HttpServletResponse
 import org.springframework.beans.BeansException
 import org.springframework.beans.factory.BeanCreationException
 import org.springframework.beans.factory.config.BeanPostProcessor
 import org.springframework.context.ApplicationListener
-import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Bean
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.event.AuthorizedEvent
 import org.springframework.security.access.vote.AffirmativeBased
 import org.springframework.security.authentication.RememberMeAuthenticationToken
@ -31,7 +34,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerConfigs.CustomExpressionRootConfig;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerConfigs.CustomExpressionRootConfig
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor
@ -527,4 +530,48 @@ public class ExpressionUrlAuthorizationConfigurerTests extends BaseSpringSpec {
 		then: "custom bean expression denies access"
 			response.status == HttpServletResponse.SC_FORBIDDEN
 	}
 	def "SEC-3011: Default AccessDecisionManager postProcessed"() {
 		when:
 		loadConfig(Sec3011Config)
 		then:
 		context.getBean(MockBeanPostProcessor).beans.find { it instanceof AccessDecisionManager }
 	}
 	@EnableWebSecurity
 	static class Sec3011Config extends WebSecurityConfigurerAdapter {
 		protected void configure(HttpSecurity http) throws Exception {
 			http
 				.authorizeRequests()
 					.anyRequest().authenticated();
 		}
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication();
 		}
 		@Bean
 		static MockBeanPostProcessor mbpp() {
 			return new MockBeanPostProcessor();
 		}
 	}
 	static class MockBeanPostProcessor implements BeanPostProcessor {
 		List<Object> beans = new ArrayList<Object>();
 		public Object postProcessBeforeInitialization(Object bean,
 				String beanName) throws BeansException {
 			beans.add(bean);
 			return bean;
 		}
 		public Object postProcessAfterInitialization(Object bean,
 				String beanName) throws BeansException {
 			return bean;
 		}
 	}
 }