SEC-1216: Replacement of custom-after-invocation-provider with after-invocation-provider element. Some changes to help prevent proxying of aop infrastructure classes (use of AopInfrastructureBean marker interface)

config/src/main/java/org/springframework/security/config/Elements.java

@@ -10,6 +10,7 @@ public abstract class Elements {
 
     public static final String ACCESS_DENIED_HANDLER = "access-denied-handler";
     public static final String AUTHENTICATION_MANAGER = "authentication-manager";
+    public static final String AFTER_INVOCATION_PROVIDER = "after-invocation-provider";
     public static final String USER_SERVICE = "user-service";
     public static final String JDBC_USER_SERVICE = "jdbc-user-service";
     public static final String FILTER_CHAIN_MAP = "filter-chain-map";
@@ -43,6 +44,7 @@ public abstract class Elements {
     public static final String CUSTOM_FILTER = "custom-filter";
     @Deprecated
     public static final String CUSTOM_AUTH_PROVIDER = "custom-authentication-provider";
+    @Deprecated
     public static final String CUSTOM_AFTER_INVOCATION_PROVIDER = "custom-after-invocation-provider";
     public static final String X509 = "x509";
     public static final String FILTER_SECURITY_METADATA_SOURCE = "filter-security-metadata-source";

config/src/main/java/org/springframework/security/config/method/CustomAfterInvocationProviderBeanDefinitionDecorator.java

@@ -15,9 +15,10 @@ import org.w3c.dom.Node;
  */
 public class CustomAfterInvocationProviderBeanDefinitionDecorator implements BeanDefinitionDecorator {
 
-    @SuppressWarnings("unchecked")
     public BeanDefinitionHolder decorate(Node node, BeanDefinitionHolder holder, ParserContext parserContext) {
-        MethodConfigUtils.getRegisteredAfterInvocationProviders(parserContext).add(holder.getBeanDefinition());
+        parserContext.getReaderContext().warning("In Spring Security 3.0, this element is not supported and" +
+                " has no effect", parserContext.extractSource(node));
+//        MethodConfigUtils.getRegisteredAfterInvocationProviders(parserContext).add(holder.getBeanDefinition());
 
         return holder;
     }

config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java

@@ -10,10 +10,12 @@ import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.aop.config.AopNamespaceUtils;
+import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.BeanFactoryAware;
 import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.BeanReference;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
@@ -31,6 +33,7 @@ import org.springframework.security.access.expression.method.DefaultMethodSecuri
 import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
 import org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice;
 import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
+import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
 import org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor;
 import org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource;
@@ -44,6 +47,7 @@ import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.BeanIds;
+import org.springframework.security.config.Elements;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.util.Assert;
@@ -66,9 +70,9 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
     /*
      * Internal Bean IDs which are only used within this class
      */
-    static final String SECURITY_INTERCEPTOR_ID = "_globalMethodSecurityInterceptor";
+//    static final String SECURITY_INTERCEPTOR_ID = "_globalMethodSecurityInterceptor";
     static final String ACCESS_MANAGER_ID = "_globalMethodSecurityAccessManager";
-    private static final String DELEGATING_METHOD_DEFINITION_SOURCE_ID = "_delegatingMethodSecurityMetadataSource";
+//    private static final String DELEGATING_METHOD_DEFINITION_SOURCE_ID = "_delegatingMethodSecurityMetadataSource";
     private static final String EXPRESSION_HANDLER_ID = "_methodExpressionHandler";
 
     private static final String ATT_ACCESS = "access";
@@ -78,6 +82,7 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
     private static final String ATT_USE_JSR250 = "jsr250-annotations";
     private static final String ATT_USE_SECURED = "secured-annotations";
     private static final String ATT_USE_PREPOST = "pre-post-annotations";
+    private static final String ATT_REF = "ref";
 
     @SuppressWarnings("unchecked")
     public BeanDefinition parse(Element element, ParserContext pc) {
@@ -93,6 +98,7 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
         boolean useSecured = "enabled".equals(element.getAttribute(ATT_USE_SECURED));
         boolean prePostAnnotationsEnabled = "enabled".equals(element.getAttribute(ATT_USE_PREPOST));
         BeanDefinition preInvocationVoter = null;
+        ManagedList<BeanMetadataElement> afterInvocationProviders = new ManagedList<BeanMetadataElement>();
 
         if (prePostAnnotationsEnabled) {
             Element prePostElt = DomUtils.getChildElementByTagName(element, INVOCATION_HANDLING);
@@ -148,7 +154,7 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
             }
 
             preInvocationVoter = preInvocationVoterBldr.getBeanDefinition();
-            MethodConfigUtils.getRegisteredAfterInvocationProviders(pc).add(afterInvocationBldr.getBeanDefinition());
+            afterInvocationProviders.add(afterInvocationBldr.getBeanDefinition());
             delegates.add(mds.getBeanDefinition());
         }
 
@@ -171,7 +177,14 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
             registerProtectPointcutPostProcessor(pc, pointcutMap, mapBasedMethodSecurityMetadataSource, source);
         }
 
-        registerDelegatingMethodSecurityMetadataSource(pc, delegates, source);
+        BeanReference metadataSource = registerDelegatingMethodSecurityMetadataSource(pc, delegates, source);
+
+        // Check for additional after-invocation-providers..
+        List<Element> afterInvocationElts = DomUtils.getChildElementsByTagName(element, Elements.AFTER_INVOCATION_PROVIDER);
+
+        for (Element elt : afterInvocationElts) {
+            afterInvocationProviders.add(new RuntimeBeanReference(elt.getAttribute(ATT_REF)));
+        }
 
         String accessManagerId = element.getAttribute(ATT_ACCESS_MGR);
 
@@ -182,9 +195,10 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
 
         String runAsManagerId = element.getAttribute(ATT_RUN_AS_MGR);
 
-        registerMethodSecurityInterceptor(pc, accessManagerId, runAsManagerId, source);
+        BeanReference interceptor = registerMethodSecurityInterceptor(pc, accessManagerId, runAsManagerId,
+                metadataSource, afterInvocationProviders, source);
 
-        registerAdvisor(pc, source);
+        registerAdvisor(pc, interceptor, metadataSource, source);
 
         AopNamespaceUtils.registerAutoProxyCreatorIfNecessary(pc, element);
         pc.popAndRegisterContainingComponent();
@@ -217,14 +231,15 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
     }
 
     @SuppressWarnings("unchecked")
-    private void registerDelegatingMethodSecurityMetadataSource(ParserContext parserContext, ManagedList delegates, Object source) {
-        if (parserContext.getRegistry().containsBeanDefinition(DELEGATING_METHOD_DEFINITION_SOURCE_ID)) {
-            parserContext.getReaderContext().error("Duplicate <global-method-security> detected.", source);
-        }
+    private BeanReference registerDelegatingMethodSecurityMetadataSource(ParserContext pc, ManagedList delegates, Object source) {
         RootBeanDefinition delegatingMethodSecurityMetadataSource = new RootBeanDefinition(DelegatingMethodSecurityMetadataSource.class);
         delegatingMethodSecurityMetadataSource.setSource(source);
         delegatingMethodSecurityMetadataSource.getPropertyValues().addPropertyValue("methodSecurityMetadataSources", delegates);
-        parserContext.getRegistry().registerBeanDefinition(DELEGATING_METHOD_DEFINITION_SOURCE_ID, delegatingMethodSecurityMetadataSource);
+
+        String id = pc.getReaderContext().registerWithGeneratedName(delegatingMethodSecurityMetadataSource);
+        pc.registerBeanComponent(new BeanComponentDefinition(delegatingMethodSecurityMetadataSource, id));
+
+        return new RuntimeBeanReference(id);
     }
 
     private void registerProtectPointcutPostProcessor(ParserContext parserContext,
@@ -266,31 +281,43 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
         return pointcutMap;
     }
 
-    private void registerMethodSecurityInterceptor(ParserContext pc, String accessManagerId, String runAsManagerId, Object source) {
+    private BeanReference registerMethodSecurityInterceptor(ParserContext pc, String accessManagerId,
+            String runAsManagerId, BeanReference metadataSource, List<BeanMetadataElement> afterInvocationProviders, Object source) {
         BeanDefinitionBuilder bldr = BeanDefinitionBuilder.rootBeanDefinition(MethodSecurityInterceptor.class);
-        bldr.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
         bldr.getRawBeanDefinition().setSource(source);
 
         bldr.addPropertyReference("accessDecisionManager", accessManagerId);
         bldr.addPropertyValue("authenticationManager", new RootBeanDefinition(AuthenticationManagerDelegator.class));
-        bldr.addPropertyReference("securityMetadataSource", DELEGATING_METHOD_DEFINITION_SOURCE_ID);
+        bldr.addPropertyValue("securityMetadataSource", metadataSource);
         if (StringUtils.hasText(runAsManagerId)) {
             bldr.addPropertyReference("runAsManager", runAsManagerId);
         }
 
-        BeanDefinition interceptor = bldr.getBeanDefinition();
-        pc.getRegistry().registerBeanDefinition(SECURITY_INTERCEPTOR_ID, interceptor);
-        pc.registerComponent(new BeanComponentDefinition(interceptor, SECURITY_INTERCEPTOR_ID));
+        if (!afterInvocationProviders.isEmpty()) {
+            BeanDefinition afterInvocationManager = null;
+            afterInvocationManager = new RootBeanDefinition(AfterInvocationProviderManager.class);
+            afterInvocationManager.getPropertyValues().addPropertyValue("providers", afterInvocationProviders);
+            bldr.addPropertyValue("afterInvocationManager", afterInvocationManager);
+        }
+
+        BeanDefinition bean = bldr.getBeanDefinition();
+        String id = pc.getReaderContext().registerWithGeneratedName(bean);
+        pc.registerBeanComponent(new BeanComponentDefinition(bean, id));
 
-        pc.getReaderContext().registerWithGeneratedName(new RootBeanDefinition(MethodSecurityInterceptorPostProcessor.class));
+        return new RuntimeBeanReference(id);
     }
 
-    private void registerAdvisor(ParserContext parserContext, Object source) {
+    private void registerAdvisor(ParserContext parserContext, BeanReference interceptor, BeanReference metadataSource, Object source) {
+        if (parserContext.getRegistry().containsBeanDefinition(BeanIds.METHOD_SECURITY_METADATA_SOURCE_ADVISOR)) {
+            parserContext.getReaderContext().error("Duplicate <global-method-security> detected.", source);
+        }
         RootBeanDefinition advisor = new RootBeanDefinition(MethodSecurityMetadataSourceAdvisor.class);
+        // advisor must be an infrastructure bean as Spring's InfrastructureAdvisorAutoProxyCreator will ignore it
+        // otherwise
         advisor.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
         advisor.setSource(source);
-        advisor.getConstructorArgumentValues().addGenericArgumentValue(SECURITY_INTERCEPTOR_ID);
-        advisor.getConstructorArgumentValues().addGenericArgumentValue(new RuntimeBeanReference(DELEGATING_METHOD_DEFINITION_SOURCE_ID));
+        advisor.getConstructorArgumentValues().addGenericArgumentValue(interceptor.getBeanName());
+        advisor.getConstructorArgumentValues().addGenericArgumentValue(metadataSource);
 
         parserContext.getRegistry().registerBeanDefinition(BeanIds.METHOD_SECURITY_METADATA_SOURCE_ADVISOR, advisor);
     }

config/src/main/java/org/springframework/security/config/method/MethodSecurityInterceptorPostProcessor.java

@@ -1,49 +0,0 @@
-package org.springframework.security.config.method;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.BeanFactory;
-import org.springframework.beans.factory.BeanFactoryAware;
-import org.springframework.beans.factory.config.BeanPostProcessor;
-import org.springframework.security.access.intercept.AfterInvocationManager;
-import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
-import org.springframework.security.config.BeanIds;
-
-/**
- * BeanPostProcessor which sets the AfterInvocationManager on the global MethodSecurityInterceptor,
- * if one has been configured.
- *
- * @author Luke Taylor
- * @version $Id$
- *
- */
-class MethodSecurityInterceptorPostProcessor implements BeanPostProcessor, BeanFactoryAware{
-    private Log logger = LogFactory.getLog(getClass());
-
-    private BeanFactory beanFactory;
-
-    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
-        if(!GlobalMethodSecurityBeanDefinitionParser.SECURITY_INTERCEPTOR_ID.equals(beanName)) {
-            return bean;
-        }
-
-        MethodSecurityInterceptor interceptor = (MethodSecurityInterceptor) bean;
-
-        if (beanFactory.containsBean(BeanIds.AFTER_INVOCATION_MANAGER)) {
-            logger.debug("Setting AfterInvocationManaer on MethodSecurityInterceptor");
-            interceptor.setAfterInvocationManager((AfterInvocationManager)
-                    beanFactory.getBean(BeanIds.AFTER_INVOCATION_MANAGER));
-        }
-
-        return bean;
-    }
-
-    public Object postProcessAfterInitialization(Object bean, String beanName) {
-        return bean;
-    }
-
-    public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
-        this.beanFactory = beanFactory;
-    }
-}

config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc

@@ -187,7 +187,7 @@ protect.attlist &=
 
 global-method-security =
     ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250.
-	element global-method-security {global-method-security.attlist, (pre-post-annotation-handling | expression-handler)?, protect-pointcut*}
+	element global-method-security {global-method-security.attlist, (pre-post-annotation-handling | expression-handler)?, protect-pointcut*, after-invocation-provider*}
 global-method-security.attlist &=
     ## Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled".
     attribute pre-post-annotations {"disabled" | "enabled" }?
@@ -203,6 +203,10 @@ global-method-security.attlist &=
 global-method-security.attlist &=
     ## Optional RunAsmanager implementation which will be used by the configured MethodSecurityInterceptor
     attribute run-as-manager-ref {xsd:token}?
+    
+after-invocation-provider =
+    ## Allows addition of extra AfterInvocationProvider beans which should be called by the MethodSecurityInterceptor created by global-method-security.
+    element after-invocation-provider {ref} 
 
 pre-post-annotation-handling =
     ## Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these annotations are enabled. 

config/src/main/resources/org/springframework/security/config/spring-security.xsl

@@ -10,7 +10,7 @@
     <xsl:output method="xml" indent="yes"/>
 
     <xsl:variable name="elts-to-inline">
-        <xsl:text>,access-denied-handler,anonymous,concurrent-session-control,user,port-mapping,openid-login,expression-handler,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,pre-post-annotation-handling,pre-invocation-advice,post-invocation-advice,invocation-attribute-factory,remember-me,salt-source,x509,</xsl:text>
+        <xsl:text>,access-denied-handler,anonymous,concurrent-session-control,after-invocation-provider,authentication-provider,ldap-authentication-provider,user,port-mapping,openid-login,expression-handler,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,pre-post-annotation-handling,pre-invocation-advice,post-invocation-advice,invocation-attribute-factory,remember-me,salt-source,x509,</xsl:text>
     </xsl:variable>
 
     <xsl:template match="xs:element">

config/src/test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -57,10 +57,12 @@ public class LdapProviderBeanDefinitionParserTests {
 
     @Test(expected = ApplicationContextException.class)
     public void missingServerEltCausesConfigException() {
-        setContext("<ldap-authentication-provider />");
+        setContext(
+                "<authentication-manager>" +
+                "   <ldap-authentication-provider />" +
+                "</authentication-manager>");
     }
 
-
     @Test
     public void supportsPasswordComparisonAuthentication() {
         setContext("<ldap-server /> " +

config/src/test/java/org/springframework/security/config/ldap/LdapUserServiceBeanDefinitionParserTests.java

@@ -117,9 +117,11 @@ public class LdapUserServiceBeanDefinitionParserTests {
     public void isSupportedByAuthenticationProviderElement() {
         setContext(
                 "<ldap-server url='ldap://127.0.0.1:343/dc=springframework,dc=org'/>" +
-                "<authentication-provider>" +
+                "<authentication-manager>" +
+                "  <authentication-provider>" +
                 "    <ldap-user-service user-search-filter='(uid={0})' />" +
-                "</authentication-provider>");
+                "  </authentication-provider>" +
+                "</authentication-manager>");
     }
 
     @Test

config/src/test/java/org/springframework/security/config/method/CustomAfterInvocationProviderBeanDefinitionDecoratorTests.java

@@ -1,15 +1,8 @@
 package org.springframework.security.config.method;
 
-import static org.junit.Assert.*;
-
 import org.junit.After;
 import org.junit.Test;
 import org.springframework.context.support.AbstractXmlApplicationContext;
-import org.springframework.security.access.intercept.AfterInvocationProviderManager;
-import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
-import org.springframework.security.config.ConfigTestUtils;
-import org.springframework.security.config.MockAfterInvocationProvider;
-import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 
 public class CustomAfterInvocationProviderBeanDefinitionDecoratorTests {
@@ -24,23 +17,10 @@ public class CustomAfterInvocationProviderBeanDefinitionDecoratorTests {
     }
 
     @Test
-    public void customAfterInvocationProviderIsAddedToInterceptor() {
-        setContext(
-                "<global-method-security />" +
+    public void customAfterInvocationProviderIsSupportedIn20Schema() {
+        appContext = new InMemoryXmlApplicationContext(
                 "<b:bean id='aip' class='org.springframework.security.config.MockAfterInvocationProvider'>" +
                 "    <custom-after-invocation-provider />" +
-                "</b:bean>" +
-                ConfigTestUtils.AUTH_PROVIDER_XML
-        );
-
-        MethodSecurityInterceptor msi = (MethodSecurityInterceptor) appContext.getBean(GlobalMethodSecurityBeanDefinitionParser.SECURITY_INTERCEPTOR_ID);
-        AfterInvocationProviderManager apm = (AfterInvocationProviderManager) msi.getAfterInvocationManager();
-        assertNotNull(apm);
-        assertEquals(1, apm.getProviders().size());
-        assertTrue(apm.getProviders().get(0) instanceof MockAfterInvocationProvider);
-    }
-
-    private void setContext(String context) {
-        appContext = new InMemoryXmlApplicationContext(context);
+                "</b:bean>", "2.0.4", null);
     }
 }

config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java

@@ -17,16 +17,16 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.annotation.BusinessService;
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.access.intercept.RunAsManagerImpl;
+import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
+import org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor;
 import org.springframework.security.access.prepost.PostInvocationAdviceProvider;
 import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
 import org.springframework.security.access.vote.AffirmativeBased;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.ConfigTestUtils;
 import org.springframework.security.config.PostProcessedMockUserDetailsService;
-import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -184,6 +184,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
         );
     }
 
+    // SEC-936
     @Test(expected=AccessDeniedException.class)
     public void worksWithoutTargetOrClass() {
         setContext(
@@ -210,7 +211,9 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
         AffirmativeBased adm = (AffirmativeBased) appContext.getBean(GlobalMethodSecurityBeanDefinitionParser.ACCESS_MANAGER_ID);
         List voters = (List) FieldUtils.getFieldValue(adm, "decisionVoters");
         PreInvocationAuthorizationAdviceVoter mev = (PreInvocationAuthorizationAdviceVoter) voters.get(0);
-        AfterInvocationProviderManager pm = (AfterInvocationProviderManager) appContext.getBean(BeanIds.AFTER_INVOCATION_MANAGER);
+        MethodSecurityMetadataSourceAdvisor msi = (MethodSecurityMetadataSourceAdvisor)
+            appContext.getBeansOfType(MethodSecurityMetadataSourceAdvisor.class).values().toArray()[0];
+        AfterInvocationProviderManager pm = (AfterInvocationProviderManager) ((MethodSecurityInterceptor)msi.getAdvice()).getAfterInvocationManager();
         PostInvocationAdviceProvider aip = (PostInvocationAdviceProvider) pm.getProviders().get(0);
         assertTrue(FieldUtils.getFieldValue(mev, "preAdvice.expressionHandler") == FieldUtils.getFieldValue(aip, "postAdvice.expressionHandler"));
     }
@@ -269,7 +272,9 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
 
         setContext("<global-method-security run-as-manager-ref='runAsMgr'/>" + AUTH_PROVIDER_XML, parent);
         RunAsManagerImpl ram = (RunAsManagerImpl) appContext.getBean("runAsMgr");
-        assertSame(ram, FieldUtils.getFieldValue(appContext.getBean(GlobalMethodSecurityBeanDefinitionParser.SECURITY_INTERCEPTOR_ID), "runAsManager"));
+        MethodSecurityMetadataSourceAdvisor msi = (MethodSecurityMetadataSourceAdvisor)
+            appContext.getBeansOfType(MethodSecurityMetadataSourceAdvisor.class).values().toArray()[0];
+        assertSame(ram, FieldUtils.getFieldValue(msi.getAdvice(), "runAsManager"));
     }
 
     private void setContext(String context) {

core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java

@@ -18,6 +18,7 @@ package org.springframework.security.access;
 import java.util.Collection;
 import java.util.List;
 
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
 
 
@@ -28,7 +29,7 @@ import org.springframework.security.access.intercept.AbstractSecurityInterceptor
  * @author Ben Alex
  * @version $Id$
  */
-public interface SecurityMetadataSource {
+public interface SecurityMetadataSource extends AopInfrastructureBean {
     //~ Methods ========================================================================================================
 
     /**

core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java

@@ -25,11 +25,13 @@ import org.aopalliance.intercept.MethodInvocation;
 
 
 /**
- * Provides security interception of AOP Alliance based method invocations.<p>The
- * <code>SecurityMetadataSource</code> required by this security interceptor is of type {@link
+ * Provides security interception of AOP Alliance based method invocations.
+ * <p>
+ * The <code>SecurityMetadataSource</code> required by this security interceptor is of type {@link
  * MethodSecurityMetadataSource}. This is shared with the AspectJ based security interceptor
- * (<code>AspectJSecurityInterceptor</code>), since both work with Java <code>Method</code>s.</p>
- *  <P>Refer to {@link AbstractSecurityInterceptor} for details on the workflow.</p>
+ * (<code>AspectJSecurityInterceptor</code>), since both work with Java <code>Method</code>s.
+ * <p>
+ * Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
  *
  * @author Ben Alex
  * @version $Id$

core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java

@@ -11,6 +11,6 @@ import org.springframework.security.access.ConfigAttribute;
  * @version $Id$
  * @since 3.0
  */
-public interface PostInvocationAttribute extends ConfigAttribute{
+public interface PostInvocationAttribute extends ConfigAttribute {
 
 }

core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java

@@ -1,6 +1,7 @@
 package org.springframework.security.access.prepost;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 
@@ -11,7 +12,7 @@ import org.springframework.security.core.Authentication;
  * @version $Id$
  * @since 3.0
  */
-public interface PostInvocationAuthorizationAdvice {
+public interface PostInvocationAuthorizationAdvice extends AopInfrastructureBean {
 
     Object after(Authentication authentication, MethodInvocation mi,
             PostInvocationAttribute pia, Object returnedObject) throws AccessDeniedException;

core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java

@@ -1,6 +1,7 @@
 package org.springframework.security.access.prepost;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -10,7 +11,7 @@ import org.springframework.security.core.Authentication;
  * @version $Id$
  * @since 3.0
  */
-public interface PreInvocationAuthorizationAdvice {
+public interface PreInvocationAuthorizationAdvice extends AopInfrastructureBean {
 
     /**
      * The "before" advice which should be executed to perform any filtering necessary and to decide whether
@@ -18,7 +19,7 @@ public interface PreInvocationAuthorizationAdvice {
      *
      * @param authentication the information on the principal on whose account the decision should be made
      * @param mi the method invocation being attempted
-     * @param preInvocationAttribute the attribute built from the @PreFilte and @PostFilter annotations.
+     * @param preInvocationAttribute the attribute built from the @PreFilter and @PostFilter annotations.
      * @return true if authorised, false otherwise
      */
     boolean before(Authentication authentication, MethodInvocation mi, PreInvocationAttribute preInvocationAttribute);

core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java

@@ -1,12 +1,14 @@
 package org.springframework.security.access.prepost;
 
+import org.springframework.aop.framework.AopInfrastructureBean;
+
 /**
  *
  * @author Luke Taylor
  * @version $Id$
  * @since 3.0
  */
-public interface PrePostInvocationAttributeFactory {
+public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {
 
     PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize);
 

core/src/test/java/org/springframework/security/authentication/concurrent/SessionInformationTests.java

@@ -41,7 +41,7 @@ public class SessionInformationTests extends TestCase {
         assertEquals(sessionId, info.getSessionId());
         assertEquals(currentDate, info.getLastRequest());
 
-        Thread.sleep(1000);
+        Thread.sleep(10);
 
         info.refreshLastRequest();