From 1e864ad7645fcf6d66edd714cb4faf32f76c0716 Mon Sep 17 00:00:00 2001
From: artsiom
Date: Tue, 24 Jul 2018 13:56:06 +0300
Subject: [PATCH] Validate @EnableGlobalMethodSecurity usage

Fixes: gh-5341
---
.../GlobalMethodSecurityConfiguration.java | 16 +++++++++++++---
.../GlobalMethodSecurityConfigurationTests.java | 17 +++++++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
index 3442519caa..56d6f2a674 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
@@ -358,13 +358,23 @@ public class GlobalMethodSecurityConfiguration if (customMethodSecurityMetadataSource != null) { sources.add(customMethodSecurityMetadataSource); } - if (prePostEnabled()) { + + boolean isPrePostEnabled = prePostEnabled(); + boolean isSecureEnabled = securedEnabled(); + boolean isJsr250Enabled = jsr250Enabled(); + + if (!isPrePostEnabled && !isSecureEnabled && !isJsr250Enabled) { + throw new IllegalStateException("In the composition of all global method configuration, " + + "no annotation support was actually activated"); + } + + if (isPrePostEnabled) { sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory)); } - if (securedEnabled()) { + if (isSecureEnabled) { sources.add(new SecuredAnnotationSecurityMetadataSource()); } - if (jsr250Enabled()) { + if (isJsr250Enabled) { GrantedAuthorityDefaults grantedAuthorityDefaults = getSingleBeanOrNull(GrantedAuthorityDefaults.class); Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource = this.context.getBean(Jsr250MethodSecurityMetadataSource.class); diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java index 0ec5662dcb..63b30c1d48 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java 
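Review bot: In GlobalMethodSecurityConfiguration.java the new guard counts only the three annotation flags, so a configuration whose sole source is the one returned by `customMethodSecurityMetadataSource()` (added to `sources` in the context lines just above) would now be rejected at startup even though it does supply method-security metadata. Consider folding that into the condition, e.g. `boolean hasCustom = customMethodSecurityMetadataSource != null;` and `if (!isPrePostEnabled && !isSecureEnabled && !isJsr250Enabled && !hasCustom) {`. Failing fast is the right direction, since an `@EnableGlobalMethodSecurity` with every attribute left off presumably leaves annotated methods unenforced without any signal; the exception message could name the attributes to set (`prePostEnabled`, `securedEnabled`, `jsr250Enabled`) so the failure is actionable. The local `isSecureEnabled` would read more consistently as `isSecuredEnabled`. The enclosing method begins and ends outside this hunk.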
@@ -17,8 +17,10 @@ package org.springframework.security.config.annotation.method.configuration; import org.junit.Rule; import org.junit.Test; +import org.junit.rules.ExpectedException; import org.junit.runner.RunWith; import org.springframework.beans.BeansException; +import org.springframework.beans.factory.UnsatisfiedDependencyException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.config.BeanPostProcessor; import org.springframework.context.annotation.AdviceMode; @@ -64,6 +66,7 @@ import static org.mockito.Mockito.when; /** * * @author Rob Winch + * @author Artsiom Yudovin */ @RunWith(SpringJUnit4ClassRunner.class) @SecurityTestExecutionListeners @@ -71,6 +74,9 @@ public class GlobalMethodSecurityConfigurationTests { @Rule public final SpringTestRule spring = new SpringTestRule(); + @Rule + public ExpectedException thrown = ExpectedException.none(); + @Autowired(required = false) private MethodSecurityService service; @@ -84,6 +90,17 @@ public class GlobalMethodSecurityConfigurationTests { @Autowired(required = false) MockEventListener events; + @Test + public void illegalStateGlobalMethodSecurity() { + this.thrown.expect(UnsatisfiedDependencyException.class); + this.spring.register(IllegalStateGlobalMethodSecurityConfig.class).autowire(); + } + + @EnableGlobalMethodSecurity + public static class IllegalStateGlobalMethodSecurityConfig extends GlobalMethodSecurityConfiguration { + + } + @Test public void methodSecurityAuthenticationManagerPublishesEvent() { this.spring.register(InMemoryAuthWithGlobalMethodSecurityConfig.class).autowire();
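Review bot: `illegalStateGlobalMethodSecurity` in the last hunk expects only `UnsatisfiedDependencyException`, which looks like the container's wrapper type, so the test would still pass if wiring `IllegalStateGlobalMethodSecurityConfig` failed for an unrelated reason. Pinning the cause would make it a real regression test for the new guard, for instance by adding `this.thrown.expectMessage("no annotation support was actually activated");`. This assumes the wrapper's message carries the nested cause's text, which should be confirmed. A companion case with a subclass that supplies only a custom metadata source and sets no annotation attribute would document whether that setup is meant to be accepted. The new `thrown` rule could also be declared `public final` to match the `spring` rule beside it.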