From 61ee4e5a763f53b1f3fde6f1b04ae03f4379612f Mon Sep 17 00:00:00 2001 From: Stephane Nicoll Date: Wed, 14 Jul 2021 16:26:28 +0200 Subject: [PATCH] Avoid using SpEL to change the meaning of the injection point This commit removes the use of SpEL expression and replaces it with an explicit call to the underlying method. --- .../configuration/WebSecurityConfiguration.java | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java index 45bf5e5f1e..a608d0110b 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,7 +24,6 @@ import javax.servlet.Filter; import org.springframework.beans.factory.BeanClassLoaderAware; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.config.BeanFactoryPostProcessor; import org.springframework.beans.factory.config.ConfigurableListableBeanFactory; import org.springframework.context.annotation.Bean; @@ -143,19 +142,20 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa * instances used to create the web configuration. * @param objectPostProcessor the {@link ObjectPostProcessor} used to create a * {@link WebSecurity} instance - * @param webSecurityConfigurers the + * @param beanFactory the bean factory to use to retrieve the relevant * {@code } instances used to * create the web configuration * @throws Exception */ @Autowired(required = false) public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor objectPostProcessor, - @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List> webSecurityConfigurers) - throws Exception { + ConfigurableListableBeanFactory beanFactory) throws Exception { this.webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor)); if (this.debugEnabled != null) { this.webSecurity.debug(this.debugEnabled); } + List> webSecurityConfigurers = new AutowiredWebSecurityConfigurersIgnoreParents( + beanFactory).getWebSecurityConfigurers(); webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE); Integer previousOrder = null; Object previousConfig = null; @@ -189,12 +189,6 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa return new RsaKeyConversionServicePostProcessor(); } - @Bean - public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents( - ConfigurableListableBeanFactory beanFactory) { - return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory); - } - @Override public void setImportMetadata(AnnotationMetadata importMetadata) { Map enableWebSecurityAttrMap = importMetadata