GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Polish AuthorizationManager#authorize 

Issue gh-14843
pull/15918/head
Josh Cummings 1 year ago
parent
e7644925f8
commit
9ce5a76e8c
20 changed files with 160 additions and 73 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
  2. 16
      config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java
  3. 1
      config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java
  4. 2
      core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java
  5. 82
      core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java
  6. 15
      core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
  7. 4
      core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
  8. 4
      core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
  9. 16
      core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java
  10. 18
      core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
  11. 27
      core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
  12. 2
      core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
  13. 3
      core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java
  14. 9
      messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java
  15. 2
      messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java
  16. 4
      rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java
  17. 4
      web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
  18. 8
      web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
  19. 2
      web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
  20. 4
      web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java

10
config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
Unescape View File

@ -221,9 +221,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
.getAuthorizationManager(); .getAuthorizationManager();
try { try {
AuthorizationResult decision = authorizationManager.authorize(() -> TEST, AuthorizationResult result = authorizationManager.authorize(() -> TEST, loginRequest.getHttpRequest());
loginRequest.getHttpRequest()); return result != null && result.isGranted();
return decision != null && decision.isGranted();
} }
catch (Exception ex) { catch (Exception ex) {
return false; return false;
@ -253,9 +252,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
return () -> { return () -> {
AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
.getAuthorizationManager(); .getAuthorizationManager();
AuthorizationResult decision = authorizationManager.authorize(() -> token, AuthorizationResult result = authorizationManager.authorize(() -> token, loginRequest.getHttpRequest());
loginRequest.getHttpRequest()); return result != null && result.isGranted();
return decision != null && decision.isGranted();
}; };
} }
return () -> true; return () -> true;

16
config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java
Unescape View File

@ -25,6 +25,7 @@ import org.springframework.aop.Pointcut;
import org.springframework.aop.support.AopUtils; import org.springframework.aop.support.AopUtils;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
class PointcutDelegatingAuthorizationManager implements AuthorizationManager<MethodInvocation> { class PointcutDelegatingAuthorizationManager implements AuthorizationManager<MethodInvocation> {
@ -37,11 +38,24 @@ class PointcutDelegatingAuthorizationManager implements AuthorizationManager<Met
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) { public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please either call authorize or ensure that the returned result is of type AuthorizationDecision");
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
for (Map.Entry<Pointcut, AuthorizationManager<MethodInvocation>> entry : this.managers.entrySet()) { for (Map.Entry<Pointcut, AuthorizationManager<MethodInvocation>> entry : this.managers.entrySet()) {
Class<?> targetClass = (object.getThis() != null) ? AopUtils.getTargetClass(object.getThis()) : null; Class<?> targetClass = (object.getThis() != null) ? AopUtils.getTargetClass(object.getThis()) : null;
if (entry.getKey().getClassFilter().matches(targetClass) if (entry.getKey().getClassFilter().matches(targetClass)
&& entry.getKey().getMethodMatcher().matches(object.getMethod(), targetClass)) { && entry.getKey().getMethodMatcher().matches(object.getMethod(), targetClass)) {
return entry.getValue().check(authentication, object); return entry.getValue().authorize(authentication, object);
} }
} }
return new AuthorizationDecision(false); return new AuthorizationDecision(false);

1
config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java
Unescape View File

@ -168,6 +168,7 @@ public class InterceptMethodsBeanDefinitionDecoratorTests implements Application
@Test @Test
public void targetCustomAuthorizationManagerUsed() { public void targetCustomAuthorizationManagerUsed() {
given(this.mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
this.targetCustomAuthorizationManager.doSomething(); this.targetCustomAuthorizationManager.doSomething();
verify(this.mockAuthorizationManager).check(any(), any()); verify(this.mockAuthorizationManager).check(any(), any());

2
core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java
Unescape View File

@ -139,7 +139,9 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
* @param authentication the {@link Supplier} of the {@link Authentication} to check * @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check * @param object the {@link T} object to check
* @return an {@link AuthorizationDecision} * @return an {@link AuthorizationDecision}
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/ */
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) { public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
return this.delegate.check(authentication, this.authorities); return this.delegate.check(authentication, this.authorities);

82
core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java
Unescape View File

@ -18,6 +18,9 @@ package org.springframework.security.authorization;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.function.Supplier;
import org.springframework.security.core.Authentication;
/** /**
* A factory class to create an {@link AuthorizationManager} instances. * A factory class to create an {@link AuthorizationManager} instances.
@ -55,22 +58,22 @@ public final class AuthorizationManagers {
@SafeVarargs @SafeVarargs
public static <T> AuthorizationManager<T> anyOf(AuthorizationDecision allAbstainDefaultDecision, public static <T> AuthorizationManager<T> anyOf(AuthorizationDecision allAbstainDefaultDecision,
AuthorizationManager<T>... managers) { AuthorizationManager<T>... managers) {
return (authentication, object) -> { return (AuthorizationManagerCheckAdapter<T>) (authentication, object) -> {
List<AuthorizationDecision> decisions = new ArrayList<>(); List<AuthorizationResult> results = new ArrayList<>();
for (AuthorizationManager<T> manager : managers) { for (AuthorizationManager<T> manager : managers) {
AuthorizationDecision decision = manager.check(authentication, object); AuthorizationResult result = manager.authorize(authentication, object);
if (decision == null) { if (result == null) {
continue; continue;
} }
if (decision.isGranted()) { if (result.isGranted()) {
return decision; return result;
} }
decisions.add(decision); results.add(result);
} }
if (decisions.isEmpty()) { if (results.isEmpty()) {
return allAbstainDefaultDecision; return allAbstainDefaultDecision;
} }
return new CompositeAuthorizationDecision(false, decisions); return new CompositeAuthorizationDecision(false, results);
}; };
} }
@ -101,22 +104,22 @@ public final class AuthorizationManagers {
@SafeVarargs @SafeVarargs
public static <T> AuthorizationManager<T> allOf(AuthorizationDecision allAbstainDefaultDecision, public static <T> AuthorizationManager<T> allOf(AuthorizationDecision allAbstainDefaultDecision,
AuthorizationManager<T>... managers) { AuthorizationManager<T>... managers) {
return (authentication, object) -> { return (AuthorizationManagerCheckAdapter<T>) (authentication, object) -> {
List<AuthorizationDecision> decisions = new ArrayList<>(); List<AuthorizationResult> results = new ArrayList<>();
for (AuthorizationManager<T> manager : managers) { for (AuthorizationManager<T> manager : managers) {
AuthorizationDecision decision = manager.check(authentication, object); AuthorizationResult result = manager.authorize(authentication, object);
if (decision == null) { if (result == null) {
continue; continue;
} }
if (!decision.isGranted()) { if (!result.isGranted()) {
return decision; return result;
} }
decisions.add(decision); results.add(result);
} }
if (decisions.isEmpty()) { if (results.isEmpty()) {
return allAbstainDefaultDecision; return allAbstainDefaultDecision;
} }
return new CompositeAuthorizationDecision(true, decisions); return new CompositeAuthorizationDecision(true, results);
}; };
} }
@ -131,11 +134,11 @@ public final class AuthorizationManagers {
*/ */
public static <T> AuthorizationManager<T> not(AuthorizationManager<T> manager) { public static <T> AuthorizationManager<T> not(AuthorizationManager<T> manager) {
return (authentication, object) -> { return (authentication, object) -> {
AuthorizationDecision decision = manager.check(authentication, object); AuthorizationResult result = manager.authorize(authentication, object);
if (decision == null) { if (result == null) {
return null; return null;
} }
return new NotAuthorizationDecision(decision); return new NotAuthorizationDecision(result);
}; };
} }
@ -144,34 +147,53 @@ public final class AuthorizationManagers {
private static final class CompositeAuthorizationDecision extends AuthorizationDecision { private static final class CompositeAuthorizationDecision extends AuthorizationDecision {
private final List<AuthorizationDecision> decisions; private final List<AuthorizationResult> results;
private CompositeAuthorizationDecision(boolean granted, List<AuthorizationDecision> decisions) { private CompositeAuthorizationDecision(boolean granted, List<AuthorizationResult> results) {
super(granted); super(granted);
this.decisions = decisions; this.results = results;
} }
@Override @Override
public String toString() { public String toString() {
return "CompositeAuthorizationDecision [decisions=" + this.decisions + ']'; return "CompositeAuthorizationDecision [results=" + this.results + ']';
} }
} }
private static final class NotAuthorizationDecision extends AuthorizationDecision { private static final class NotAuthorizationDecision extends AuthorizationDecision {
private final AuthorizationDecision decision; private final AuthorizationResult result;
private NotAuthorizationDecision(AuthorizationDecision decision) { private NotAuthorizationDecision(AuthorizationResult result) {
super(!decision.isGranted()); super(!result.isGranted());
this.decision = decision; this.result = result;
} }
@Override @Override
public String toString() { public String toString() {
return "NotAuthorizationDecision [decision=" + this.decision + ']'; return "NotAuthorizationDecision [result=" + this.result + ']';
} }
} }
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
@Override
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"please call #authorize or ensure that the result is of type AuthorizationDecision");
}
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
}
} }

15
core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
Unescape View File

@ -33,8 +33,6 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
private final T object; private final T object;
private AuthorizationDecision decision;
private AuthorizationResult authorizationResult; private AuthorizationResult authorizationResult;
public AuthorizationObservationContext(T object) { public AuthorizationObservationContext(T object) {
@ -77,9 +75,14 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
*/ */
@Deprecated @Deprecated
public AuthorizationDecision getDecision() { public AuthorizationDecision getDecision() {
Assert.isInstanceOf(AuthorizationDecision.class, this.authorizationResult, if (this.authorizationResult == null) {
return null;
}
if (this.authorizationResult instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision"); "Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
return (AuthorizationDecision) this.authorizationResult;
} }
/** /**
@ -89,9 +92,7 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
*/ */
@Deprecated @Deprecated
public void setDecision(AuthorizationDecision decision) { public void setDecision(AuthorizationDecision decision) {
Assert.isInstanceOf(AuthorizationDecision.class, decision, this.authorizationResult = decision;
"Please call setAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
this.decision = decision;
} }
/** /**

4
core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
Unescape View File

@ -61,6 +61,10 @@ public final class ObservationAuthorizationManager<T>
} }
} }
/**
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) { public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object); AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);

4
core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
Unescape View File

@ -56,6 +56,10 @@ public final class ObservationReactiveAuthorizationManager<T>
} }
} }
/**
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
@Override @Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) { public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object); AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);

16
core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java
Unescape View File

@ -182,22 +182,22 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
private Object attemptAuthorization(MethodInvocation mi, Object result) { private Object attemptAuthorization(MethodInvocation mi, Object result) {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
MethodInvocationResult object = new MethodInvocationResult(mi, result); MethodInvocationResult object = new MethodInvocationResult(mi, result);
AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object); AuthorizationResult authorizationResult = this.authorizationManager.authorize(this::getAuthentication, object);
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, authorizationResult);
if (decision != null && !decision.isGranted()) { if (authorizationResult != null && !authorizationResult.isGranted()) {
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
+ this.authorizationManager + " and decision " + decision)); + this.authorizationManager + " and authorizationResult " + authorizationResult));
return handlePostInvocationDenied(object, decision); return handlePostInvocationDenied(object, authorizationResult);
} }
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
return result; return result;
} }
private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult decision) { private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult result) {
if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) { if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) {
return deniedHandler.handleDeniedInvocationResult(mi, decision); return deniedHandler.handleDeniedInvocationResult(mi, result);
} }
return this.defaultHandler.handleDeniedInvocationResult(mi, decision); return this.defaultHandler.handleDeniedInvocationResult(mi, result);
} }
private Authentication getAuthentication() { private Authentication getAuthentication() {

18
core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
Unescape View File

@ -246,18 +246,18 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
private Object attemptAuthorization(MethodInvocation mi) throws Throwable { private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
AuthorizationResult decision; AuthorizationResult result;
try { try {
decision = this.authorizationManager.authorize(this::getAuthentication, mi); result = this.authorizationManager.authorize(this::getAuthentication, mi);
} }
catch (AuthorizationDeniedException denied) { catch (AuthorizationDeniedException denied) {
return handle(mi, denied); return handle(mi, denied);
} }
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, decision); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, result);
if (decision != null && !decision.isGranted()) { if (result != null && !result.isGranted()) {
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
+ this.authorizationManager + " and decision " + decision)); + this.authorizationManager + " and result " + result));
return handle(mi, decision); return handle(mi, result);
} }
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi)); this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
return proceed(mi); return proceed(mi);
@ -282,11 +282,11 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
return this.defaultHandler.handleDeniedInvocation(mi, denied); return this.defaultHandler.handleDeniedInvocation(mi, denied);
} }
private Object handle(MethodInvocation mi, AuthorizationResult decision) { private Object handle(MethodInvocation mi, AuthorizationResult result) {
if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) { if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
return handler.handleDeniedInvocation(mi, decision); return handler.handleDeniedInvocation(mi, result);
} }
return this.defaultHandler.handleDeniedInvocation(mi, decision); return this.defaultHandler.handleDeniedInvocation(mi, result);
} }
private Authentication getAuthentication() { private Authentication getAuthentication() {

27
core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
Unescape View File

@ -33,6 +33,7 @@ import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthoritiesAuthorizationManager; import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.SecurityAnnotationScanner; import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.security.core.annotation.SecurityAnnotationScanners; import org.springframework.security.core.annotation.SecurityAnnotationScanners;
@ -86,7 +87,9 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
* @param methodInvocation the {@link MethodInvocation} to check * @param methodInvocation the {@link MethodInvocation} to check
* @return an {@link AuthorizationDecision} or null if the JSR-250 security * @return an {@link AuthorizationDecision} or null if the JSR-250 security
* annotations is not present * annotations is not present
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/ */
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation methodInvocation) { public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation methodInvocation) {
AuthorizationManager<MethodInvocation> delegate = this.registry.getManager(methodInvocation); AuthorizationManager<MethodInvocation> delegate = this.registry.getManager(methodInvocation);
@ -109,8 +112,9 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
return (a, o) -> new AuthorizationDecision(true); return (a, o) -> new AuthorizationDecision(true);
} }
if (annotation instanceof RolesAllowed rolesAllowed) { if (annotation instanceof RolesAllowed rolesAllowed) {
return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a, return (AuthorizationManagerCheckAdapter<MethodInvocation>) (a,
getAllowedRolesWithPrefix(rolesAllowed)); o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.authorize(a,
getAllowedRolesWithPrefix(rolesAllowed));
} }
return NULL_MANAGER; return NULL_MANAGER;
} }
@ -130,4 +134,23 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
} }
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
@Override
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"please call #authorize or ensure that the result is of type AuthorizationDecision");
}
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
}
} }

2
core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
Unescape View File

@ -73,7 +73,9 @@ public final class SecuredAuthorizationManager implements AuthorizationManager<M
* @param mi the {@link MethodInvocation} to check * @param mi the {@link MethodInvocation} to check
* @return an {@link AuthorizationDecision} or null if the {@link Secured} annotation * @return an {@link AuthorizationDecision} or null if the {@link Secured} annotation
* is not present * is not present
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/ */
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) { public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
Set<String> authorities = getAuthorities(mi); Set<String> authorities = getAuthorities(mi);

3
core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java
Unescape View File

@ -38,6 +38,8 @@ import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -78,6 +80,7 @@ public class Jsr250AuthorizationManagerTests {
@Test @Test
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception { public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class); AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
given(authoritiesAuthorizationManager.authorize(any(), any())).willCallRealMethod();
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager(); Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager); manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),

9
messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java
Unescape View File

@ -67,11 +67,11 @@ public final class AuthorizationChannelInterceptor implements ChannelInterceptor
@Override @Override
public Message<?> preSend(Message<?> message, MessageChannel channel) { public Message<?> preSend(Message<?> message, MessageChannel channel) {
this.logger.debug(LogMessage.of(() -> "Authorizing message send")); this.logger.debug(LogMessage.of(() -> "Authorizing message send"));
AuthorizationResult decision = this.preSendAuthorizationManager.authorize(this.authentication, message); AuthorizationResult result = this.preSendAuthorizationManager.authorize(this.authentication, message);
this.eventPublisher.publishAuthorizationEvent(this.authentication, message, decision); this.eventPublisher.publishAuthorizationEvent(this.authentication, message, result);
if (decision == null || !decision.isGranted()) { // default deny if (result == null || !result.isGranted()) { // default deny
this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager " this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager "
+ this.preSendAuthorizationManager + " and decision " + decision)); + this.preSendAuthorizationManager + " and result " + result));
throw new AccessDeniedException("Access Denied"); throw new AccessDeniedException("Access Denied");
} }
this.logger.debug(LogMessage.of(() -> "Authorized message send")); this.logger.debug(LogMessage.of(() -> "Authorized message send"));
@ -118,6 +118,7 @@ public final class AuthorizationChannelInterceptor implements ChannelInterceptor
@Override @Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object, public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) { AuthorizationResult result) {
} }
} }

2
messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java
Unescape View File

@ -60,7 +60,9 @@ public final class MessageMatcherDelegatingAuthorizationManager implements Autho
* @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher} * @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher}
* matching the message, or the {@link AuthorizationManager} could not decide, then * matching the message, or the {@link AuthorizationManager} could not decide, then
* null is returned * null is returned
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/ */
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, Message<?> message) { public AuthorizationDecision check(Supplier<Authentication> authentication, Message<?> message) {
if (this.logger.isTraceEnabled()) { if (this.logger.isTraceEnabled()) {

4
rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java
Unescape View File

@ -50,6 +50,10 @@ public final class PayloadExchangeMatcherReactiveAuthorizationManager
this.mappings = mappings; this.mappings = mappings;
} }
/**
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
@Override @Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, PayloadExchange exchange) { public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, PayloadExchange exchange) {
return Flux.fromIterable(this.mappings) return Flux.fromIterable(this.mappings)

4
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
Unescape View File

@ -57,8 +57,8 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
AuthorizationResult decision = this.authorizationManager.authorize(() -> authentication, httpRequest); AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);
return decision == null || decision.isGranted(); return result == null || result.isGranted();
} }
@Override @Override

8
web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
Unescape View File

@ -93,10 +93,10 @@ public class AuthorizationFilter extends GenericFilterBean {
String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName(); String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE); request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);
try { try {
AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, request); AuthorizationResult result = this.authorizationManager.authorize(this::getAuthentication, request);
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision); this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, result);
if (decision != null && !decision.isGranted()) { if (result != null && !result.isGranted()) {
throw new AuthorizationDeniedException("Access Denied", decision); throw new AuthorizationDeniedException("Access Denied", result);
} }
chain.doFilter(request, response); chain.doFilter(request, response);
} }

2
web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
Unescape View File

@ -68,7 +68,9 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
* @return an {@link AuthorizationDecision}. If there is no {@link RequestMatcher} * @return an {@link AuthorizationDecision}. If there is no {@link RequestMatcher}
* matching the request, or the {@link AuthorizationManager} could not decide, then * matching the request, or the {@link AuthorizationManager} could not decide, then
* null is returned * null is returned
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/ */
@Deprecated
@Override @Override
public AuthorizationDecision check(Supplier<Authentication> authentication, HttpServletRequest request) { public AuthorizationDecision check(Supplier<Authentication> authentication, HttpServletRequest request) {
if (this.logger.isTraceEnabled()) { if (this.logger.isTraceEnabled()) {

4
web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java
Unescape View File

@ -48,6 +48,10 @@ public final class DelegatingReactiveAuthorizationManager implements ReactiveAut
this.mappings = mappings; this.mappings = mappings;
} }
/**
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
@Override @Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) { public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) {
return Flux.fromIterable(this.mappings) return Flux.fromIterable(this.mappings)

Write Preview
Loading…
Cancel
Save