From 002a78d87d45e05b67bb280b0c1abb0f9b0c7a08 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 19 Nov 2014 11:58:32 -0600
Subject: [PATCH] SEC-2768: DefaultMessageSecurityExpressionHandler sets PermissionEvaluator
---
 .../DefaultMessageSecurityExpressionHandler.java | 1 +
 .../expression/MessageSecurityExpressionRoot.java | 3 +++
 ...efaultMessageSecurityExpressionHandlerTests.java | 13 +++++++++++++
 3 files changed, 17 insertions(+)
diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java
index 9f9e74bdb6..72129161c4 100644
--- a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java
+++ b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java
@@ -39,6 +39,7 @@ public class DefaultMessageSecurityExpressionHandler extends AbstractSecurity
 @Override
 protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, Message invocation) {
 MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot(authentication,invocation);
+ root.setPermissionEvaluator(getPermissionEvaluator());
 root.setTrustResolver(trustResolver);
 root.setRoleHierarchy(getRoleHierarchy());
 return root;
diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageSecurityExpressionRoot.java b/messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageSecurityExpressionRoot.java
index af6da074ef..9806116011 100644
--- a/messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageSecurityExpressionRoot.java
+++ b/messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageSecurityExpressionRoot.java
@@ -27,7 +27,10 @@ import org.springframework.security.core.Authentication;
 */
 final class MessageSecurityExpressionRoot extends SecurityExpressionRoot {
+ public final Message message;
+
 public MessageSecurityExpressionRoot(Authentication authentication, Message message) {
 super(authentication);
+ this.message = message;
 }
 }
diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java
index 742b4ef9c3..e8e024b934 100644
--- a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java
+++ b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java
@@ -27,6 +27,7 @@ import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.support.GenericMessage;
+import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.ExpressionUtils;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
@@ -39,6 +40,8 @@ import org.springframework.security.core.authority.AuthorityUtils;
 public class DefaultMessageSecurityExpressionHandlerTests {
 @Mock
 AuthenticationTrustResolver trustResolver;
+ @Mock
+ PermissionEvaluator permissionEvaluator;
 DefaultMessageSecurityExpressionHandler handler;
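Review bot: The new `public final Message message` field in MessageSecurityExpressionRoot carries no comment explaining why it is public, and the class alone does not make the reason obvious. Judging by the test expression `hasPermission(message, 'read')`, the field is presumably what lets an expression resolve `message` against the root object, so a later cleanup that narrows its visibility would break such expressions at evaluation time. I would add `/** The message being authorized; public so that expressions can refer to it as {@code message}. */` directly above the field.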
@@ -89,4 +92,14 @@ public class DefaultMessageSecurityExpressionHandlerTests {
 assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue();
 }
+
+ @Test
+ public void permissionEvaluator() {
+ handler.setPermissionEvaluator(permissionEvaluator);
+ EvaluationContext context = handler.createEvaluationContext(authentication, message);
+ Expression expression = handler.getExpressionParser().parseExpression("hasPermission(message, 'read')");
+ when(permissionEvaluator.hasPermission(authentication, message, "read")).thenReturn(true);
+
+ assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue();
+ }
 }
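Review bot: The new `permissionEvaluator()` test covers only the grant path, so nothing pins that a denial from the configured PermissionEvaluator makes the expression evaluate to false. For an authorization check the deny case is the one where a regression does the most damage, and it is cheap to cover. I would add a sibling test that is identical except for stubbing `when(permissionEvaluator.hasPermission(authentication, message, "read")).thenReturn(false);` and asserting `assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isFalse();`.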