root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch '6.3.x' into 6.4.x 

Closes gh-16837
This commit is contained in:
Josh Cummings 2025-03-27 16:27:14 -06:00
parent 1f3dd53bdf 456604ab45
commit 6c5b6d1c51
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
3 changed files with 59 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -56,6 +56,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Role;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.annotation.AnnotationConfigurationException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
@ -1103,6 +1104,21 @@ public class PrePostMethodSecurityConfigurationTests {
verifyNoInteractions(handler);
}
// gh-16819
@Test
void autowireWhenDefaultsThenAdvisorAnnotationsAreSorted() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
AuthorizationAdvisorProxyFactory proxyFactory = this.spring.getContext()
.getBean(AuthorizationAdvisorProxyFactory.class);
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
}

21
core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -47,6 +47,7 @@ import org.springframework.aop.Advisor;
import org.springframework.aop.Pointcut;
import org.springframework.aop.framework.AopInfrastructureBean;
import org.springframework.aop.framework.ProxyFactory;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthorizationProxyFactory;
@ -79,8 +80,8 @@ import org.springframework.util.ClassUtils;
* @author Josh Cummings
* @since 6.3
*/
public final class AuthorizationAdvisorProxyFactory
implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor>, AopInfrastructureBean {
public final class AuthorizationAdvisorProxyFactory implements AuthorizationProxyFactory,
Iterable<AuthorizationAdvisor>, AopInfrastructureBean, SmartInitializingSingleton {
private static final boolean isReactivePresent = ClassUtils.isPresent("reactor.core.publisher.Mono", null);
@ -125,6 +126,7 @@ public final class AuthorizationAdvisorProxyFactory
advisors.add(new PostFilterAuthorizationMethodInterceptor());
AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory(advisors);
proxyFactory.addAdvisor(new AuthorizeReturnObjectMethodInterceptor(proxyFactory));
AnnotationAwareOrderComparator.sort(proxyFactory.advisors);
return proxyFactory;
}
@ -142,9 +144,15 @@ public final class AuthorizationAdvisorProxyFactory
advisors.add(new PostFilterAuthorizationReactiveMethodInterceptor());
AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory(advisors);
proxyFactory.addAdvisor(new AuthorizeReturnObjectMethodInterceptor(proxyFactory));
AnnotationAwareOrderComparator.sort(proxyFactory.advisors);
return proxyFactory;
}
@Override
public void afterSingletonsInstantiated() {
AnnotationAwareOrderComparator.sort(this.advisors);
}
/**
* Proxy an object to enforce authorization advice.
*
@ -165,7 +173,6 @@ public final class AuthorizationAdvisorProxyFactory
*/
@Override
public Object proxy(Object target) {
AnnotationAwareOrderComparator.sort(this.advisors);
if (target == null) {
return null;
}
@ -178,9 +185,9 @@ public final class AuthorizationAdvisorProxyFactory
}
ProxyFactory factory = new ProxyFactory(target);
factory.addAdvisors(this.authorizationProxy);
for (Advisor advisor : this.advisors) {
factory.addAdvisors(advisor);
}
List<Advisor> advisors = new ArrayList<>(this.advisors);
AnnotationAwareOrderComparator.sort(advisors);
factory.addAdvisors(advisors);
factory.addInterface(AuthorizationProxy.class);
factory.setOpaque(true);
factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));

29
core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -40,6 +40,7 @@ import org.jetbrains.annotations.NotNull;
import org.junit.jupiter.api.Test;
import org.springframework.aop.Pointcut;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestAuthentication;
@ -360,6 +361,32 @@ public class AuthorizationAdvisorProxyFactoryTests {
assertThat(target).isSameAs(this.flight);
}
// gh-16819
@Test
void advisorsWhenWithDefaultsThenAreSorted() {
AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
// gh-16819
@Test
void advisorsWhenWithReactiveDefaultsThenAreSorted() {
AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withReactiveDefaults();
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
private Authentication authenticated(String user, String... authorities) {
return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
}