From a3d112979f285659b98d853eb8163ae82bed7bd2 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Fri, 20 Sep 2013 15:53:58 -0500
Subject: [PATCH] SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver
---
 .../GlobalMethodSecurityConfiguration.java | 6 +-
 ...balMethodSecurityConfigurationTests.groovy | 61 ++++++++++++++++++-
 ...ethodSecurityExpressionHandlerTests.groovy | 2 +-
 ...mpleEnableGlobalMethodSecurityTests.groovy | 2 +-
 4 files changed, 65 insertions(+), 6 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
index cbfbed4fb6..fbb7cecd28 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
@@ -64,6 +64,7 @@ import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.config.PostProcessedMockUserDetailsService;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.util.Assert;
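Review bot: The added `import org.springframework.security.config.PostProcessedMockUserDetailsService;` is not used by any line this patch shows for GlobalMethodSecurityConfiguration.java, and the name reads like a test fixture. If that class lives under the test source tree, the main module would not compile on its own; otherwise it is an unused import in a security configuration class. I would drop the line from this hunk unless a use exists outside the hunks shown.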
@@ -206,7 +207,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
 *
 * @return
 */
- protected MethodSecurityExpressionHandler expressionHandler() {
+ protected MethodSecurityExpressionHandler createExpressionHandler() {
 return defaultMethodExpressionHandler;
 }
@@ -217,7 +218,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
 */
 protected final MethodSecurityExpressionHandler getExpressionHandler() {
 if(expressionHandler == null) {
- expressionHandler = expressionHandler();
+ expressionHandler = createExpressionHandler();
 }
 return expressionHandler;
 }
@@ -358,6 +359,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
 @Autowired(required=false)
 public void setObjectPostProcessor(ObjectPostProcessor objectPostProcessor) {
 this.objectPostProcessor = objectPostProcessor;
+ this.defaultMethodExpressionHandler = objectPostProcessor.postProcess(defaultMethodExpressionHandler);
 }
 @SuppressWarnings("unchecked")
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
index d1a9d6f4bd..96c063bf68 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.groovy
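Review bot: In the `setObjectPostProcessor` hunk only the `defaultMethodExpressionHandler` field is passed through `objectPostProcessor.postProcess(...)`; a handler returned by a subclass override of `createExpressionHandler()` is handed out by `getExpressionHandler()` as-is, so presumably bean references in `@PreAuthorize` expressions would still not resolve for custom handlers. The post-processing also relies on this optional setter (`@Autowired(required=false)`) running before `getExpressionHandler()` caches its result, which the visible lines do not guarantee. I would state both on `createExpressionHandler()`, whose Javadoc `@return` is currently empty, for example `@return the handler to use; overrides are not post-processed and must configure bean resolution themselves`. Because `expressionHandler()` is renamed rather than deprecated, a subclass that still overrides the old name without `@Override` compiles and silently falls back to the default handler, which deserves a migration note.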
@@ -23,18 +23,21 @@ import org.springframework.context.ApplicationContext
 import org.springframework.context.ApplicationListener
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.security.access.AccessDecisionManager
-import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler
+import org.springframework.security.access.AccessDeniedException
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.authentication.AuthenticationTrustResolver
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher
+import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent
+import org.springframework.security.config.MockAfterInvocationProvider;
 import org.springframework.security.config.annotation.BaseSpringSpec
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.authority.AuthorityUtils
+import org.springframework.security.core.context.SecurityContextHolder
 /**
 *
@@ -109,4 +112,58 @@ public class GlobalMethodSecurityConfigurationTests extends BaseSpringSpec {
 return TR
 }
 }
+
+ def "SEC-2301: DefaultWebSecurityExpressionHandler has BeanResolver set"() {
+ setup:
+ SecurityContextHolder.getContext().setAuthentication(
+ new TestingAuthenticationToken("user", "password","ROLE_USER"))
+ loadConfig(ExpressionHandlerHasBeanResolverSetConfig)
+ def service = context.getBean(ServiceImpl)
+ when: "service with bean reference on PreAuthorize invoked"
+ service.message()
+ then: "properly throws AccessDeniedException"
+ thrown(AccessDeniedException)
+ when: "service with bean reference on PreAuthorize invoked"
+ context.getBean(CustomAuthzService).grantAccess = true
+ service.message()
+ then: "grants access too"
+ noExceptionThrown()
+ }
+
+ @Configuration
+ @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
+ static class ExpressionHandlerHasBeanResolverSetConfig extends GlobalMethodSecurityConfiguration {
+
+ @Override
+ protected void registerAuthentication(AuthenticationManagerBuilder auth)
+ throws Exception {
+ auth
+ .inMemoryAuthentication()
+ }
+
+ @Bean
+ public ServiceImpl service() {
+ return new ServiceImpl()
+ }
+
+ @Bean
+ public CustomAuthzService authz() {
+ return new CustomAuthzService()
+ }
+ }
+
+ static class ServiceImpl {
+ @PreAuthorize("@authz.authorize()")
+ public String message() {
+ null
+ }
+ }
+
+ static class CustomAuthzService {
+ boolean grantAccess
+
+ public boolean authorize() {
+ grantAccess
+ }
+ }
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy
index b601673c25..e72f9c1991 100644
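Review bot: The new feature method sets a `TestingAuthenticationToken` on `SecurityContextHolder` in `setup:` and never clears it in the lines shown, so the authenticated `ROLE_USER` context may leak into later specs on the same thread unless `BaseSpringSpec` (not visible here) resets it. Adding `cleanup: SecurityContextHolder.clearContext()` at the end of the method would make it self-contained. The feature name mentions `DefaultWebSecurityExpressionHandler`, while the configuration under test deals with `MethodSecurityExpressionHandler`; naming the method-security handler would make a failure easier to trace. The second `when:` label repeats the first, and something like `when: "the authz bean grants access"` would tell the two cases apart.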
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityExpressionHandlerTests.groovy
@@ -77,7 +77,7 @@ public class NamespaceGlobalMethodSecurityExpressionHandlerTests extends BaseSpr
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public static class CustomAccessDecisionManagerConfig extends GlobalMethodSecurityConfiguration {
 @Override
- protected MethodSecurityExpressionHandler expressionHandler() {
+ protected MethodSecurityExpressionHandler createExpressionHandler() {
 DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler()
 expressionHandler.permissionEvaluator = new PermissionEvaluator() {
 boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy
index 49e0025c14..a6d32879f0 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/SampleEnableGlobalMethodSecurityTests.groovy
@@ -97,7 +97,7 @@ public class SampleEnableGlobalMethodSecurityTests extends BaseSpringSpec {
 }
 @Override
- protected MethodSecurityExpressionHandler expressionHandler() {
+ protected MethodSecurityExpressionHandler createExpressionHandler() {
 DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 expressionHandler.setPermissionEvaluator(new CustomPermissionEvaluator());
 return expressionHandler;