root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 36 Packages Projects Releases Wiki Activity

Merge 3de359c580 into 725745defd

This commit is contained in:
Tran Ngoc Nhan 2025-07-02 13:49:04 +09:00 committed by GitHub
parent 725745defd 3de359c580
commit baeb494ad1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
81 changed files with 426 additions and 872 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -36,19 +36,6 @@ class PointcutDelegatingAuthorizationManager implements AuthorizationManager<Met
this.managers = managers;
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please either call authorize or ensure that the returned result is of type AuthorizationDecision");
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
for (Map.Entry<Pointcut, AuthorizationManager<MethodInvocation>> entry : this.managers.entrySet()) {

5
config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,6 +53,7 @@ import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
@ -463,7 +464,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication,
public AuthorizationResult authorize(Supplier<Authentication> authentication,
MessageAuthorizationContext<?> object) {
EvaluationContext context = this.expressionHandler.createEvaluationContext(authentication, object);
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, context);

4
config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
View File

@ -93,7 +93,6 @@ import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.authorization.method.AuthorizationAdvisor;
@ -143,7 +142,6 @@ import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.clearInvocations;
import static org.mockito.Mockito.doCallRealMethod;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
@ -1555,8 +1553,6 @@ public class PrePostMethodSecurityConfigurationTests {
@Bean
AuthorizationEventPublisher authorizationEventPublisher() {
doCallRealMethod().when(this.publisher)
.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
return this.publisher;
}

12
config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
View File

@ -44,7 +44,6 @@ import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationObservationContext;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.config.ObjectPostProcessor;
@ -85,10 +84,8 @@ import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.doCallRealMethod;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
@ -154,20 +151,17 @@ public class AuthorizeHttpRequestsConfigurerTests {
@Test
public void configureMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class);
given(CustomAuthorizationManagerConfig.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.spring.register(CustomAuthorizationManagerConfig.class, BasicController.class).autowire();
this.mvc.perform(get("/")).andExpect(status().isOk());
verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any());
verify(CustomAuthorizationManagerConfig.authorizationManager).authorize(any(), any());
}
@Test
public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class);
given(CustomAuthorizationManagerNoParameterConfig.authorizationManager.authorize(any(), any()))
.willCallRealMethod();
this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire();
this.mvc.perform(get("/")).andExpect(status().isOk());
verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any());
verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).authorize(any(), any());
}
@Test
@ -1278,8 +1272,6 @@ public class AuthorizeHttpRequestsConfigurerTests {
@Bean
AuthorizationEventPublisher authorizationEventPublisher() {
doCallRealMethod().when(this.publisher)
.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
return this.publisher;
}

5
config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -124,8 +124,7 @@ public class DefaultFilterChainValidatorTests {
@Test
public void validateCheckLoginPageAllowsAnonymous() {
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
this.validator.validate(this.chainAuthorizationFilter);
verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. "
+ "This is almost certainly an error. Please check your configuration allows unauthenticated "

7
config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -90,14 +90,13 @@ public class HttpConfigTests {
this.spring.configLocations(this.xml("AuthorizationManager")).autowire();
AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
.getBean(AuthorizationManager.class);
given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(authorizationManager.authorize(any(), any())).willCallRealMethod();
given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
// @formatter:off
this.mvc.perform(get("/"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("http://localhost/login"));
// @formatter:on
verify(authorizationManager).check(any(), any());
verify(authorizationManager).authorize(any(), any());
}
@Test

7
config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -168,10 +168,9 @@ public class InterceptMethodsBeanDefinitionDecoratorTests implements Application
@Test
public void targetCustomAuthorizationManagerUsed() {
given(this.mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
given(this.mockAuthorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));
this.targetCustomAuthorizationManager.doSomething();
verify(this.mockAuthorizationManager).check(any(), any());
verify(this.mockAuthorizationManager).authorize(any(), any());
}
@Override

5
config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -39,6 +39,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.config.annotation.method.configuration.MethodSecurityService;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
@ -463,7 +464,7 @@ public class MethodSecurityBeanDefinitionParserTests {
static class MyAuthorizationManager implements AuthorizationManager<MethodInvocation> {
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
return new AuthorizationDecision("bob".equals(authentication.get().getName()));
}

7
config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -513,12 +513,11 @@ public class WebSocketMessageBrokerConfigTests {
this.spring.configLocations(xml("CustomAuthorizationManagerConfig")).autowire();
AuthorizationManager<Message<?>> authorizationManager = this.spring.getContext()
.getBean(AuthorizationManager.class);
given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(authorizationManager.authorize(any(), any())).willCallRealMethod();
given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
Message<?> message = message("/any");
assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
.withCauseInstanceOf(AccessDeniedException.class);
verify(authorizationManager).check(any(), any());
verify(authorizationManager).authorize(any(), any());
}
private String xml(String configName) {

4
core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -111,7 +111,7 @@ public final class AuthenticatedAuthorizationManager<T> implements Authorization
* @return an {@link AuthorizationDecision}
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
boolean granted = this.authorizationStrategy.isGranted(authentication.get());
return new AuthorizationDecision(granted);
}

6
core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -39,13 +39,13 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
return authentication.filter(this::isNotAnonymous)
.map(this::getAuthorizationDecision)
.defaultIfEmpty(new AuthorizationDecision(false));
}
private AuthorizationDecision getAuthorizationDecision(Authentication authentication) {
private AuthorizationResult getAuthorizationDecision(Authentication authentication) {
return new AuthorizationDecision(authentication.isAuthenticated());
}

5
core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -55,8 +55,7 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag
* @return an {@link AuthorityAuthorizationDecision}
*/
@Override
public AuthorityAuthorizationDecision check(Supplier<Authentication> authentication,
Collection<String> authorities) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, Collection<String> authorities) {
boolean granted = isGranted(authentication.get(), authorities);
return new AuthorityAuthorizationDecision(granted, AuthorityUtils.createAuthorityList(authorities));
}

14
core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -134,17 +134,11 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
}
/**
* Determines if the current user is authorized by evaluating if the
* {@link Authentication} contains a specified authority.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check
* @return an {@link AuthorizationDecision}
* @deprecated please use {@link #authorize(Supplier, Object)} instead
* {@inheritDoc}
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
return this.delegate.check(authentication, this.authorities);
public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
return this.delegate.authorize(authentication, this.authorities);
}
@Override

6
core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -43,13 +43,13 @@ public class AuthorityReactiveAuthorizationManager<T> implements ReactiveAuthori
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
// @formatter:off
return authentication.filter(Authentication::isAuthenticated)
.flatMapIterable(Authentication::getAuthorities)
.map(GrantedAuthority::getAuthority)
.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> authority.getAuthority().equals(grantedAuthority)))
.map((granted) -> ((AuthorizationDecision) new AuthorityAuthorizationDecision(granted, this.authorities)))
.map((granted) -> ((AuthorizationResult) new AuthorityAuthorizationDecision(granted, this.authorities)))
.defaultIfEmpty(new AuthorityAuthorizationDecision(false, this.authorities));
// @formatter:on
}

32
core/src/main/java/org/springframework/security/authorization/AuthorizationEventPublisher.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -33,23 +33,6 @@ import org.springframework.security.core.Authentication;
@FunctionalInterface
public interface AuthorizationEventPublisher {
/**
* Publish the given details in the form of an event, typically
* {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
*
* Note that success events can be very noisy if enabled by default. Because of this
* implementations may choose to drop success events by default.
* @param authentication a {@link Supplier} for the current user
* @param object the secured object
* @param decision the decision about whether the user may access the secured object
* @param <T> the secured object's type
* @deprecated use
* {@link #publishAuthorizationEvent(Supplier, Object, AuthorizationResult)} instead
*/
@Deprecated
<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision);
/**
* Publish the given details in the form of an event, typically
* {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
@ -63,17 +46,6 @@ public interface AuthorizationEventPublisher {
* @param <T> the secured object's type
* @since 6.4
*/
default <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) {
if (result == null) {
publishAuthorizationEvent(authentication, object, null);
return;
}
if (result instanceof AuthorizationDecision decision) {
publishAuthorizationEvent(authentication, object, decision);
return;
}
throw new UnsupportedOperationException("result must be of type AuthorizationDecision");
}
<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object, AuthorizationResult result);
}

15
core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
View File

@ -45,17 +45,6 @@ public interface AuthorizationManager<T> {
}
}
/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check
* @return an {@link AuthorizationDecision} or null if no decision could be made
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
@Nullable
@Deprecated
AuthorizationDecision check(Supplier<Authentication> authentication, T object);
/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to
@ -65,8 +54,6 @@ public interface AuthorizationManager<T> {
* @since 6.4
*/
@Nullable
default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
return check(authentication, object);
}
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
}

14
core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -182,18 +182,6 @@ public final class AuthorizationManagers {
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
@Override
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"please call #authorize or ensure that the result is of type AuthorizationDecision");
}
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
}

29
core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -68,33 +68,6 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
return this.object;
}
/**
* Get the observed {@link AuthorizationDecision}
* @return the observed {@link AuthorizationDecision}
* @deprecated please use {@link #getAuthorizationResult()} instead
*/
@Deprecated
public AuthorizationDecision getDecision() {
if (this.authorizationResult == null) {
return null;
}
if (this.authorizationResult instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
}
/**
* Set the observed {@link AuthorizationDecision}
* @param decision the observed {@link AuthorizationDecision}
* @deprecated please use {@link #setAuthorizationResult(AuthorizationResult)} instead
*/
@Deprecated
public void setDecision(AuthorizationDecision decision) {
this.authorizationResult = decision;
}
/**
* Get the observed {@link AuthorizationResult}
* @return the observed {@link AuthorizationResult}

17
core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
View File

@ -61,23 +61,6 @@ public final class ObservationAuthorizationManager<T>
}
}
/**
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);

15
core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java
View File

@ -56,21 +56,6 @@ public final class ObservationReactiveAuthorizationManager<T>
}
}
/**
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
return authorize(authentication, object).flatMap((result) -> {
if (result instanceof AuthorizationDecision decision) {
return Mono.just(decision);
}
return Mono.error(new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type Mono<AuthorizationDecision>"));
});
}
@Override
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);

14
core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java
View File

@ -31,16 +31,6 @@ import org.springframework.security.core.Authentication;
*/
public interface ReactiveAuthorizationManager<T> {
/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the Authentication to check
* @param object the object to check
* @return an decision or empty Mono if no decision could be made.
* @deprecated please use {@link #authorize(Mono, Object)} instead
*/
@Deprecated
Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object);
/**
* Determines if access should be granted for a specific authentication and object
* @param authentication the Authentication to check
@ -64,8 +54,6 @@ public interface ReactiveAuthorizationManager<T> {
* @return an decision or empty Mono if no decision could be made.
* @since 6.4
*/
default Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
return check(authentication, object).cast(AuthorizationResult.class);
}
Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object);
}

7
core/src/main/java/org/springframework/security/authorization/SingleResultAuthorizationManager.java
View File

@ -44,15 +44,10 @@ public final class SingleResultAuthorizationManager<C> implements AuthorizationM
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, C object) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, C object) {
if (!(this.result instanceof AuthorizationDecision)) {
throw new IllegalArgumentException("result should be AuthorizationDecision");
}
return (AuthorizationDecision) this.result;
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, C object) {
return this.result;
}

8
core/src/main/java/org/springframework/security/authorization/SpringAuthorizationEventPublisher.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,12 +52,6 @@ public final class SpringAuthorizationEventPublisher implements AuthorizationEve
/**
* {@inheritDoc}
*/
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {
publishAuthorizationEvent(authentication, object, (AuthorizationResult) decision);
}
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) {

9
core/src/main/java/org/springframework/security/authorization/event/AuthorizationDeniedEvent.java
View File

@ -21,7 +21,6 @@ import java.util.function.Supplier;
import org.springframework.context.ApplicationEvent;
import org.springframework.core.ResolvableType;
import org.springframework.core.ResolvableTypeProvider;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
@ -35,14 +34,6 @@ import org.springframework.security.core.Authentication;
@SuppressWarnings("serial")
public class AuthorizationDeniedEvent<T> extends AuthorizationEvent implements ResolvableTypeProvider {
/**
* @deprecated Please use an {@link AuthorizationResult} constructor instead
*/
@Deprecated
public AuthorizationDeniedEvent(Supplier<Authentication> authentication, T object, AuthorizationDecision decision) {
super(authentication, object, decision);
}
/**
* @since 6.4
*/

17
core/src/main/java/org/springframework/security/authorization/event/AuthorizationEvent.java
View File

@ -84,23 +84,6 @@ public class AuthorizationEvent extends ApplicationEvent {
return getSource();
}
/**
* Get the response to the principal's request
* @return the response to the principal's request
* @deprecated please use {@link #getAuthorizationResult()}
*/
@Deprecated
public AuthorizationDecision getAuthorizationDecision() {
if (this.result == null) {
return null;
}
if (this.result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please either call getAuthorizationResult or ensure that the result is of type AuthorizationDecision");
}
/**
* Get the response to the principal's request
* @return the response to the principal's request

11
core/src/main/java/org/springframework/security/authorization/event/AuthorizationGrantedEvent.java
View File

@ -22,7 +22,6 @@ import java.util.function.Supplier;
import org.springframework.context.ApplicationEvent;
import org.springframework.core.ResolvableType;
import org.springframework.core.ResolvableTypeProvider;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
@ -38,16 +37,6 @@ public class AuthorizationGrantedEvent<T> extends AuthorizationEvent implements
@Serial
private static final long serialVersionUID = -8690818228055810339L;
/**
* @deprecated please use a constructor that takes an
* {@link org.springframework.security.authorization.AuthorizationResult}
*/
@Deprecated
public AuthorizationGrantedEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {
super(authentication, object, decision);
}
/**
* @since 6.4
*/

50
core/src/main/java/org/springframework/security/authorization/method/ExpressionAttributeAuthorizationDecision.java
View File

@ -1,50 +0,0 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authorization.method;
import org.springframework.security.authorization.AuthorizationDecision;
/**
* Represents an {@link AuthorizationDecision} based on a {@link ExpressionAttribute}
*
* @author Marcus Da Coregio
* @since 5.6
* @deprecated Use
* {@link org.springframework.security.authorization.ExpressionAuthorizationDecision}
* instead
*/
@Deprecated
public class ExpressionAttributeAuthorizationDecision extends AuthorizationDecision {
private final ExpressionAttribute expressionAttribute;
public ExpressionAttributeAuthorizationDecision(boolean granted, ExpressionAttribute expressionAttribute) {
super(granted);
this.expressionAttribute = expressionAttribute;
}
public ExpressionAttribute getExpressionAttribute() {
return this.expressionAttribute;
}
@Override
public String toString() {
return getClass().getSimpleName() + " [" + "granted=" + isGranted() + ", expressionAttribute="
+ this.expressionAttribute + ']';
}
}

27
core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
View File

@ -31,7 +31,6 @@ import org.aopalliance.intercept.MethodInvocation;
import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.SingleResultAuthorizationManager;
@ -81,20 +80,12 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
}
/**
* Determine if an {@link Authentication} has access to a method by evaluating the
* {@link DenyAll}, {@link PermitAll}, and {@link RolesAllowed} annotations that
* {@link MethodInvocation} specifies.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param methodInvocation the {@link MethodInvocation} to check
* @return an {@link AuthorizationDecision} or null if the JSR-250 security
* annotations is not present
* @deprecated please use {@link #authorize(Supplier, Object)} instead
* {@inheritDoc}
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation methodInvocation) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation methodInvocation) {
AuthorizationManager<MethodInvocation> delegate = this.registry.getManager(methodInvocation);
return delegate.check(authentication, methodInvocation);
return delegate.authorize(authentication, methodInvocation);
}
private final class Jsr250AuthorizationManagerRegistry extends AbstractAuthorizationManagerRegistry {
@ -138,18 +129,6 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
@Override
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
AuthorizationResult result = authorize(authentication, object);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"please call #authorize or ensure that the result is of type AuthorizationDecision");
}
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
}

6
core/src/main/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -25,8 +25,8 @@ import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
@ -73,7 +73,7 @@ public final class MethodExpressionAuthorizationManager implements Authorization
* expression
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation context) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation context) {
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context);
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
return new ExpressionAuthorizationDecision(granted, this.expression);

8
core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -18,7 +18,6 @@ package org.springframework.security.authorization.method;
import java.util.function.Supplier;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
@ -31,11 +30,6 @@ import org.springframework.security.core.Authentication;
*/
final class NoOpAuthorizationEventPublisher implements AuthorizationEventPublisher {
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {
}
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) {

6
core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -100,7 +100,7 @@ public final class PostAuthorizeAuthorizationManager
* {@link PostAuthorize} annotation is not present
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult mi) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocationResult mi) {
ExpressionAttribute attribute = this.registry.getAttribute(mi.getMethodInvocation());
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) {
return null;
@ -108,7 +108,7 @@ public final class PostAuthorizeAuthorizationManager
MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();
EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi.getMethodInvocation());
expressionHandler.setReturnObject(mi.getResult(), ctx);
return (AuthorizationDecision) ExpressionUtils.evaluate(attribute.getExpression(), ctx);
return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
}
@Override

6
core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeReactiveAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -93,7 +93,7 @@ public final class PostAuthorizeReactiveAuthorizationManager
* {@link PostAuthorize} annotation is not present
*/
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, MethodInvocationResult result) {
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, MethodInvocationResult result) {
MethodInvocation mi = result.getMethodInvocation();
ExpressionAttribute attribute = this.registry.getAttribute(mi);
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) {
@ -106,7 +106,7 @@ public final class PostAuthorizeReactiveAuthorizationManager
.map((auth) -> expressionHandler.createEvaluationContext(auth, mi))
.doOnNext((ctx) -> expressionHandler.setReturnObject(result.getResult(), ctx))
.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx))
.cast(AuthorizationDecision.class);
.cast(AuthorizationResult.class);
// @formatter:on
}

6
core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -92,13 +92,13 @@ public final class PreAuthorizeAuthorizationManager
* {@link PreAuthorize} annotation is not present
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation mi) {
ExpressionAttribute attribute = this.registry.getAttribute(mi);
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) {
return null;
}
EvaluationContext ctx = this.registry.getExpressionHandler().createEvaluationContext(authentication, mi);
return (AuthorizationDecision) ExpressionUtils.evaluate(attribute.getExpression(), ctx);
return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
}
@Override

11
core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeReactiveAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -23,7 +23,6 @@ import org.springframework.context.ApplicationContext;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
@ -88,11 +87,11 @@ public final class PreAuthorizeReactiveAuthorizationManager
* by evaluating an expression from the {@link PreAuthorize} annotation.
* @param authentication the {@link Mono} of the {@link Authentication} to check
* @param mi the {@link MethodInvocation} to check
* @return a {@link Mono} of the {@link AuthorizationDecision} or an empty
* {@link Mono} if the {@link PreAuthorize} annotation is not present
* @return a {@link Mono} of the {@link AuthorizationResult} or an empty {@link Mono}
* if the {@link PreAuthorize} annotation is not present
*/
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, MethodInvocation mi) {
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, MethodInvocation mi) {
ExpressionAttribute attribute = this.registry.getAttribute(mi);
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) {
return Mono.empty();
@ -101,7 +100,7 @@ public final class PreAuthorizeReactiveAuthorizationManager
return authentication
.map((auth) -> this.registry.getExpressionHandler().createEvaluationContext(auth, mi))
.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx))
.cast(AuthorizationDecision.class);
.cast(AuthorizationResult.class);
// @formatter:on
}

19
core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -29,8 +29,8 @@ import org.aopalliance.intercept.MethodInvocation;
import org.springframework.core.MethodClassKey;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.security.core.annotation.SecurityAnnotationScanners;
@ -66,20 +66,11 @@ public final class SecuredAuthorizationManager implements AuthorizationManager<M
this.authoritiesAuthorizationManager = authoritiesAuthorizationManager;
}
/**
* Determine if an {@link Authentication} has access to a method by evaluating the
* {@link Secured} annotation that {@link MethodInvocation} specifies.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param mi the {@link MethodInvocation} to check
* @return an {@link AuthorizationDecision} or null if the {@link Secured} annotation
* is not present
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation mi) {
Set<String> authorities = getAuthorities(mi);
return authorities.isEmpty() ? null : this.authoritiesAuthorizationManager.check(authentication, authorities);
return authorities.isEmpty() ? null
: this.authoritiesAuthorizationManager.authorize(authentication, authorities);
}
private Set<String> getAuthorities(MethodInvocation methodInvocation) {

28
core/src/test/java/org/springframework/security/authorization/AuthenticatedAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -43,7 +43,7 @@ public class AuthenticatedAuthorizationManagerTests {
"ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -52,7 +52,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> null;
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -62,7 +62,7 @@ public class AuthenticatedAuthorizationManagerTests {
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -73,7 +73,7 @@ public class AuthenticatedAuthorizationManagerTests {
authentication.setAuthenticated(false);
Object object = new Object();
assertThat(manager.check(() -> authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(() -> authentication, object).isGranted()).isFalse();
}
@Test
@ -82,7 +82,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new RememberMeAuthenticationToken("user", "password",
Collections.emptyList());
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -91,7 +91,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN",
"ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -99,7 +99,7 @@ public class AuthenticatedAuthorizationManagerTests {
AuthenticatedAuthorizationManager<Object> manager = AuthenticatedAuthorizationManager.fullyAuthenticated();
Supplier<Authentication> authentication = () -> null;
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -108,7 +108,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new RememberMeAuthenticationToken("user", "password",
Collections.emptyList());
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -117,7 +117,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new AnonymousAuthenticationToken("key", "principal",
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -126,7 +126,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new AnonymousAuthenticationToken("key", "principal",
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -135,7 +135,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN",
"ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -144,7 +144,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new RememberMeAuthenticationToken("user", "password",
Collections.emptyList());
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -153,7 +153,7 @@ public class AuthenticatedAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN",
"ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
}

12
core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -46,32 +46,32 @@ public class AuthenticatedReactiveAuthorizationManagerTests {
@Test
public void checkWhenAuthenticatedThenReturnTrue() {
given(this.authentication.isAuthenticated()).willReturn(true);
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@Test
public void checkWhenNotAuthenticatedThenReturnFalse() {
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenEmptyThenReturnFalse() {
boolean granted = this.manager.check(Mono.empty(), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.empty(), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenAnonymousAuthenticatedThenReturnFalse() {
AnonymousAuthenticationToken anonymousAuthenticationToken = mock(AnonymousAuthenticationToken.class);
boolean granted = this.manager.check(Mono.just(anonymousAuthenticationToken), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(anonymousAuthenticationToken), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenErrorThenError() {
Mono<AuthorizationDecision> result = this.manager.check(Mono.error(new RuntimeException("ooops")), null);
Mono<AuthorizationResult> result = this.manager.authorize(Mono.error(new RuntimeException("ooops")), null);
// @formatter:off
StepVerifier.create(result)
.expectError()

8
core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -63,14 +63,14 @@ class AuthoritiesAuthorizationManagerTests {
void checkWhenUserHasAnyAuthorityThenGrantedDecision() {
AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "USER");
assertThat(manager.check(authentication, Arrays.asList("ADMIN", "USER")).isGranted()).isTrue();
assertThat(manager.authorize(authentication, Arrays.asList("ADMIN", "USER")).isGranted()).isTrue();
}
@Test
void checkWhenUserHasNotAnyAuthorityThenDeniedDecision() {
AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ANONYMOUS");
assertThat(manager.check(authentication, Arrays.asList("ADMIN", "USER")).isGranted()).isFalse();
assertThat(manager.authorize(authentication, Arrays.asList("ADMIN", "USER")).isGranted()).isFalse();
}
@Test
@ -81,7 +81,7 @@ class AuthoritiesAuthorizationManagerTests {
manager.setRoleHierarchy(roleHierarchy);
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
assertThat(manager.check(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
assertThat(manager.authorize(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
}
}

26
core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -123,7 +123,7 @@ public class AuthorityAuthorizationManagerTests {
"ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -133,7 +133,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -144,7 +144,7 @@ public class AuthorityAuthorizationManagerTests {
"USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -154,7 +154,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -166,7 +166,7 @@ public class AuthorityAuthorizationManagerTests {
Collections.singletonList(customGrantedAuthority));
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -178,7 +178,7 @@ public class AuthorityAuthorizationManagerTests {
Collections.singletonList(customGrantedAuthority));
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -188,7 +188,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -199,7 +199,7 @@ public class AuthorityAuthorizationManagerTests {
"ROLE_ANONYMOUS");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -210,7 +210,7 @@ public class AuthorityAuthorizationManagerTests {
"CUSTOM_USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -220,7 +220,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "USER");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
@Test
@ -230,7 +230,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ANONYMOUS");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isFalse();
assertThat(manager.authorize(authentication, object).isGranted()).isFalse();
}
@Test
@ -263,7 +263,7 @@ public class AuthorityAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
assertThat(manager.authorize(authentication, object).isGranted()).isTrue();
}
// gh-13079

26
core/src/test/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -47,19 +47,19 @@ public class AuthorityReactiveAuthorizationManagerTests {
@Test
public void checkWhenHasAuthorityAndNotAuthenticatedThenReturnFalse() {
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndEmptyThenReturnFalse() {
boolean granted = this.manager.check(Mono.empty(), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.empty(), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndErrorThenError() {
Mono<AuthorizationDecision> result = this.manager.check(Mono.error(new RuntimeException("ooops")), null);
Mono<AuthorizationResult> result = this.manager.authorize(Mono.error(new RuntimeException("ooops")), null);
// @formatter:off
StepVerifier.create(result)
.expectError()
@ -71,21 +71,21 @@ public class AuthorityReactiveAuthorizationManagerTests {
public void checkWhenHasAuthorityAndAuthenticatedAndNoAuthoritiesThenReturnFalse() {
given(this.authentication.isAuthenticated()).willReturn(true);
given(this.authentication.getAuthorities()).willReturn(Collections.emptyList());
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndAuthenticatedAndWrongAuthoritiesThenReturnFalse() {
this.authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@Test
public void checkWhenHasAuthorityAndAuthorizedThenReturnTrue() {
this.authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@ -94,7 +94,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
GrantedAuthority customGrantedAuthority = () -> "ADMIN";
this.authentication = new TestingAuthenticationToken("rob", "secret",
Collections.singletonList(customGrantedAuthority));
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@ -103,7 +103,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
GrantedAuthority customGrantedAuthority = () -> "USER";
this.authentication = new TestingAuthenticationToken("rob", "secret",
Collections.singletonList(customGrantedAuthority));
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@ -111,7 +111,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
public void checkWhenHasRoleAndAuthorizedThenReturnTrue() {
this.manager = AuthorityReactiveAuthorizationManager.hasRole("ADMIN");
this.authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@ -119,7 +119,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
public void checkWhenHasRoleAndNotAuthorizedThenReturnFalse() {
this.manager = AuthorityReactiveAuthorizationManager.hasRole("ADMIN");
this.authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}
@ -128,7 +128,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
this.manager = AuthorityReactiveAuthorizationManager.hasAnyRole("GENERAL", "USER", "TEST");
this.authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_USER", "ROLE_AUDITING",
"ROLE_ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isTrue();
}
@ -136,7 +136,7 @@ public class AuthorityReactiveAuthorizationManagerTests {
public void checkWhenHasAnyRoleAndNotAuthorizedThenReturnFalse() {
this.manager = AuthorityReactiveAuthorizationManager.hasAnyRole("GENERAL", "USER", "TEST");
this.authentication = new TestingAuthenticationToken("rob", "secret", "USER", "AUDITING", "ADMIN");
boolean granted = this.manager.check(Mono.just(this.authentication), null).block().isGranted();
boolean granted = this.manager.authorize(Mono.just(this.authentication), null).block().isGranted();
assertThat(granted).isFalse();
}

48
core/src/test/java/org/springframework/security/authorization/AuthorizationManagersTests.java
View File

@ -31,7 +31,7 @@ class AuthorizationManagersTests {
void checkAnyOfWhenOneGrantedThenGrantedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(SingleResultAuthorizationManager.permitAll(),
SingleResultAuthorizationManager.permitAll());
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -41,7 +41,7 @@ class AuthorizationManagersTests {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision,
(a, o) -> new AuthorizationDecision(false), (a, o) -> new AuthorizationDecision(true));
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -51,7 +51,7 @@ class AuthorizationManagersTests {
void checkAnyOfWhenAllNonAbstainingDeniesThenDeniedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.anyOf((a, o) -> new AuthorizationDecision(false),
(a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -59,7 +59,7 @@ class AuthorizationManagersTests {
@Test
void checkAnyOfWhenEmptyThenDeniedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.anyOf();
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -68,7 +68,7 @@ class AuthorizationManagersTests {
void checkAnyOfWithAllAbstainDefaultDecisionIsDeniedWhenEmptyThenDeniedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -77,7 +77,7 @@ class AuthorizationManagersTests {
void checkAnyOfWithAllAbstainDefaultDecisionIsGrantedWhenEmptyThenGrantedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -86,7 +86,7 @@ class AuthorizationManagersTests {
void checkAnyOfWithAllAbstainDefaultDecisionIsAbstainWhenEmptyThenAbstainDecision() {
AuthorizationDecision allAbstainDefaultDecision = null;
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNull();
}
@ -94,7 +94,7 @@ class AuthorizationManagersTests {
void checkAnyOfWhenAllAbstainDefaultDecisionIsGrantedAndAllManagersAbstainThenGrantedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -103,7 +103,7 @@ class AuthorizationManagersTests {
void checkAnyOfWhenAllAbstainDefaultDecisionIsDeniedAndAllManagersAbstainThenDeniedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -112,7 +112,7 @@ class AuthorizationManagersTests {
void checkAnyOfWhenAllAbstainDefaultDecisionIsAbstainAndAllManagersAbstainThenAbstainDecision() {
AuthorizationDecision allAbstainDefaultDecision = null;
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNull();
}
@ -120,7 +120,7 @@ class AuthorizationManagersTests {
void checkAllOfWhenAllGrantedThenGrantedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.allOf(SingleResultAuthorizationManager.permitAll(),
SingleResultAuthorizationManager.permitAll());
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -130,7 +130,7 @@ class AuthorizationManagersTests {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision,
(a, o) -> new AuthorizationDecision(true), (a, o) -> new AuthorizationDecision(true));
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -140,7 +140,7 @@ class AuthorizationManagersTests {
void checkAllOfWhenAllNonAbstainingGrantsThenGrantedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.allOf((a, o) -> new AuthorizationDecision(true),
(a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -149,7 +149,7 @@ class AuthorizationManagersTests {
void checkAllOfWhenOneDeniedThenDeniedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.allOf((a, o) -> new AuthorizationDecision(true),
(a, o) -> new AuthorizationDecision(false));
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -159,7 +159,7 @@ class AuthorizationManagersTests {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision,
SingleResultAuthorizationManager.permitAll(), SingleResultAuthorizationManager.denyAll());
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -167,7 +167,7 @@ class AuthorizationManagersTests {
@Test
void checkAllOfWhenEmptyThenGrantedDecision() {
AuthorizationManager<?> composed = AuthorizationManagers.allOf();
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -176,7 +176,7 @@ class AuthorizationManagersTests {
void checkAllOfWithAllAbstainDefaultDecisionIsDeniedWhenEmptyThenDeniedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -185,7 +185,7 @@ class AuthorizationManagersTests {
void checkAllOfWithAllAbstainDefaultDecisionIsGrantedWhenEmptyThenGrantedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -194,7 +194,7 @@ class AuthorizationManagersTests {
void checkAllOfWithAllAbstainDefaultDecisionIsAbstainWhenEmptyThenAbstainDecision() {
AuthorizationDecision allAbstainDefaultDecision = null;
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNull();
}
@ -202,7 +202,7 @@ class AuthorizationManagersTests {
void checkAllOfWhenAllAbstainDefaultDecisionIsDeniedAndAllManagersAbstainThenDeniedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(false);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -211,7 +211,7 @@ class AuthorizationManagersTests {
void checkAllOfWhenAllAbstainDefaultDecisionIsGrantedAndAllManagersAbstainThenGrantedDecision() {
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -220,21 +220,21 @@ class AuthorizationManagersTests {
void checkAllOfWhenAllAbstainDefaultDecisionIsAbstainAndAllManagersAbstainThenAbstainDecision() {
AuthorizationDecision allAbstainDefaultDecision = null;
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision, (a, o) -> null);
AuthorizationDecision decision = composed.check(null, null);
AuthorizationResult decision = composed.authorize(null, null);
assertThat(decision).isNull();
}
@Test
void checkNotWhenEmptyThenAbstainedDecision() {
AuthorizationManager<?> negated = AuthorizationManagers.not((a, o) -> null);
AuthorizationDecision decision = negated.check(null, null);
AuthorizationResult decision = negated.authorize(null, null);
assertThat(decision).isNull();
}
@Test
void checkNotWhenGrantedThenDeniedDecision() {
AuthorizationManager<?> negated = AuthorizationManagers.not((a, o) -> new AuthorizationDecision(true));
AuthorizationDecision decision = negated.check(null, null);
AuthorizationResult decision = negated.authorize(null, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}

15
core/src/test/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java
View File

@ -73,8 +73,7 @@ public class ObservationAuthorizationManagerTests {
@Test
void verifyWhenDefaultsThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willReturn(this.grant);
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(this.grant);
this.tested.verify(this.token, this.object);
ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
verify(this.handler).onStart(captor.capture());
@ -84,7 +83,7 @@ public class ObservationAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isNull();
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.grant);
assertThat(context.getAuthorizationResult()).isEqualTo(this.grant);
}
@Test
@ -92,8 +91,7 @@ public class ObservationAuthorizationManagerTests {
MessageSource source = mock(MessageSource.class);
this.tested.setMessageSource(source);
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willReturn(this.deny);
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(this.deny);
given(source.getMessage(eq("AbstractAccessDecisionManager.accessDenied"), any(), any(), any()))
.willReturn("accessDenied");
assertThatExceptionOfType(AccessDeniedException.class)
@ -108,17 +106,16 @@ public class ObservationAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isNull();
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.deny);
assertThat(context.getAuthorizationResult()).isEqualTo(this.deny);
}
@Test
void verifyWhenLooksUpAuthenticationThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willAnswer((invocation) -> {
given(this.authorizationManager.authorize(any(), any())).willAnswer((invocation) -> {
((Supplier<Authentication>) invocation.getArgument(0)).get();
return this.grant;
});
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.tested.verify(this.token, this.object);
ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
verify(this.handler).onStart(captor.capture());
@ -127,7 +124,7 @@ public class ObservationAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isEqualTo(this.token.get());
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.grant);
assertThat(context.getAuthorizationResult()).isEqualTo(this.grant);
}
@Test

15
core/src/test/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManagerTests.java
View File

@ -69,8 +69,7 @@ public class ObservationReactiveAuthorizationManagerTests {
@Test
void verifyWhenDefaultsThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willReturn(Mono.just(this.grant));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(Mono.just(this.grant));
this.tested.verify(this.token, this.object).block();
ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
verify(this.handler).onStart(captor.capture());
@ -80,14 +79,13 @@ public class ObservationReactiveAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isNull();
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.grant);
assertThat(context.getAuthorizationResult()).isEqualTo(this.grant);
}
@Test
void verifyWhenErrorsThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willReturn(Mono.just(this.deny));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(Mono.just(this.deny));
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(() -> this.tested.verify(this.token, this.object).block());
ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
@ -98,17 +96,16 @@ public class ObservationReactiveAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isNull();
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.deny);
assertThat(context.getAuthorizationResult()).isEqualTo(this.deny);
}
@Test
void verifyWhenLooksUpAuthenticationThenObserves() {
given(this.handler.supportsContext(any())).willReturn(true);
given(this.authorizationManager.check(any(), any())).willAnswer((invocation) -> {
given(this.authorizationManager.authorize(any(), any())).willAnswer((invocation) -> {
((Mono<Authentication>) invocation.getArgument(0)).block();
return Mono.just(this.grant);
});
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.tested.verify(this.token, this.object).block();
ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
verify(this.handler).onStart(captor.capture());
@ -117,7 +114,7 @@ public class ObservationReactiveAuthorizationManagerTests {
AuthorizationObservationContext<?> context = (AuthorizationObservationContext<?>) captor.getValue();
assertThat(context.getAuthentication()).isEqualTo(this.token.block());
assertThat(context.getObject()).isEqualTo(this.object);
assertThat(context.getDecision()).isEqualTo(this.grant);
assertThat(context.getAuthorizationResult()).isEqualTo(this.grant);
}
@Test

4
core/src/test/java/org/springframework/security/authorization/SingleResultAuthorizationManagerTests.java
View File

@ -43,7 +43,7 @@ public class SingleResultAuthorizationManagerTests {
void checkWhenManagerWithGrantedDecisionIsCreatedThenAuthorizes() {
this.manager = new SingleResultAuthorizationManager<>(new AuthorizationDecision(true));
AuthorizationResult result = this.manager.check(null, null);
AuthorizationResult result = this.manager.authorize(null, null);
assertThat(result.isGranted()).isTrue();
}
@ -52,7 +52,7 @@ public class SingleResultAuthorizationManagerTests {
void checkWhenManagerWithGrantedCustomAuthorizationResultIsCreatedThenFails() {
this.manager = new SingleResultAuthorizationManager<>((AuthorizationResult) () -> true);
assertThatIllegalArgumentException().isThrownBy(() -> this.manager.check(null, null));
assertThatIllegalArgumentException().isThrownBy(() -> this.manager.authorize(null, null));
}
@Test

11
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -42,7 +42,6 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.doCallRealMethod;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
@ -75,12 +74,11 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
MethodInvocationResult result = new MethodInvocationResult(mockMethodInvocation, new Object());
given(mockMethodInvocation.proceed()).willReturn(result.getResult());
AuthorizationManager<MethodInvocationResult> mockAuthorizationManager = mock(AuthorizationManager.class);
given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
Pointcut.TRUE, mockAuthorizationManager);
Object returnedObject = advice.invoke(mockMethodInvocation);
assertThat(returnedObject).isEqualTo(result.getResult());
verify(mockAuthorizationManager).check(any(Supplier.class), any(MethodInvocationResult.class));
verify(mockAuthorizationManager).authorize(any(Supplier.class), any(MethodInvocationResult.class));
}
@Test
@ -130,8 +128,6 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
Pointcut.TRUE, AuthenticatedAuthorizationManager.authenticated());
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
doCallRealMethod().when(eventPublisher)
.publishAuthorizationEvent(any(Supplier.class), any(), any(AuthorizationResult.class));
advice.setAuthorizationEventPublisher(eventPublisher);
SecurityContext securityContext = new SecurityContextImpl();
@ -152,9 +148,8 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
MethodInvocation mi = mock(MethodInvocation.class);
given(mi.proceed()).willReturn("ok");
AuthorizationManager<MethodInvocationResult> manager = mock(AuthorizationManager.class);
given(manager.check(any(), any()))
given(manager.authorize(any(), any()))
.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
given(manager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
Pointcut.TRUE, manager);
assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(mi));

50
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -70,16 +70,15 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), any()))
given(mockReactiveAuthorizationManager.authorize(any(), any()))
.willReturn(Mono.just(new AuthorizationDecision(true)));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("john");
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -89,9 +88,8 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob"));
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), any()))
given(mockReactiveAuthorizationManager.authorize(any(), any()))
.willReturn(Mono.just(new AuthorizationDecision(true)));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -99,7 +97,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
.extracting(Flux::collectList)
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class))
.containsExactly("john", "bob");
verify(mockReactiveAuthorizationManager, times(2)).check(any(), any());
verify(mockReactiveAuthorizationManager, times(2)).authorize(any(), any());
}
@Test
@ -109,9 +107,8 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), any()))
given(mockReactiveAuthorizationManager.authorize(any(), any()))
.willReturn(Mono.just(new AuthorizationDecision(false)));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -119,7 +116,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
.isThrownBy(() -> assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block))
.withMessage("Access Denied");
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -132,8 +129,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
.willAnswer(this::masking);
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -141,7 +137,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
.extracting(Flux::collectList)
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class))
.containsExactly("john-masked", "bob-masked");
verify(mockReactiveAuthorizationManager, times(2)).check(any(), any());
verify(mockReactiveAuthorizationManager, times(2)).authorize(any(), any());
}
@Test
@ -159,8 +155,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
}
return Mono.just(argument.getResult());
});
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -168,7 +163,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
.extracting(Flux::collectList)
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class))
.containsExactly("john", "bob-masked");
verify(mockReactiveAuthorizationManager, times(2)).check(any(), any());
verify(mockReactiveAuthorizationManager, times(2)).authorize(any(), any());
}
@Test
@ -180,15 +175,14 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
.willAnswer(this::masking);
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("john-masked");
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -200,15 +194,14 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
.willAnswer(this::monoMasking);
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("john-masked");
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -220,15 +213,14 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
.willReturn(null);
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo(null);
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -238,8 +230,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), any())).willReturn(Mono.empty());
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -247,7 +238,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
.isThrownBy(() -> assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block))
.withMessage("Access Denied");
verify(mockReactiveAuthorizationManager).check(any(), any());
verify(mockReactiveAuthorizationManager).authorize(any(), any());
}
@Test
@ -256,9 +247,8 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("mono")));
given(mockMethodInvocation.proceed()).willReturn(Mono.just("ok"));
ReactiveAuthorizationManager<MethodInvocationResult> manager = mock(ReactiveAuthorizationManager.class);
given(manager.check(any(), any()))
given(manager.authorize(any(), any()))
.willReturn(Mono.error(new MyAuthzDeniedException("denied", new AuthorizationDecision(false))));
given(manager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerAfterReactiveMethodInterceptor advice = new AuthorizationManagerAfterReactiveMethodInterceptor(
Pointcut.TRUE, manager);
assertThatExceptionOfType(MyAuthzDeniedException.class)

10
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -41,7 +41,6 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.doCallRealMethod;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
@ -71,11 +70,10 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
public void beforeWhenMockAuthorizationManagerThenCheck() throws Throwable {
MethodInvocation mockMethodInvocation = mock(MethodInvocation.class);
AuthorizationManager<MethodInvocation> mockAuthorizationManager = mock(AuthorizationManager.class);
given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
Pointcut.TRUE, mockAuthorizationManager);
advice.invoke(mockMethodInvocation);
verify(mockAuthorizationManager).check(any(Supplier.class), eq(mockMethodInvocation));
verify(mockAuthorizationManager).authorize(any(Supplier.class), eq(mockMethodInvocation));
}
@Test
@ -125,7 +123,6 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
Pointcut.TRUE, AuthenticatedAuthorizationManager.authenticated());
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
doCallRealMethod().when(eventPublisher).publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
advice.setAuthorizationEventPublisher(eventPublisher);
SecurityContext securityContext = new SecurityContextImpl();
@ -144,9 +141,8 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
@Test
public void invokeWhenCustomAuthorizationDeniedExceptionThenThrows() {
AuthorizationManager<MethodInvocation> manager = mock(AuthorizationManager.class);
given(manager.check(any(), any()))
given(manager.authorize(any(), any()))
.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
given(manager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
Pointcut.TRUE, manager);
assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(null));

45
core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -70,16 +70,15 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation)))
.willReturn(Mono.just(new AuthorizationDecision(true)));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("john");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -89,9 +88,8 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob"));
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation)))
.willReturn(Mono.just(new AuthorizationDecision((true))));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -99,7 +97,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
.extracting(Flux::collectList)
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class))
.containsExactly("john", "bob");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -109,9 +107,8 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation)))
.willReturn(Mono.just(new AuthorizationDecision(false)));
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -119,7 +116,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
.isThrownBy(() -> assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block))
.withMessage("Access Denied");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -129,8 +126,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
.willReturn("***");
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@ -139,7 +135,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("***");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -149,8 +145,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
.willReturn(Mono.just("***"));
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@ -159,7 +154,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block)
.isEqualTo("***");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -169,8 +164,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob"));
HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
HandlingReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
.willReturn(Mono.just("***"));
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@ -180,7 +174,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
.extracting(Flux::collectList)
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class))
.containsExactly("***");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -190,8 +184,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john"));
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -199,7 +192,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
.isThrownBy(() -> assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class))
.extracting(Mono::block))
.withMessage("Access Denied");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -209,8 +202,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob"));
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
ReactiveAuthorizationManager.class);
given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockReactiveAuthorizationManager.authorize(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, mockReactiveAuthorizationManager);
Object result = interceptor.invoke(mockMethodInvocation);
@ -218,7 +210,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
.isThrownBy(() -> assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Flux.class))
.extracting(Flux::blockFirst))
.withMessage("Access Denied");
verify(mockReactiveAuthorizationManager).check(any(), eq(mockMethodInvocation));
verify(mockReactiveAuthorizationManager).authorize(any(), eq(mockMethodInvocation));
}
@Test
@ -226,9 +218,8 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
MethodInvocation mockMethodInvocation = spy(
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("flux")));
ReactiveAuthorizationManager<MethodInvocation> manager = mock(ReactiveAuthorizationManager.class);
given(manager.check(any(), any()))
given(manager.authorize(any(), any()))
.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
given(manager.authorize(any(), any())).willCallRealMethod();
AuthorizationManagerBeforeReactiveMethodInterceptor advice = new AuthorizationManagerBeforeReactiveMethodInterceptor(
Pointcut.TRUE, manager);
assertThatExceptionOfType(MyAuthzDeniedException.class)

39
core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -31,15 +31,13 @@ import org.springframework.core.annotation.AnnotationConfigurationException;
import org.springframework.security.access.intercept.method.MockMethodInvocation;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
@ -80,16 +78,15 @@ public class Jsr250AuthorizationManagerTests {
@Test
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
given(authoritiesAuthorizationManager.authorize(any(), any())).willCallRealMethod();
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "rolesAllowedAdmin");
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision).isNull();
verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_ADMIN"));
verify(authoritiesAuthorizationManager).authorize(authentication, Set.of("ROLE_ADMIN"));
}
@Test
@ -97,7 +94,7 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomething");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNull();
}
@ -105,7 +102,7 @@ public class Jsr250AuthorizationManagerTests {
public void checkPermitAllWhenRoleUserThenGrantedDecision() throws Exception {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, "permitAll");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -114,7 +111,7 @@ public class Jsr250AuthorizationManagerTests {
public void checkDenyAllWhenRoleAdminThenDeniedDecision() throws Exception {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, "denyAll");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -124,7 +121,7 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"rolesAllowedUserOrAdmin");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -134,7 +131,7 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"rolesAllowedUserOrAdmin");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -146,7 +143,7 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"rolesAllowedUserOrAdmin");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -159,7 +156,7 @@ public class Jsr250AuthorizationManagerTests {
"multipleAnnotations");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
@Test
@ -169,7 +166,7 @@ public class Jsr250AuthorizationManagerTests {
ClassLevelIllegalAnnotations.class, "inheritedAnnotations");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
@Test
@ -178,10 +175,10 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "rolesAllowedAdmin");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
}
@ -191,7 +188,7 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "denyAll");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
}
@ -201,10 +198,10 @@ public class Jsr250AuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "rolesAllowedUser");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
}
@ -215,7 +212,7 @@ public class Jsr250AuthorizationManagerTests {
"inheritedAnnotations");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {

8
core/src/test/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -24,7 +24,7 @@ import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.annotation.BusinessService;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.util.SimpleMethodInvocation;
import static org.assertj.core.api.Assertions.assertThat;
@ -84,7 +84,7 @@ class MethodExpressionAuthorizationManagerTests {
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleAdminThenGrantedDecision() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin,
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin,
new SimpleMethodInvocation(new Object(),
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
assertThat(decision).isNotNull();
@ -94,7 +94,7 @@ class MethodExpressionAuthorizationManagerTests {
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleUserThenDeniedDecision() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser,
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser,
new SimpleMethodInvocation(new Object(),
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
assertThat(decision).isNotNull();

23
core/src/test/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -34,7 +34,6 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
@ -70,7 +69,7 @@ public class PostAuthorizeAuthorizationManagerTests {
"doSomething", new Class[] {}, new Object[] {});
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, result);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, result);
assertThat(decision).isNull();
}
@ -80,7 +79,7 @@ public class PostAuthorizeAuthorizationManagerTests {
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" });
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, result);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, result);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -91,7 +90,7 @@ public class PostAuthorizeAuthorizationManagerTests {
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, result);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, result);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -103,7 +102,7 @@ public class PostAuthorizeAuthorizationManagerTests {
"doSomethingList", new Class[] { List.class }, new Object[] { list });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, result);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, result);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -115,7 +114,7 @@ public class PostAuthorizeAuthorizationManagerTests {
"doSomethingList", new Class[] { List.class }, new Object[] { list });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, result);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, result);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -127,10 +126,10 @@ public class PostAuthorizeAuthorizationManagerTests {
ClassLevelAnnotations.class, "securedAdmin");
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, result);
AuthorizationResult decision = manager.authorize(authentication, result);
assertThat(decision.isGranted()).isFalse();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, result);
decision = manager.authorize(authentication, result);
assertThat(decision.isGranted()).isTrue();
}
@ -141,10 +140,10 @@ public class PostAuthorizeAuthorizationManagerTests {
ClassLevelAnnotations.class, "securedUser");
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, result);
AuthorizationResult decision = manager.authorize(authentication, result);
assertThat(decision.isGranted()).isTrue();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, result);
decision = manager.authorize(authentication, result);
assertThat(decision.isGranted()).isFalse();
}
@ -156,7 +155,7 @@ public class PostAuthorizeAuthorizationManagerTests {
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, result));
.isThrownBy(() -> manager.authorize(authentication, result));
}
@Test

29
core/src/test/java/org/springframework/security/authorization/method/PostAuthorizeReactiveAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -31,7 +31,7 @@ import org.springframework.security.access.expression.method.MethodSecurityExpre
import org.springframework.security.access.intercept.method.MockMethodInvocation;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
@ -65,7 +65,8 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
"doSomething", new Class[] {}, new Object[] {});
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block();
AuthorizationResult decision = manager.authorize(ReactiveAuthenticationUtils.getAuthentication(), result)
.block();
assertThat(decision).isNull();
}
@ -75,7 +76,8 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" });
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block();
AuthorizationResult decision = manager.authorize(ReactiveAuthenticationUtils.getAuthentication(), result)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -86,7 +88,8 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block();
AuthorizationResult decision = manager.authorize(ReactiveAuthenticationUtils.getAuthentication(), result)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -98,7 +101,8 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
"doSomethingList", new Class[] { List.class }, new Object[] { list });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block();
AuthorizationResult decision = manager.authorize(ReactiveAuthenticationUtils.getAuthentication(), result)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -110,7 +114,8 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
"doSomethingList", new Class[] { List.class }, new Object[] { list });
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block();
AuthorizationResult decision = manager.authorize(ReactiveAuthenticationUtils.getAuthentication(), result)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -123,11 +128,11 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
ClassLevelAnnotations.class, "securedAdmin");
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, result).block();
AuthorizationResult decision = manager.authorize(authentication, result).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN"));
decision = manager.check(authentication, result).block();
decision = manager.authorize(authentication, result).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -140,11 +145,11 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
ClassLevelAnnotations.class, "securedUser");
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, result).block();
AuthorizationResult decision = manager.authorize(authentication, result).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN"));
decision = manager.check(authentication, result).block();
decision = manager.authorize(authentication, result).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -158,7 +163,7 @@ public class PostAuthorizeReactiveAuthorizationManagerTests {
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null);
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, result));
.isThrownBy(() -> manager.authorize(authentication, result));
}
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {

23
core/src/test/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -32,7 +32,6 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
@ -67,7 +66,7 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomething", new Class[] {}, new Object[] {});
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNull();
}
@ -76,7 +75,7 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" });
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -86,7 +85,7 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" });
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -97,10 +96,10 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedAdmin");
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
}
@ -110,10 +109,10 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedUser");
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
}
@ -124,7 +123,7 @@ public class PreAuthorizeAuthorizationManagerTests {
ConflictingAnnotations.class, "inheritedAnnotations");
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
@Test
@ -132,10 +131,10 @@ public class PreAuthorizeAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestTargetClassAware(),
TestTargetClassAware.class, "doSomething");
PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
decision = manager.check(TestAuthentication::authenticatedAdmin, methodInvocation);
decision = manager.authorize(TestAuthentication::authenticatedAdmin, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}

26
core/src/test/java/org/springframework/security/authorization/method/PreAuthorizeReactiveAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -28,7 +28,7 @@ import org.springframework.security.access.expression.method.MethodSecurityExpre
import org.springframework.security.access.intercept.method.MockMethodInvocation;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
@ -61,8 +61,8 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomething", new Class[] {}, new Object[] {});
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
AuthorizationResult decision = manager
.authorize(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
.block();
assertThat(decision).isNull();
}
@ -72,8 +72,8 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" });
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
AuthorizationResult decision = manager
.authorize(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
@ -84,8 +84,8 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" });
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
AuthorizationResult decision = manager
.authorize(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation)
.block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
@ -98,11 +98,11 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedAdmin");
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation).block();
AuthorizationResult decision = manager.authorize(authentication, methodInvocation).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN"));
decision = manager.check(authentication, methodInvocation).block();
decision = manager.authorize(authentication, methodInvocation).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -114,11 +114,11 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedUser");
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation).block();
AuthorizationResult decision = manager.authorize(authentication, methodInvocation).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN"));
decision = manager.check(authentication, methodInvocation).block();
decision = manager.authorize(authentication, methodInvocation).block();
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -131,7 +131,7 @@ public class PreAuthorizeReactiveAuthorizationManagerTests {
ConflictingAnnotations.class, "inheritedAnnotations");
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {

32
core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -30,8 +30,8 @@ import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.intercept.method.MockMethodInvocation;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
@ -62,9 +62,9 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"securedUserOrAdmin");
Supplier<Authentication> authentication = TestAuthentication::authenticatedUser;
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision).isNull();
verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_USER", "ROLE_ADMIN"));
verify(authoritiesAuthorizationManager).authorize(authentication, Set.of("ROLE_USER", "ROLE_ADMIN"));
}
@Test
@ -72,7 +72,7 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"doSomething");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNull();
}
@ -81,7 +81,7 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"securedUserOrAdmin");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -91,7 +91,7 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"securedUserOrAdmin");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -103,7 +103,7 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
"securedUserOrAdmin");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -114,10 +114,10 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedAdmin");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
}
@ -127,10 +127,10 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "securedUser");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
AuthorizationResult decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isTrue();
authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
decision = manager.check(authentication, methodInvocation);
decision = manager.authorize(authentication, methodInvocation);
assertThat(decision.isGranted()).isFalse();
}
@ -141,7 +141,7 @@ public class SecuredAuthorizationManagerTests {
"inheritedAnnotations");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
@Test
@ -151,7 +151,7 @@ public class SecuredAuthorizationManagerTests {
"inheritedAnnotations");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
.isThrownBy(() -> manager.authorize(authentication, methodInvocation));
}
@Test
@ -159,10 +159,10 @@ public class SecuredAuthorizationManagerTests {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestTargetClassAware(),
TestTargetClassAware.class, "doSomething");
SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
decision = manager.check(TestAuthentication::authenticatedAdmin, methodInvocation);
decision = manager.authorize(TestAuthentication::authenticatedAdmin, methodInvocation);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}

4
docs/modules/ROOT/pages/reactive/authorization/method.adoc
View File

@ -308,7 +308,7 @@ Java::
@Component
public class MyPreAuthorizeAuthorizationManager implements ReactiveAuthorizationManager<MethodInvocation> {
@Override
public Mono<AuthorizationDecision> check(Supplier<Authentication> authentication, MethodInvocation invocation) {
public Mono<AuthorizationResult> authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
// ... authorization logic
}
@ -321,7 +321,7 @@ Kotlin::
----
@Component
class MyPreAuthorizeAuthorizationManager : ReactiveAuthorizationManager<MethodInvocation> {
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocation): Mono<AuthorizationDecision> {
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocation): Mono<AuthorizationResult> {
// ... authorization logic
}

8
docs/modules/ROOT/pages/servlet/appendix/faq.adoc
View File

@ -544,7 +544,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager<Request
// ...
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
// query the external service
}
}
@ -565,7 +565,7 @@ class DynamicAuthorizationManager : AuthorizationManager<RequestAuthorizationCon
// ...
override fun check(authentication: Supplier<Authentication?>?, context: RequestAuthorizationContext?): AuthorizationDecision {
override fun authorize(authentication: Supplier<Authentication?>?, context: RequestAuthorizationContext?): AuthorizationResult {
// look up rules from the database
}
}
@ -595,7 +595,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager<MethodI
// ...
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
// query the external service
}
}
@ -617,7 +617,7 @@ class DynamicAuthorizationManager : AuthorizationManager<MethodInvocation?> {
private val authz: MyExternalAuthorizationService? = null
// ...
override fun check(authentication: Supplier<Authentication?>?, invocation: MethodInvocation?): AuthorizationDecision {
override fun authorize(authentication: Supplier<Authentication?>?, invocation: MethodInvocation?): AuthorizationResult {
// query the external service
}
}

8
docs/modules/ROOT/pages/servlet/authorization/architecture.adoc
View File

@ -99,7 +99,7 @@ The `AuthorizationManager` interface contains two methods:
[source,java]
----
AuthorizationDecision check(Supplier<Authentication> authentication, Object secureObject);
AuthorizationResult authorize(Supplier<Authentication> authentication, Object secureObject);
default void verify(Supplier<Authentication> authentication, Object secureObject)
throws AccessDeniedException {
@ -113,7 +113,7 @@ For example, let's assume the secure object was a `MethodInvocation`.
It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer.
Implementations are expected to return a positive `AuthorizationDecision` if access is granted, negative `AuthorizationDecision` if access is denied, and a null `AuthorizationDecision` when abstaining from making a decision.
`verify` calls `check` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`.
`verify` calls `authorize` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`.
[[authz-delegate-authorization-manager]]
=== Delegate-based AuthorizationManager Implementations
@ -180,7 +180,7 @@ public class AccessDecisionManagerAuthorizationManagerAdapter implements Authori
private final SecurityMetadataSource securityMetadataSource;
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, Object object) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, Object object) {
try {
Collection<ConfigAttribute> attributes = this.securityMetadataSource.getAttributes(object);
this.accessDecisionManager.decide(authentication.get(), object, attributes);
@ -216,7 +216,7 @@ public class AccessDecisionVoterAuthorizationManagerAdapter implements Authoriza
private final SecurityMetadataSource securityMetadataSource;
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, Object object) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, Object object) {
Collection<ConfigAttribute> attributes = this.securityMetadataSource.getAttributes(object);
int decision = this.accessDecisionVoter.vote(authentication.get(), object, attributes);
switch (decision) {

2
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
View File

@ -861,7 +861,7 @@ Java::
@Component
public final class OpenPolicyAgentAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
// make request to Open Policy Agent
}
}

35
docs/modules/ROOT/pages/servlet/authorization/events.adoc
View File

@ -95,31 +95,30 @@ public class MyAuthorizationEventPublisher implements AuthorizationEventPublishe
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication,
T object, AuthorizationDecision decision) {
if (decision == null) {
T object, AuthorizationResult result) {
if (result == null) {
return;
}
if (!decision.isGranted()) {
this.delegate.publishAuthorizationEvent(authentication, object, decision);
if (!result.isGranted()) {
this.delegate.publishAuthorizationEvent(authentication, object, result);
return;
}
if (shouldThisEventBePublished(decision)) {
if (shouldThisEventBePublished(result)) {
AuthorizationGrantedEvent granted = new AuthorizationGrantedEvent(
authentication, object, decision);
authentication, object, result);
this.publisher.publishEvent(granted);
}
}
private boolean shouldThisEventBePublished(AuthorizationDecision decision) {
if (!(decision instanceof AuthorityAuthorizationDecision)) {
return false;
}
Collection<GrantedAuthority> authorities = ((AuthorityAuthorizationDecision) decision).getAuthorities();
private boolean shouldThisEventBePublished(AuthorizationResult result) {
if (result instanceof AuthorityAuthorizationDecision authorityAuthorizationDecision) {
Collection<GrantedAuthority> authorities = authorityAuthorizationDecision.getAuthorities();
for (GrantedAuthority authority : authorities) {
if ("ROLE_ADMIN".equals(authority.getAuthority())) {
return true;
}
}
}
return false;
}
}
@ -137,22 +136,22 @@ class MyAuthorizationEventPublisher(val publisher: ApplicationEventPublisher,
override fun <T : Any?> publishAuthorizationEvent(
authentication: Supplier<Authentication>?,
`object`: T,
decision: AuthorizationDecision?
result: AuthorizationResult?
) {
if (decision == null) {
if (result == null) {
return
}
if (!decision.isGranted) {
this.delegate.publishAuthorizationEvent(authentication, `object`, decision)
if (!result.isGranted) {
this.delegate.publishAuthorizationEvent(authentication, `object`, result)
return
}
if (shouldThisEventBePublished(decision)) {
val granted = AuthorizationGrantedEvent(authentication, `object`, decision)
if (shouldThisEventBePublished(result)) {
val granted = AuthorizationGrantedEvent(authentication, `object`, result)
this.publisher.publishEvent(granted)
}
}
private fun shouldThisEventBePublished(decision: AuthorizationDecision): Boolean {
private fun shouldThisEventBePublished(result: AuthorizationResult): Boolean {
if (decision !is AuthorityAuthorizationDecision) {
return false
}

8
docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
View File

@ -1371,12 +1371,12 @@ Java::
@Component
public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
// ... authorization logic
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
// ... authorization logic
}
}
@ -1388,11 +1388,11 @@ Kotlin::
----
@Component
class MyAuthorizationManager : AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocation): AuthorizationDecision {
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocation): AuthorizationResult {
// ... authorization logic
}
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocationResult): AuthorizationDecision {
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocationResult): AuthorizationResult {
// ... authorization logic
}
}

2
docs/modules/ROOT/pages/servlet/integrations/websocket.adoc
View File

@ -227,7 +227,7 @@ public final class MessageExpressionAuthorizationManager implements Authorizatio
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MessageAuthorizationContext<?> context) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, MessageAuthorizationContext<?> context) {
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context.getMessage());
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
return new ExpressionAuthorizationDecision(granted, this.expression);

9
messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,7 +27,6 @@ import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
@ -109,12 +108,6 @@ public final class AuthorizationChannelInterceptor implements ChannelInterceptor
private static class NoopAuthorizationEventPublisher implements AuthorizationEventPublisher {
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {
}
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) {

25
messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java
View File

@ -28,7 +28,6 @@ import org.springframework.messaging.Message;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.SingleResultAuthorizationManager;
@ -56,30 +55,6 @@ public final class MessageMatcherDelegatingAuthorizationManager implements Autho
this.mappings = mappings;
}
/**
* Delegates to a specific {@link AuthorizationManager} based on a
* {@link MessageMatcher} evaluation.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param message the {@link Message} to check
* @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher}
* matching the message, or the {@link AuthorizationManager} could not decide, then
* null is returned
* @deprecated please use {@link #authorize(Supplier, Message)} instead
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, Message<?> message) {
AuthorizationResult result = authorize(authentication, message);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, Message<?> message) {
if (this.logger.isTraceEnabled()) {

16
messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -30,7 +30,6 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
@ -39,7 +38,6 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.verify;
/**
@ -83,15 +81,13 @@ public class AuthorizationChannelInterceptorTests {
@Test
public void preSendWhenAllowThenSameMessage() {
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));
assertThat(this.interceptor.preSend(this.message, this.channel)).isSameAs(this.message);
}
@Test
public void preSendWhenDenyThenException() {
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(() -> this.interceptor.preSend(this.message, this.channel));
}
@ -105,11 +101,7 @@ public class AuthorizationChannelInterceptorTests {
@Test
public void preSendWhenAuthorizationEventPublisherThenPublishes() {
this.interceptor.setAuthorizationEventPublisher(this.eventPublisher);
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
lenient().doCallRealMethod()
.when(this.eventPublisher)
.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));
this.interceptor.preSend(this.message, this.channel);
verify(this.eventPublisher).publishAuthorizationEvent(any(), any(), any());
}

20
messaging/src/test/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManagerTests.java
View File

@ -65,7 +65,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
void checkWhenPermitAllThenPermits() {
AuthorizationManager<Message<?>> authorizationManager = builder().anyMessage().permitAll().build();
Message<?> message = new GenericMessage<>(new Object());
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isTrue();
}
@Test
@ -73,9 +73,9 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
AuthorizationManager<Message<?>> authorizationManager = builder().anyMessage().hasRole("USER").build();
Message<?> message = new GenericMessage<>(new Object());
Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
assertThat(authorizationManager.check(() -> user, message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(() -> user, message).isGranted()).isTrue();
Authentication admin = new TestingAuthenticationToken("user", "password", "ROLE_ADMIN");
assertThat(authorizationManager.check(() -> admin, message).isGranted()).isFalse();
assertThat(authorizationManager.authorize(() -> admin, message).isGranted()).isFalse();
}
@Test
@ -88,7 +88,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
MessageHeaders headers = new MessageHeaders(
Map.of(SimpMessageHeaderAccessor.DESTINATION_HEADER, "destination"));
Message<?> message = new GenericMessage<>(new Object(), headers);
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isTrue();
}
@Test
@ -99,11 +99,11 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
.denyAll()
.build();
Message<?> message = new GenericMessage<>(new Object());
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isTrue();
MessageHeaders headers = new MessageHeaders(
Map.of(SimpMessageHeaderAccessor.DESTINATION_HEADER, "destination"));
message = new GenericMessage<>(new Object(), headers);
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isFalse();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isFalse();
}
@Test
@ -116,7 +116,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
MessageHeaders headers = new MessageHeaders(
Map.of(SimpMessageHeaderAccessor.MESSAGE_TYPE_HEADER, SimpMessageType.CONNECT));
Message<?> message = new GenericMessage<>(new Object(), headers);
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isTrue();
}
// gh-12540
@ -130,7 +130,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
MessageHeaders headers = new MessageHeaders(
Map.of(SimpMessageHeaderAccessor.DESTINATION_HEADER, "destination/3"));
Message<?> message = new GenericMessage<>(new Object(), headers);
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isTrue();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isTrue();
}
@Test
@ -151,7 +151,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
MessageHeaders headers2 = new MessageHeaders(Map.of(SimpMessageHeaderAccessor.MESSAGE_TYPE_HEADER,
SimpMessageType.SUBSCRIBE, SimpMessageHeaderAccessor.DESTINATION_HEADER, "/destination"));
Message<?> message2 = new GenericMessage<>(new Object(), headers2);
assertThat(authorizationManager.check(mock(Supplier.class), message2).isGranted()).isFalse();
assertThat(authorizationManager.authorize(mock(Supplier.class), message2).isGranted()).isFalse();
}
@Test
@ -166,7 +166,7 @@ public final class MessageMatcherDelegatingAuthorizationManagerTests {
MessageHeaders headers = new MessageHeaders(
Map.of(SimpMessageHeaderAccessor.DESTINATION_HEADER, "/destination/sub/asdf"));
Message<?> message = new GenericMessage<>(new Object(), headers);
assertThat(authorizationManager.check(mock(Supplier.class), message).isGranted()).isFalse();
assertThat(authorizationManager.authorize(mock(Supplier.class), message).isGranted()).isFalse();
}
private MessageMatcherDelegatingAuthorizationManager.Builder builder() {

15
rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java
View File

@ -51,21 +51,6 @@ public final class PayloadExchangeMatcherReactiveAuthorizationManager
this.mappings = mappings;
}
/**
* @deprecated please use {@link #authorize(Mono, PayloadExchange)} instead
*/
@Deprecated
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, PayloadExchange exchange) {
return authorize(authentication, exchange).flatMap((result) -> {
if (result instanceof AuthorizationDecision decision) {
return Mono.just(decision);
}
return Mono.error(new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type Mono<AuthorizationDecision>"));
});
}
@Override
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, PayloadExchange exchange) {
return Flux.fromIterable(this.mappings)

20
rsocket/src/test/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManagerTests.java
View File

@ -52,51 +52,47 @@ public class PayloadExchangeMatcherReactiveAuthorizationManagerTests {
@Test
public void checkWhenGrantedThenGranted() {
AuthorizationDecision expected = new AuthorizationDecision(true);
given(this.authz.check(any(), any())).willReturn(Mono.just(expected));
given(this.authz.authorize(any(), any())).willCallRealMethod();
given(this.authz.authorize(any(), any())).willReturn(Mono.just(expected));
PayloadExchangeMatcherReactiveAuthorizationManager manager = PayloadExchangeMatcherReactiveAuthorizationManager
.builder()
.add(new PayloadExchangeMatcherEntry<>(PayloadExchangeMatchers.anyExchange(), this.authz))
.build();
assertThat(manager.check(Mono.empty(), this.exchange).block()).isEqualTo(expected);
assertThat(manager.authorize(Mono.empty(), this.exchange).block()).isEqualTo(expected);
}
@Test
public void checkWhenDeniedThenDenied() {
AuthorizationDecision expected = new AuthorizationDecision(false);
given(this.authz.check(any(), any())).willReturn(Mono.just(expected));
given(this.authz.authorize(any(), any())).willCallRealMethod();
given(this.authz.authorize(any(), any())).willReturn(Mono.just(expected));
PayloadExchangeMatcherReactiveAuthorizationManager manager = PayloadExchangeMatcherReactiveAuthorizationManager
.builder()
.add(new PayloadExchangeMatcherEntry<>(PayloadExchangeMatchers.anyExchange(), this.authz))
.build();
assertThat(manager.check(Mono.empty(), this.exchange).block()).isEqualTo(expected);
assertThat(manager.authorize(Mono.empty(), this.exchange).block()).isEqualTo(expected);
}
@Test
public void checkWhenFirstMatchThenSecondUsed() {
AuthorizationDecision expected = new AuthorizationDecision(true);
given(this.authz.check(any(), any())).willReturn(Mono.just(expected));
given(this.authz.authorize(any(), any())).willCallRealMethod();
given(this.authz.authorize(any(), any())).willReturn(Mono.just(expected));
PayloadExchangeMatcherReactiveAuthorizationManager manager = PayloadExchangeMatcherReactiveAuthorizationManager
.builder()
.add(new PayloadExchangeMatcherEntry<>(PayloadExchangeMatchers.anyExchange(), this.authz))
.add(new PayloadExchangeMatcherEntry<>((e) -> PayloadExchangeMatcher.MatchResult.notMatch(), this.authz2))
.build();
assertThat(manager.check(Mono.empty(), this.exchange).block()).isEqualTo(expected);
assertThat(manager.authorize(Mono.empty(), this.exchange).block()).isEqualTo(expected);
}
@Test
public void checkWhenSecondMatchThenSecondUsed() {
AuthorizationDecision expected = new AuthorizationDecision(true);
given(this.authz2.check(any(), any())).willReturn(Mono.just(expected));
given(this.authz2.authorize(any(), any())).willCallRealMethod();
given(this.authz2.authorize(any(), any())).willReturn(Mono.just(expected));
PayloadExchangeMatcherReactiveAuthorizationManager manager = PayloadExchangeMatcherReactiveAuthorizationManager
.builder()
.add(new PayloadExchangeMatcherEntry<>((e) -> PayloadExchangeMatcher.MatchResult.notMatch(), this.authz))
.add(new PayloadExchangeMatcherEntry<>(PayloadExchangeMatchers.anyExchange(), this.authz2))
.build();
assertThat(manager.check(Mono.empty(), this.exchange).block()).isEqualTo(expected);
assertThat(manager.authorize(Mono.empty(), this.exchange).block()).isEqualTo(expected);
}
}

5
web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ import java.util.function.Supplier;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
@ -52,7 +53,7 @@ public final class IpAddressAuthorizationManager implements AuthorizationManager
}
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication,
public AuthorizationResult authorize(Supplier<Authentication> authentication,
RequestAuthorizationContext requestAuthorizationContext) {
return new AuthorizationDecision(
this.ipAddressMatcher.matcher(requestAuthorizationContext.getRequest()).isMatch());

6
web/src/main/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -22,8 +22,8 @@ import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
@ -71,7 +71,7 @@ public final class WebExpressionAuthorizationManager implements AuthorizationMan
* expression
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context);
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
return new ExpressionAuthorizationDecision(granted, this.expression);

9
web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -29,7 +29,6 @@ import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
@ -231,12 +230,6 @@ public class AuthorizationFilter extends GenericFilterBean {
private static class NoopAuthorizationEventPublisher implements AuthorizationEventPublisher {
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) {
}
@Override
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
AuthorizationResult result) {

24
web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
View File

@ -62,30 +62,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
this.mappings = mappings;
}
/**
* Delegates to a specific {@link AuthorizationManager} based on a
* {@link RequestMatcher} evaluation.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param request the {@link HttpServletRequest} to check
* @return an {@link AuthorizationDecision}. If there is no {@link RequestMatcher}
* matching the request, or the {@link AuthorizationManager} could not decide, then
* null is returned
* @deprecated please use {@link #authorize(Supplier, HttpServletRequest)} instead
*/
@Deprecated
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, HttpServletRequest request) {
AuthorizationResult result = authorize(authentication, request);
if (result == null) {
return null;
}
if (result instanceof AuthorizationDecision decision) {
return decision;
}
throw new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication, HttpServletRequest request) {
if (this.logger.isTraceEnabled()) {

15
web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java
View File

@ -50,21 +50,6 @@ public final class DelegatingReactiveAuthorizationManager implements ReactiveAut
this.mappings = mappings;
}
/**
* @deprecated please use {@link #authorize(Mono, ServerWebExchange)} instead
*/
@Deprecated
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) {
return authorize(authentication, exchange).flatMap((result) -> {
if (result instanceof AuthorizationDecision decision) {
return Mono.just(decision);
}
return Mono.error(new IllegalArgumentException(
"Please call #authorize or ensure that the returned result is of type Mono<AuthorizationDecision>"));
});
}
@Override
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, ServerWebExchange exchange) {
return Flux.fromIterable(this.mappings)

5
web/src/main/java/org/springframework/security/web/server/authorization/IpAddressReactiveAuthorizationManager.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -19,6 +19,7 @@ package org.springframework.security.web.server.authorization;
import reactor.core.publisher.Mono;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.util.matcher.IpAddressServerWebExchangeMatcher;
@ -40,7 +41,7 @@ public final class IpAddressReactiveAuthorizationManager implements ReactiveAuth
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext context) {
public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, AuthorizationContext context) {
return Mono.just(context.getExchange())
.flatMap(this.ipAddressExchangeMatcher::matches)
.map((matchResult) -> new AuthorizationDecision(matchResult.isMatch()));

24
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -62,25 +62,22 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
@Test
void isAllowedWhenAuthorizationManagerAllowsThenAllowedTrue() {
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isTrue();
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test
void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() {
given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isFalse();
}
@Test
void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
given(this.authorizationManager.check(any(), any())).willReturn(null);
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
given(this.authorizationManager.authorize(any(), any())).willReturn(null);
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isTrue();
}
@ -88,11 +85,10 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
@Test
void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
ServletContext servletContext = new MockServletContext();
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.privilegeEvaluator.setServletContext(servletContext);
this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
verify(this.authorizationManager).check(any(), captor.capture());
verify(this.authorizationManager).authorize(any(), captor.capture());
assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
}
@ -105,12 +101,11 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
void isAllowedWhenRequestTransformerThenUsesRequestTransformerResult() {
HttpServletRequest request = new MockHttpServletRequest();
given(this.requestTransformer.transform(any())).willReturn(request);
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.privilegeEvaluator.setRequestTransformer(this.requestTransformer);
this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
verify(this.authorizationManager).check(any(), eq(request));
verify(this.authorizationManager).authorize(any(), eq(request));
}
// gh-16771
@ -119,13 +114,14 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
RequestMatcherDelegatingAuthorizationManager authorizationManager = RequestMatcherDelegatingAuthorizationManager
.builder()
.add(PathPatternRequestMatcher.withDefaults().matcher("/test/**"),
(authentication, context) -> this.authorizationManager.check(authentication, context.getRequest()))
(authentication, context) -> this.authorizationManager.authorize(authentication,
context.getRequest()))
.build();
AuthorizationManagerWebInvocationPrivilegeEvaluator privilegeEvaluator = new AuthorizationManagerWebInvocationPrivilegeEvaluator(
authorizationManager);
privilegeEvaluator.setRequestTransformer(new PathPatternRequestTransformer());
privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
}

8
web/src/test/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -22,7 +22,7 @@ import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import static org.assertj.core.api.Assertions.assertThat;
@ -87,7 +87,7 @@ class WebExpressionAuthorizationManagerTests {
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleAdminThenGrantedDecision() {
WebExpressionAuthorizationManager manager = new WebExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin,
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin,
new RequestAuthorizationContext(new MockHttpServletRequest()));
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
@ -96,7 +96,7 @@ class WebExpressionAuthorizationManagerTests {
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleUserThenDeniedDecision() {
WebExpressionAuthorizationManager manager = new WebExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser,
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser,
new RequestAuthorizationContext(new MockHttpServletRequest()));
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();

33
web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -38,7 +38,6 @@ import org.springframework.security.authorization.AuthenticatedAuthorizationMana
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
@ -54,7 +53,6 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.BDDMockito.willThrow;
import static org.mockito.Mockito.doCallRealMethod;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
@ -93,8 +91,7 @@ public class AuthorizationFilterTests {
@Test
public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Exception {
AuthorizationManager<HttpServletRequest> mockAuthorizationManager = mock(AuthorizationManager.class);
given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
given(mockAuthorizationManager.check(any(Supplier.class), any(HttpServletRequest.class)))
given(mockAuthorizationManager.authorize(any(Supplier.class), any(HttpServletRequest.class)))
.willReturn(new AuthorizationDecision(true));
AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password");
@ -110,7 +107,7 @@ public class AuthorizationFilterTests {
filter.doFilter(mockRequest, mockResponse, mockFilterChain);
ArgumentCaptor<Supplier<Authentication>> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class);
verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest));
verify(mockAuthorizationManager).authorize(authenticationCaptor.capture(), eq(mockRequest));
Supplier<Authentication> authentication = authenticationCaptor.getValue();
assertThat(authentication.get()).isEqualTo(authenticationToken);
@ -121,7 +118,6 @@ public class AuthorizationFilterTests {
@Test
public void filterWhenAuthorizationManagerVerifyThrowsAccessDeniedExceptionThenStopFilterChain() {
AuthorizationManager<HttpServletRequest> mockAuthorizationManager = mock(AuthorizationManager.class);
given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password");
@ -134,14 +130,14 @@ public class AuthorizationFilterTests {
FilterChain mockFilterChain = mock(FilterChain.class);
willThrow(new AccessDeniedException("Access Denied")).given(mockAuthorizationManager)
.check(any(), eq(mockRequest));
.authorize(any(), eq(mockRequest));
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(() -> filter.doFilter(mockRequest, mockResponse, mockFilterChain))
.withMessage("Access Denied");
ArgumentCaptor<Supplier<Authentication>> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class);
verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest));
verify(mockAuthorizationManager).authorize(authenticationCaptor.capture(), eq(mockRequest));
Supplier<Authentication> authentication = authenticationCaptor.getValue();
assertThat(authentication.get()).isEqualTo(authenticationToken);
@ -190,7 +186,6 @@ public class AuthorizationFilterTests {
SecurityContextHolder.setContext(securityContext);
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
doCallRealMethod().when(eventPublisher).publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
@ -200,7 +195,6 @@ public class AuthorizationFilterTests {
@Test
public void doFilterWhenErrorThenDoFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
given(authorizationManager.authorize(any(), any())).willCallRealMethod();
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
@ -209,7 +203,7 @@ public class AuthorizationFilterTests {
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verify(authorizationManager).check(any(Supplier.class), eq(mockRequest));
verify(authorizationManager).authorize(any(Supplier.class), eq(mockRequest));
}
@Test
@ -237,27 +231,24 @@ public class AuthorizationFilterTests {
@Test
public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException {
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.filter.setObserveOncePerRequest(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test
public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() throws ServletException, IOException {
setIsAppliedTrue();
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.filter.setObserveOncePerRequest(false);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test
public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException {
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.filter.setObserveOncePerRequest(false);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test
@ -270,11 +261,10 @@ public class AuthorizationFilterTests {
@Test
public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws ServletException, IOException {
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.request.setDispatcherType(DispatcherType.ERROR);
this.filter.setFilterErrorDispatch(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test
@ -294,11 +284,10 @@ public class AuthorizationFilterTests {
@Test
public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws ServletException, IOException {
given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
this.request.setDispatcherType(DispatcherType.ASYNC);
this.filter.setFilterAsyncDispatch(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).check(any(), any());
verify(this.authorizationManager).authorize(any(), any());
}
@Test

56
web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java
View File

@ -25,7 +25,7 @@ import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.SingleResultAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
@ -79,15 +79,15 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
AuthorizationDecision grant = manager.check(authentication, new MockHttpServletRequest(null, "/grant"));
AuthorizationResult grant = manager.authorize(authentication, new MockHttpServletRequest(null, "/grant"));
assertThat(grant).isNotNull();
assertThat(grant.isGranted()).isTrue();
AuthorizationDecision deny = manager.check(authentication, new MockHttpServletRequest(null, "/deny"));
AuthorizationResult deny = manager.authorize(authentication, new MockHttpServletRequest(null, "/deny"));
assertThat(deny).isNotNull();
assertThat(deny.isGranted()).isFalse();
AuthorizationDecision defaultDeny = manager.check(authentication,
AuthorizationResult defaultDeny = manager.authorize(authentication,
new MockHttpServletRequest(null, "/unmapped"));
assertThat(defaultDeny).isNotNull();
assertThat(defaultDeny.isGranted()).isFalse();
@ -108,16 +108,16 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
AuthorizationDecision grant = manager.check(authentication, new MockHttpServletRequest(null, "/grant"));
AuthorizationResult grant = manager.authorize(authentication, new MockHttpServletRequest(null, "/grant"));
assertThat(grant).isNotNull();
assertThat(grant.isGranted()).isTrue();
AuthorizationDecision afterAny = manager.check(authentication, new MockHttpServletRequest(null, "/afterAny"));
AuthorizationResult afterAny = manager.authorize(authentication, new MockHttpServletRequest(null, "/afterAny"));
assertThat(afterAny).isNotNull();
assertThat(afterAny.isGranted()).isFalse();
AuthorizationDecision unmapped = manager.check(authentication, new MockHttpServletRequest(null, "/unmapped"));
AuthorizationResult unmapped = manager.authorize(authentication, new MockHttpServletRequest(null, "/unmapped"));
assertThat(unmapped).isNotNull();
assertThat(unmapped.isGranted()).isFalse();
}
@ -180,7 +180,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.permitAll()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -191,7 +191,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.denyAll()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -202,7 +202,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.authenticated()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -213,7 +213,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.authenticated()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -224,7 +224,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.fullyAuthenticated()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -235,7 +235,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.fullyAuthenticated()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -246,7 +246,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.fullyAuthenticated()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::rememberMeUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::rememberMeUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -257,7 +257,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.rememberMe()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::rememberMeUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::rememberMeUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -268,7 +268,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.rememberMe()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -279,7 +279,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.anonymous()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -290,7 +290,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.anonymous()
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -301,7 +301,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasRole("ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -312,7 +312,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasRole("ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -323,7 +323,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyRole("USER", "ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -334,7 +334,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyRole("USER", "ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -345,7 +345,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyRole("USER", "ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -356,7 +356,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAuthority("ROLE_ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
@ -367,7 +367,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAuthority("ROLE_ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -378,7 +378,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -389,7 +389,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedAdmin, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@ -400,7 +400,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
.anyRequest()
.hasAnyRole("USER", "ADMIN")
.build();
AuthorizationDecision decision = manager.check(TestAuthentication::anonymousUser, null);
AuthorizationResult decision = manager.authorize(TestAuthentication::anonymousUser, null);
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}

8
web/src/test/java/org/springframework/security/web/server/authorization/AuthorizationWebFilterTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,6 +27,7 @@ import reactor.test.publisher.PublisherProbe;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
@ -113,8 +114,9 @@ public class AuthorizationWebFilterTests {
public void filterWhenGrantedAndDoeAccessAuthenticationThenChainSubscribedAndSecurityContextSubscribed() {
PublisherProbe<SecurityContext> context = PublisherProbe.empty();
given(this.chain.filter(this.exchange)).willReturn(this.chainResult.mono());
AuthorizationWebFilter filter = new AuthorizationWebFilter((a,
e) -> a.map((auth) -> new AuthorizationDecision(true)).defaultIfEmpty(new AuthorizationDecision(true)));
AuthorizationWebFilter filter = new AuthorizationWebFilter(
(a, e) -> a.map((auth) -> (AuthorizationResult) new AuthorizationDecision(true))
.defaultIfEmpty(new AuthorizationDecision(true)));
Mono<Void> result = filter.filter(this.exchange, this.chain)
.contextWrite(ReactiveSecurityContextHolder.withSecurityContext(context.mono()));
StepVerifier.create(result).verifyComplete();

10
web/src/test/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManagerTests.java
View File

@ -79,10 +79,9 @@ public class DelegatingReactiveAuthorizationManagerTests {
@Test
public void checkWhenFirstMatchesThenNoMoreMatchersAndNoMoreDelegatesInvoked() {
given(this.match1.matches(any())).willReturn(ServerWebExchangeMatcher.MatchResult.match());
given(this.delegate1.check(eq(this.authentication), any(AuthorizationContext.class)))
given(this.delegate1.authorize(eq(this.authentication), any(AuthorizationContext.class)))
.willReturn(Mono.just(this.decision));
given(this.delegate1.authorize(eq(this.authentication), any(AuthorizationContext.class))).willCallRealMethod();
assertThat(this.manager.check(this.authentication, this.exchange).block()).isEqualTo(this.decision);
assertThat(this.manager.authorize(this.authentication, this.exchange).block()).isEqualTo(this.decision);
verifyNoMoreInteractions(this.match2, this.delegate2);
}
@ -90,10 +89,9 @@ public class DelegatingReactiveAuthorizationManagerTests {
public void checkWhenSecondMatchesThenNoMoreMatchersAndNoMoreDelegatesInvoked() {
given(this.match1.matches(any())).willReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
given(this.match2.matches(any())).willReturn(ServerWebExchangeMatcher.MatchResult.match());
given(this.delegate2.check(eq(this.authentication), any(AuthorizationContext.class)))
given(this.delegate2.authorize(eq(this.authentication), any(AuthorizationContext.class)))
.willReturn(Mono.just(this.decision));
given(this.delegate2.authorize(eq(this.authentication), any(AuthorizationContext.class))).willCallRealMethod();
assertThat(this.manager.check(this.authentication, this.exchange).block()).isEqualTo(this.decision);
assertThat(this.manager.authorize(this.authentication, this.exchange).block()).isEqualTo(this.decision);
verifyNoMoreInteractions(this.delegate1);
}

10
web/src/test/java/org/springframework/security/web/server/authorization/IpAddressReactiveAuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -38,7 +38,7 @@ public class IpAddressReactiveAuthorizationManagerTests {
public void checkWhenHasIpv6AddressThenReturnTrue() throws UnknownHostException {
IpAddressReactiveAuthorizationManager v6manager = IpAddressReactiveAuthorizationManager
.hasIpAddress("fe80::21f:5bff:fe33:bd68");
boolean granted = v6manager.check(null, context("fe80::21f:5bff:fe33:bd68")).block().isGranted();
boolean granted = v6manager.authorize(null, context("fe80::21f:5bff:fe33:bd68")).block().isGranted();
assertThat(granted).isTrue();
}
@ -46,7 +46,7 @@ public class IpAddressReactiveAuthorizationManagerTests {
public void checkWhenHasIpv6AddressThenReturnFalse() throws UnknownHostException {
IpAddressReactiveAuthorizationManager v6manager = IpAddressReactiveAuthorizationManager
.hasIpAddress("fe80::21f:5bff:fe33:bd68");
boolean granted = v6manager.check(null, context("fe80::1c9a:7cfd:29a8:a91e")).block().isGranted();
boolean granted = v6manager.authorize(null, context("fe80::1c9a:7cfd:29a8:a91e")).block().isGranted();
assertThat(granted).isFalse();
}
@ -54,7 +54,7 @@ public class IpAddressReactiveAuthorizationManagerTests {
public void checkWhenHasIpv4AddressThenReturnTrue() throws UnknownHostException {
IpAddressReactiveAuthorizationManager v4manager = IpAddressReactiveAuthorizationManager
.hasIpAddress("192.168.1.104");
boolean granted = v4manager.check(null, context("192.168.1.104")).block().isGranted();
boolean granted = v4manager.authorize(null, context("192.168.1.104")).block().isGranted();
assertThat(granted).isTrue();
}
@ -62,7 +62,7 @@ public class IpAddressReactiveAuthorizationManagerTests {
public void checkWhenHasIpv4AddressThenReturnFalse() throws UnknownHostException {
IpAddressReactiveAuthorizationManager v4manager = IpAddressReactiveAuthorizationManager
.hasIpAddress("192.168.1.104");
boolean granted = v4manager.check(null, context("192.168.100.15")).block().isGranted();
boolean granted = v4manager.authorize(null, context("192.168.100.15")).block().isGranted();
assertThat(granted).isFalse();
}