EnableMethodSecurity annotation does not get imported when defined as a meta-annotation

Closes gh-12870
2023-05-02 02:46:41 +03:00 · 2023-05-02 02:46:41 +03:00 · c5461b17de
parent dd469ac2a0
commit c5461b17de
3 changed files with 71 additions and 3 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -41,7 +41,8 @@ final class MethodSecuritySelector implements ImportSelector {

 	@Override
 	public String[] selectImports(@NonNull AnnotationMetadata importMetadata) {
-		if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName())) {
+		if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName())
+				&& !importMetadata.hasMetaAnnotation(EnableMethodSecurity.class.getName())) {
 			return new String[0];
 		}
 		EnableMethodSecurity annotation = importMetadata.getAnnotations().get(EnableMethodSecurity.class).synthesize();
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java
@ -0,0 +1,41 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.AdviceMode;
+import org.springframework.core.annotation.AliasFor;
+
+/**
+ * @author Evgeniy Cheban
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@EnableMethodSecurity
+public @interface EnableCustomMethodSecurity {
+
+	@AliasFor(annotation = EnableMethodSecurity.class, attribute = "proxyTargetClass")
+	boolean proxyTargetClass() default false;
+
+	@AliasFor(annotation = EnableMethodSecurity.class, attribute = "mode")
+	AdviceMode mode() default AdviceMode.PROXY;
+
+}
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -92,6 +92,21 @@ public class PrePostMethodSecurityConfigurationTests {
 	@Autowired(required = false)
 	BusinessService businessService;

+	@WithMockUser
+	@Test
+	public void customMethodSecurityPreAuthorizeAdminWhenRoleUserThenAccessDeniedException() {
+		this.spring.register(CustomMethodSecurityServiceConfig.class).autowire();
+		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.methodSecurityService::preAuthorizeAdmin)
+				.withMessage("Access Denied");
+	}
+
+	@WithMockUser(roles = "ADMIN")
+	@Test
+	public void customMethodSecurityPreAuthorizeAdminWhenRoleAdminThenPasses() {
+		this.spring.register(CustomMethodSecurityServiceConfig.class).autowire();
+		this.methodSecurityService.preAuthorizeAdmin();
+	}
+
 	@WithMockUser(roles = "ADMIN")
 	@Test
 	public void preAuthorizeWhenRoleAdminThenAccessDeniedException() {
@ -418,6 +433,17 @@ public class PrePostMethodSecurityConfigurationTests {
 		assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse();
 	}

+	@Configuration
+	@EnableCustomMethodSecurity
+	static class CustomMethodSecurityServiceConfig {
+
+		@Bean
+		MethodSecurityService methodSecurityService() {
+			return new MethodSecurityServiceImpl();
+		}
+
+	}
+
 	@Configuration
 	@EnableMethodSecurity
 	static class MethodSecurityServiceConfig {