root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 9 Packages Projects Releases Wiki Activity

EnableMethodSecurity annotation does not get imported when defined as a meta-annotation 

Closes gh-12870
This commit is contained in:
Evgeniy Cheban 2023-05-02 02:46:41 +03:00 committed by Marcus Hert Da Coregio
parent dd469ac2a0
commit c5461b17de
3 changed files with 71 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -41,7 +41,8 @@ final class MethodSecuritySelector implements ImportSelector {
@Override @Override
public String[] selectImports(@NonNull AnnotationMetadata importMetadata) { public String[] selectImports(@NonNull AnnotationMetadata importMetadata) {
if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName())) { if (!importMetadata.hasAnnotation(EnableMethodSecurity.class.getName())
&& !importMetadata.hasMetaAnnotation(EnableMethodSecurity.class.getName())) {
return new String[0]; return new String[0];
} }
EnableMethodSecurity annotation = importMetadata.getAnnotations().get(EnableMethodSecurity.class).synthesize(); EnableMethodSecurity annotation = importMetadata.getAnnotations().get(EnableMethodSecurity.class).synthesize();

41
config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableCustomMethodSecurity.java Normal file
View File

@ -0,0 +1,41 @@
/*
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.method.configuration;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.core.annotation.AliasFor;
/**
* @author Evgeniy Cheban
*/
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@EnableMethodSecurity
public @interface EnableCustomMethodSecurity {
@AliasFor(annotation = EnableMethodSecurity.class, attribute = "proxyTargetClass")
boolean proxyTargetClass() default false;
@AliasFor(annotation = EnableMethodSecurity.class, attribute = "mode")
AdviceMode mode() default AdviceMode.PROXY;
}

28
config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -92,6 +92,21 @@ public class PrePostMethodSecurityConfigurationTests {
@Autowired(required = false) @Autowired(required = false)
BusinessService businessService; BusinessService businessService;
@WithMockUser
@Test
public void customMethodSecurityPreAuthorizeAdminWhenRoleUserThenAccessDeniedException() {
this.spring.register(CustomMethodSecurityServiceConfig.class).autowire();
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.methodSecurityService::preAuthorizeAdmin)
.withMessage("Access Denied");
}
@WithMockUser(roles = "ADMIN")
@Test
public void customMethodSecurityPreAuthorizeAdminWhenRoleAdminThenPasses() {
this.spring.register(CustomMethodSecurityServiceConfig.class).autowire();
this.methodSecurityService.preAuthorizeAdmin();
}
@WithMockUser(roles = "ADMIN") @WithMockUser(roles = "ADMIN")
@Test @Test
public void preAuthorizeWhenRoleAdminThenAccessDeniedException() { public void preAuthorizeWhenRoleAdminThenAccessDeniedException() {
@ -418,6 +433,17 @@ public class PrePostMethodSecurityConfigurationTests {
assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse(); assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse();
} }
@Configuration
@EnableCustomMethodSecurity
static class CustomMethodSecurityServiceConfig {
@Bean
MethodSecurityService methodSecurityService() {
return new MethodSecurityServiceImpl();
}
}
@Configuration @Configuration
@EnableMethodSecurity @EnableMethodSecurity
static class MethodSecurityServiceConfig { static class MethodSecurityServiceConfig {