SEC-2332: GlobalMethodSecurityConfiguration includes proper voters

Previously GlobalMethodSecurityConfiguration did not include the correct voters. This updates the code and the tests to ensure that the proper voters are added. Note this got past testing previously due to all the voters abstaining, so tests were added for ensuring that methods could also be invoked sucessfully using the configured annotation.
2013-09-18 18:27:12 -05:00 · 2013-09-18 18:27:12 -05:00 · c5c1419521
parent d33b9e2854
commit c5c1419521
4 changed files with 31 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
@ -40,6 +40,7 @@ import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
+import org.springframework.security.access.annotation.Jsr250Voter;
 import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
@ -178,9 +179,13 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
        List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
        ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
        expressionAdvice.setExpressionHandler(getExpressionHandler());
-
-        decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(
+        if(prePostEnabled()) {
+            decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(
                expressionAdvice));
+        }
+        if(jsr250Enabled()) {
+            decisionVoters.add(new Jsr250Voter());
+        }
        decisionVoters.add(new RoleVoter());
        decisionVoters.add(new AuthenticatedVoter());
        return new AffirmativeBased(decisionVoters);
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.groovy
@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.method.configuration;

 import javax.annotation.security.DenyAll
+import javax.annotation.security.PermitAll;

 import org.springframework.security.access.annotation.Secured
 import org.springframework.security.access.prepost.PostAuthorize;
@ -34,9 +35,15 @@ public interface MethodSecurityService {
    @Secured("ROLE_ADMIN")
    public String secured();

+    @Secured("ROLE_USER")
+    public String securedUser();
+
    @DenyAll
    public String jsr250();

+    @PermitAll
+    public String jsr250PermitAll();
+
    @Secured(["ROLE_USER","RUN_AS_SUPER"])
    public Authentication runAs();

--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.groovy
@ -35,11 +35,21 @@ public class MethodSecurityServiceImpl implements MethodSecurityService {
        return null;
    }

+    @Override
+    public String securedUser() {
+        return null;
+    }
+
    @Override
    public String jsr250() {
        return null;
    }

+    @Override
+    public String jsr250PermitAll() {
+        return null;
+    }
+
    @Override
    public Authentication runAs() {
        return SecurityContextHolder.getContext().getAuthentication();
--- a/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.groovy
@ -134,6 +134,10 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
            service.jsr250()
        then: "access is denied"
            thrown(AccessDeniedException)
+        when: "@PermitAll method invoked"
+            String jsr250PermitAll = service.jsr250PermitAll()
+        then: "access is allowed"
+            jsr250PermitAll == null
    }

    @EnableGlobalMethodSecurity(jsr250Enabled = true)
@ -345,6 +349,9 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
            service.secured()
        then:
            thrown(AccessDeniedException)
+        and: "service with ROLE_USER allowed"
+            service.securedUser() == null
+        and:
            service.preAuthorize() == null
            service.jsr250() == null
    }