Publish OAuth2MethodSecurityExpressionHandler Bean

Closes gh-336

Author: jzheaux

spring-security-oauth2-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfiguration.java

@@ -22,7 +22,7 @@
 import org.springframework.boot.autoconfigure.security.oauth2.authserver.OAuth2AuthorizationServerConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.client.ClientProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2RestOperationsConfiguration;
-import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityConfiguration;
+import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityExpressionHandlerConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
 import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
@@ -42,7 +42,7 @@
  */
 @Configuration
 @ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurer.class })
-@Import({ OAuth2AuthorizationServerConfiguration.class, OAuth2MethodSecurityConfiguration.class,
+@Import({ OAuth2AuthorizationServerConfiguration.class, OAuth2MethodSecurityExpressionHandlerConfiguration.class,
 		OAuth2ResourceServerConfiguration.class, OAuth2RestOperationsConfiguration.class })
 @AutoConfigureBefore(WebMvcAutoConfiguration.class)
 @EnableConfigurationProperties({ OAuth2ClientProperties.class, ClientProperties.class })

spring-security-oauth2-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/method/OAuth2MethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,8 +33,8 @@
 import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
 
 /**
- * Auto-configure an expression handler for method-level security (if the user already has
- * {@code @EnableGlobalMethodSecurity}).
+ * Replace any {@link DefaultMethodSecurityExpressionHandler} in the application context
+ * with an {@link OAuth2MethodSecurityExpressionHandler}.
  *
  * @author Greg Turnquist
  * @author Dave Syer

spring-security-oauth2-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/method/OAuth2MethodSecurityExpressionHandlerConfiguration.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2012-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security.oauth2.method;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
+import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
+
+/**
+ * Auto-configure an expression handler for method-level security (if the application is
+ * already annotated with {@code @EnableGlobalMethodSecurity}).
+ *
+ * @author Josh Cummings
+ * @since 2.6
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnClass({ OAuth2AccessToken.class })
+@ConditionalOnBean(GlobalMethodSecurityConfiguration.class)
+public class OAuth2MethodSecurityExpressionHandlerConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean(MethodSecurityExpressionHandler.class)
+	MethodSecurityExpressionHandler methodSecurityExpressionHandler(@Autowired ApplicationContext context,
+			@Autowired(required = false) PermissionEvaluator permissionEvaluator,
+			@Autowired(required = false) RoleHierarchy roleHierarchy,
+			@Autowired(required = false) AuthenticationTrustResolver trustResolver,
+			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) {
+		OAuth2MethodSecurityExpressionHandler expressionHandler = new OAuth2MethodSecurityExpressionHandler();
+		expressionHandler.setApplicationContext(context);
+		if (permissionEvaluator != null) {
+			expressionHandler.setPermissionEvaluator(permissionEvaluator);
+		}
+		if (roleHierarchy != null) {
+			expressionHandler.setRoleHierarchy(roleHierarchy);
+		}
+		if (trustResolver != null) {
+			expressionHandler.setTrustResolver(trustResolver);
+		}
+		if (grantedAuthorityDefaults != null) {
+			expressionHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
+		}
+		return expressionHandler;
+	}
+
+}

spring-security-oauth2-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,11 +27,11 @@
 import org.springframework.aop.support.AopUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.authserver.OAuth2AuthorizationServerConfiguration;
-import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityConfiguration;
+import org.springframework.boot.autoconfigure.security.oauth2.method.OAuth2MethodSecurityExpressionHandlerConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
 import org.springframework.boot.context.properties.source.ConfigurationPropertySources;
@@ -127,7 +127,7 @@ public void testDefaultConfiguration() {
 		this.context.refresh();
 		this.context.getBean(AUTHORIZATION_SERVER_CONFIG);
 		this.context.getBean(RESOURCE_SERVER_CONFIG);
-		this.context.getBean(OAuth2MethodSecurityConfiguration.class);
+		this.context.getBean(OAuth2MethodSecurityExpressionHandlerConfiguration.class);
 		ClientDetails config = this.context.getBean(BaseClientDetails.class);
 		AuthorizationEndpoint endpoint = this.context.getBean(AuthorizationEndpoint.class);
 		UserApprovalHandler handler = (UserApprovalHandler) ReflectionTestUtils.getField(endpoint,
@@ -308,7 +308,7 @@ public void testDefaultPrePostSecurityAnnotations() {
 		this.context = new AnnotationConfigServletWebServerApplicationContext();
 		this.context.register(AuthorizationAndResourceServerConfiguration.class, MinimalSecureWebApplication.class);
 		this.context.refresh();
-		this.context.getBean(OAuth2MethodSecurityConfiguration.class);
+		this.context.getBean(OAuth2MethodSecurityExpressionHandlerConfiguration.class);
 		ClientDetails config = this.context.getBean(ClientDetails.class);
 		DelegatingMethodSecurityMetadataSource source = this.context
 				.getBean(DelegatingMethodSecurityMetadataSource.class);
@@ -324,7 +324,7 @@ public void testClassicSecurityAnnotationOverride() {
 		this.context = new AnnotationConfigServletWebServerApplicationContext();
 		this.context.register(SecuredEnabledConfiguration.class, MinimalSecureWebApplication.class);
 		this.context.refresh();
-		this.context.getBean(OAuth2MethodSecurityConfiguration.class);
+		this.context.getBean(OAuth2MethodSecurityExpressionHandlerConfiguration.class);
 		ClientDetails config = this.context.getBean(ClientDetails.class);
 		DelegatingMethodSecurityMetadataSource source = this.context
 				.getBean(DelegatingMethodSecurityMetadataSource.class);
@@ -340,7 +340,7 @@ public void testJsr250SecurityAnnotationOverride() {
 		this.context = new AnnotationConfigServletWebServerApplicationContext();
 		this.context.register(Jsr250EnabledConfiguration.class, MinimalSecureWebApplication.class);
 		this.context.refresh();
-		this.context.getBean(OAuth2MethodSecurityConfiguration.class);
+		this.context.getBean(OAuth2MethodSecurityExpressionHandlerConfiguration.class);
 		ClientDetails config = this.context.getBean(ClientDetails.class);
 		DelegatingMethodSecurityMetadataSource source = this.context
 				.getBean(DelegatingMethodSecurityMetadataSource.class);