Support custom MethodSecurityExpressionHandler

kse-music · kse-music · commit 83632611d821 · 2024-09-04T10:41:12.000+08:00
Closes gh-15715
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
@@ -34,6 +34,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Fallback;
 import org.springframework.context.annotation.Role;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
@@ -114,6 +115,7 @@ static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	@Fallback
 	static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
 			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) {
 		DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java
@@ -16,14 +16,21 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.io.Serializable;
+
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import reactor.test.StepVerifier;
 
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -201,6 +208,14 @@ void preAuthorizeWhenAllowedAndHandlerWithCustomAnnotationUsingBeanThenInvokeMet
 		StepVerifier.create(service.preAuthorizeWithMaskAnnotationUsingBean()).expectNext("ok").verifyComplete();
 	}
 
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	public void customMethodSecurityExpressionHandler() {
+		this.spring.register(MethodSecurityServiceEnabledConfig.class, PermissionEvaluatorConfig.class).autowire();
+		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
+		StepVerifier.create(service.preAuthorizeHasPermission("Hello")).expectNext("ok").verifyComplete();
+	}
+
 	@Configuration
 	@EnableReactiveMethodSecurity
 	static class MethodSecurityServiceEnabledConfig {
@@ -212,4 +227,29 @@ ReactiveMethodSecurityService methodSecurityService() {
 
 	}
 
+	@Configuration
+	static class PermissionEvaluatorConfig {
+
+		@Bean
+		@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+		static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler() {
+			DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
+			handler.setPermissionEvaluator(new PermissionEvaluator() {
+				@Override
+				public boolean hasPermission(Authentication authentication, Object targetDomainObject,
+						Object permission) {
+					return true;
+				}
+
+				@Override
+				public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
+						Object permission) {
+					return true;
+				}
+			});
+			return handler;
+		}
+
+	}
+
 }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java
@@ -101,6 +101,9 @@ public interface ReactiveMethodSecurityService {
 	@HandleAuthorizationDenied(handlerClass = MethodAuthorizationDeniedHandler.class)
 	Mono<String> checkCustomResult(boolean result);
 
+	@PreAuthorize("hasPermission('#kgName', 'read')")
+	Mono<String> preAuthorizeHasPermission(String kgName);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java
@@ -88,4 +88,9 @@ public Mono<String> checkCustomResult(boolean result) {
 		return Mono.just("ok");
 	}
 
+	@Override
+	public Mono<String> preAuthorizeHasPermission(String kgName) {
+		return Mono.just("ok");
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -88,4 +88,9 @@ public Mono<String> checkCustomResult(boolean result) {`
`88`	`88`	`return Mono.just("ok");`
`89`	`89`	`}`
`90`	`90`
	`91`	`+ @Override`
	`92`	`+ public Mono<String> preAuthorizeHasPermission(String kgName) {`
	`93`	`+ return Mono.just("ok");`
	`94`	`+ }`
	`95`	`+`
`91`	`96`	`}`