diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java index c7bee6a7252..39567ddfdca 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authorization.AuthoritiesAuthorizationManager; +import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; import org.springframework.security.authorization.method.Jsr250AuthorizationManager; @@ -56,6 +57,7 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware { static MethodInterceptor jsr250AuthorizationMethodInterceptor( ObjectProvider defaultsProvider, ObjectProvider strategyProvider, + ObjectProvider eventPublisherProvider, ObjectProvider registryProvider, ObjectProvider roleHierarchyProvider, Jsr250MethodSecurityConfiguration configuration) { Jsr250AuthorizationManager jsr250 = new Jsr250AuthorizationManager(); @@ -72,6 +74,7 @@ static MethodInterceptor jsr250AuthorizationMethodInterceptor( .jsr250(manager); interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset); interceptor.setSecurityContextHolderStrategy(strategy); + eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher); return interceptor; } diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java index 78ea66606cc..a1909388781 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +31,7 @@ import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authorization.AuthoritiesAuthorizationManager; +import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; import org.springframework.security.authorization.method.SecuredAuthorizationManager; @@ -55,6 +56,7 @@ final class SecuredMethodSecurityConfiguration implements ImportAware { @Role(BeanDefinition.ROLE_INFRASTRUCTURE) static MethodInterceptor securedAuthorizationMethodInterceptor( ObjectProvider strategyProvider, + ObjectProvider eventPublisherProvider, ObjectProvider registryProvider, ObjectProvider roleHierarchyProvider, SecuredMethodSecurityConfiguration configuration) { SecuredAuthorizationManager secured = new SecuredAuthorizationManager(); @@ -70,6 +72,7 @@ static MethodInterceptor securedAuthorizationMethodInterceptor( .secured(manager); interceptor.setOrder(interceptor.getOrder() + configuration.interceptorOrderOffset); interceptor.setSecurityContextHolderStrategy(strategy); + eventPublisherProvider.ifAvailable(interceptor::setAuthorizationEventPublisher); return interceptor; } diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java index 746fb13785b..77988ed102e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -442,7 +442,6 @@ public void configureWhenAspectJThenRegistersAspects() { assertThat(this.spring.getContext().containsBean("annotationSecurityAspect$0")).isFalse(); } - // gh-13572 @Test public void configureWhenBeanOverridingDisallowedThenWorks() { this.spring.register(MethodSecurityServiceConfig.class, BusinessServiceConfig.class) @@ -468,6 +467,30 @@ public void methodSecurityUserWhenRoleHierarchyBeanAvailableThenUses() { this.methodSecurityService.jsr250RolesAllowedUser(); } + @WithMockUser(roles = "ADMIN") + @Test + public void methodSecurityAdminWhenAuthorizationEventPublisherBeanAvailableThenUses() { + this.spring + .register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class, + AuthorizationEventPublisherConfig.class) + .autowire(); + this.methodSecurityService.preAuthorizeUser(); + this.methodSecurityService.securedUser(); + this.methodSecurityService.jsr250RolesAllowedUser(); + } + + @WithMockUser + @Test + public void methodSecurityUserWhenAuthorizationEventPublisherBeanAvailableThenUses() { + this.spring + .register(RoleHierarchyConfig.class, MethodSecurityServiceConfig.class, + AuthorizationEventPublisherConfig.class) + .autowire(); + this.methodSecurityService.preAuthorizeUser(); + this.methodSecurityService.securedUser(); + this.methodSecurityService.jsr250RolesAllowedUser(); + } + @Test public void allAnnotationsWhenAdviceBeforeOffsetPreFilterThenReturnsFilteredList() { this.spring.register(ReturnBeforeOffsetPreFilterConfig.class).autowire();