Revert "Support SpEL Returning AuthorizationDecision"
This reverts commit 77f2977c55.
This commit is contained in:
@@ -18,8 +18,6 @@ package org.springframework.security.config.annotation.method.configuration;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
@@ -47,20 +45,4 @@ public class Authz {
|
||||
return message != null && message.contains(authentication.getName());
|
||||
}
|
||||
|
||||
public AuthorizationResult checkResult(boolean result) {
|
||||
return new AuthzResult(result);
|
||||
}
|
||||
|
||||
public Mono<AuthorizationResult> checkReactiveResult(boolean result) {
|
||||
return Mono.just(checkResult(result));
|
||||
}
|
||||
|
||||
public static class AuthzResult extends AuthorizationDecision {
|
||||
|
||||
public AuthzResult(boolean granted) {
|
||||
super(granted);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -173,11 +173,6 @@ public interface MethodSecurityService {
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = UserFallbackDeniedHandler.class)
|
||||
UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized();
|
||||
|
||||
@PreAuthorize(value = "@authz.checkResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
|
||||
@PostAuthorize(value = "@authz.checkResult(!#result)",
|
||||
postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
|
||||
String checkCustomResult(boolean result);
|
||||
|
||||
class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
|
||||
|
||||
@Override
|
||||
|
||||
@@ -28,14 +28,4 @@ public class MethodSecurityServiceConfig {
|
||||
return new MethodSecurityServiceImpl();
|
||||
}
|
||||
|
||||
@Bean
|
||||
ReactiveMethodSecurityService reactiveService() {
|
||||
return new ReactiveMethodSecurityServiceImpl();
|
||||
}
|
||||
|
||||
@Bean
|
||||
Authz authz() {
|
||||
return new Authz();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -197,9 +197,4 @@ public class MethodSecurityServiceImpl implements MethodSecurityService {
|
||||
return new UserRecordWithEmailProtected("username", "useremail@example.com");
|
||||
}
|
||||
|
||||
@Override
|
||||
public String checkCustomResult(boolean result) {
|
||||
return "ok";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -66,8 +66,6 @@ import org.springframework.security.authorization.method.AuthorizationAdvisorPro
|
||||
import org.springframework.security.authorization.method.AuthorizationInterceptorsOrder;
|
||||
import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
|
||||
import org.springframework.security.authorization.method.AuthorizeReturnObject;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
|
||||
import org.springframework.security.authorization.method.MethodInvocationResult;
|
||||
import org.springframework.security.authorization.method.PrePostTemplateDefaults;
|
||||
import org.springframework.security.config.Customizer;
|
||||
@@ -94,8 +92,6 @@ import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.atLeastOnce;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
/**
|
||||
* Tests for {@link PrePostMethodSecurityConfiguration}.
|
||||
@@ -929,23 +925,6 @@ public class PrePostMethodSecurityConfigurationTests {
|
||||
assertThat(user.name()).isEqualTo("Protected");
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithMockUser
|
||||
void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
|
||||
this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
|
||||
MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
|
||||
MethodAuthorizationDeniedHandler handler = this.spring.getContext()
|
||||
.getBean(MethodAuthorizationDeniedHandler.class);
|
||||
MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
|
||||
.getBean(MethodAuthorizationDeniedPostProcessor.class);
|
||||
assertThat(service.checkCustomResult(false)).isNull();
|
||||
verify(handler).handle(any(), any(Authz.AuthzResult.class));
|
||||
verifyNoInteractions(postProcessor);
|
||||
assertThat(service.checkCustomResult(true)).isNull();
|
||||
verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
|
||||
verifyNoMoreInteractions(handler);
|
||||
}
|
||||
|
||||
private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
|
||||
return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
|
||||
}
|
||||
@@ -1470,23 +1449,4 @@ public class PrePostMethodSecurityConfigurationTests {
|
||||
|
||||
}
|
||||
|
||||
@EnableMethodSecurity
|
||||
static class CustomResultConfig {
|
||||
|
||||
MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
|
||||
|
||||
MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
|
||||
|
||||
@Bean
|
||||
MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
|
||||
return this.handler;
|
||||
}
|
||||
|
||||
@Bean
|
||||
MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
|
||||
return this.postProcessor;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -47,8 +47,6 @@ import org.springframework.security.authentication.TestAuthentication;
|
||||
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
|
||||
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
|
||||
import org.springframework.security.authorization.method.AuthorizeReturnObject;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||
import org.springframework.security.config.test.SpringTestContext;
|
||||
@@ -56,14 +54,8 @@ import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
import org.springframework.security.test.context.support.WithMockUser;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
/**
|
||||
* @author Tadaya Tsuyukubo
|
||||
@@ -73,7 +65,7 @@ public class ReactiveMethodSecurityConfigurationTests {
|
||||
|
||||
public final SpringTestContext spring = new SpringTestContext(this);
|
||||
|
||||
@Autowired(required = false)
|
||||
@Autowired
|
||||
DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler;
|
||||
|
||||
@Test
|
||||
@@ -220,23 +212,6 @@ public class ReactiveMethodSecurityConfigurationTests {
|
||||
.verifyError(AccessDeniedException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithMockUser
|
||||
void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
|
||||
this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
|
||||
ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
|
||||
MethodAuthorizationDeniedHandler handler = this.spring.getContext()
|
||||
.getBean(MethodAuthorizationDeniedHandler.class);
|
||||
MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
|
||||
.getBean(MethodAuthorizationDeniedPostProcessor.class);
|
||||
assertThat(service.checkCustomResult(false).block()).isNull();
|
||||
verify(handler).handle(any(), any(Authz.AuthzResult.class));
|
||||
verifyNoInteractions(postProcessor);
|
||||
assertThat(service.checkCustomResult(true).block()).isNull();
|
||||
verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
|
||||
verifyNoMoreInteractions(handler);
|
||||
}
|
||||
|
||||
private static Consumer<User.UserBuilder> authorities(String... authorities) {
|
||||
return (builder) -> builder.authorities(authorities);
|
||||
}
|
||||
@@ -378,23 +353,4 @@ public class ReactiveMethodSecurityConfigurationTests {
|
||||
|
||||
}
|
||||
|
||||
@EnableReactiveMethodSecurity
|
||||
static class CustomResultConfig {
|
||||
|
||||
MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
|
||||
|
||||
MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
|
||||
|
||||
@Bean
|
||||
MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
|
||||
return this.handler;
|
||||
}
|
||||
|
||||
@Bean
|
||||
MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
|
||||
return this.postProcessor;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -85,11 +85,6 @@ public interface ReactiveMethodSecurityService {
|
||||
@Mask(expression = "@myMasker.getMask(returnObject)")
|
||||
Mono<String> postAuthorizeWithMaskAnnotationUsingBean();
|
||||
|
||||
@PreAuthorize(value = "@authz.checkReactiveResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
|
||||
@PostAuthorize(value = "@authz.checkReactiveResult(!#result)",
|
||||
postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
|
||||
Mono<String> checkCustomResult(boolean result);
|
||||
|
||||
class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
|
||||
|
||||
@Override
|
||||
|
||||
@@ -82,9 +82,4 @@ public class ReactiveMethodSecurityServiceImpl implements ReactiveMethodSecurity
|
||||
return Mono.just("ok");
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<String> checkCustomResult(boolean result) {
|
||||
return Mono.just("ok");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user