Polish AuthorizationManager#authorize
Issue gh-14843
This commit is contained in:
Josh Cummings
+2
@@ -139,7 +139,9 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
|
||||
* @param authentication the {@link Supplier} of the {@link Authentication} to check
|
||||
* @param object the {@link T} object to check
|
||||
* @return an {@link AuthorizationDecision}
|
||||
* @deprecated please use {@link #authorize(Supplier, Object)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
|
||||
return this.delegate.check(authentication, this.authorities);
|
||||
|
||||
+52
-30
@@ -18,6 +18,9 @@ package org.springframework.security.authorization;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
/**
|
||||
* A factory class to create an {@link AuthorizationManager} instances.
|
||||
@@ -55,22 +58,22 @@ public final class AuthorizationManagers {
|
||||
@SafeVarargs
|
||||
public static <T> AuthorizationManager<T> anyOf(AuthorizationDecision allAbstainDefaultDecision,
|
||||
AuthorizationManager<T>... managers) {
|
||||
return (authentication, object) -> {
|
||||
List<AuthorizationDecision> decisions = new ArrayList<>();
|
||||
return (AuthorizationManagerCheckAdapter<T>) (authentication, object) -> {
|
||||
List<AuthorizationResult> results = new ArrayList<>();
|
||||
for (AuthorizationManager<T> manager : managers) {
|
||||
AuthorizationDecision decision = manager.check(authentication, object);
|
||||
if (decision == null) {
|
||||
AuthorizationResult result = manager.authorize(authentication, object);
|
||||
if (result == null) {
|
||||
continue;
|
||||
}
|
||||
if (decision.isGranted()) {
|
||||
return decision;
|
||||
if (result.isGranted()) {
|
||||
return result;
|
||||
}
|
||||
decisions.add(decision);
|
||||
results.add(result);
|
||||
}
|
||||
if (decisions.isEmpty()) {
|
||||
if (results.isEmpty()) {
|
||||
return allAbstainDefaultDecision;
|
||||
}
|
||||
return new CompositeAuthorizationDecision(false, decisions);
|
||||
return new CompositeAuthorizationDecision(false, results);
|
||||
};
|
||||
}
|
||||
|
||||
@@ -101,22 +104,22 @@ public final class AuthorizationManagers {
|
||||
@SafeVarargs
|
||||
public static <T> AuthorizationManager<T> allOf(AuthorizationDecision allAbstainDefaultDecision,
|
||||
AuthorizationManager<T>... managers) {
|
||||
return (authentication, object) -> {
|
||||
List<AuthorizationDecision> decisions = new ArrayList<>();
|
||||
return (AuthorizationManagerCheckAdapter<T>) (authentication, object) -> {
|
||||
List<AuthorizationResult> results = new ArrayList<>();
|
||||
for (AuthorizationManager<T> manager : managers) {
|
||||
AuthorizationDecision decision = manager.check(authentication, object);
|
||||
if (decision == null) {
|
||||
AuthorizationResult result = manager.authorize(authentication, object);
|
||||
if (result == null) {
|
||||
continue;
|
||||
}
|
||||
if (!decision.isGranted()) {
|
||||
return decision;
|
||||
if (!result.isGranted()) {
|
||||
return result;
|
||||
}
|
||||
decisions.add(decision);
|
||||
results.add(result);
|
||||
}
|
||||
if (decisions.isEmpty()) {
|
||||
if (results.isEmpty()) {
|
||||
return allAbstainDefaultDecision;
|
||||
}
|
||||
return new CompositeAuthorizationDecision(true, decisions);
|
||||
return new CompositeAuthorizationDecision(true, results);
|
||||
};
|
||||
}
|
||||
|
||||
@@ -131,11 +134,11 @@ public final class AuthorizationManagers {
|
||||
*/
|
||||
public static <T> AuthorizationManager<T> not(AuthorizationManager<T> manager) {
|
||||
return (authentication, object) -> {
|
||||
AuthorizationDecision decision = manager.check(authentication, object);
|
||||
if (decision == null) {
|
||||
AuthorizationResult result = manager.authorize(authentication, object);
|
||||
if (result == null) {
|
||||
return null;
|
||||
}
|
||||
return new NotAuthorizationDecision(decision);
|
||||
return new NotAuthorizationDecision(result);
|
||||
};
|
||||
}
|
||||
|
||||
@@ -144,34 +147,53 @@ public final class AuthorizationManagers {
|
||||
|
||||
private static final class CompositeAuthorizationDecision extends AuthorizationDecision {
|
||||
|
||||
private final List<AuthorizationDecision> decisions;
|
||||
private final List<AuthorizationResult> results;
|
||||
|
||||
private CompositeAuthorizationDecision(boolean granted, List<AuthorizationDecision> decisions) {
|
||||
private CompositeAuthorizationDecision(boolean granted, List<AuthorizationResult> results) {
|
||||
super(granted);
|
||||
this.decisions = decisions;
|
||||
this.results = results;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "CompositeAuthorizationDecision [decisions=" + this.decisions + ']';
|
||||
return "CompositeAuthorizationDecision [results=" + this.results + ']';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
private static final class NotAuthorizationDecision extends AuthorizationDecision {
|
||||
|
||||
private final AuthorizationDecision decision;
|
||||
private final AuthorizationResult result;
|
||||
|
||||
private NotAuthorizationDecision(AuthorizationDecision decision) {
|
||||
super(!decision.isGranted());
|
||||
this.decision = decision;
|
||||
private NotAuthorizationDecision(AuthorizationResult result) {
|
||||
super(!result.isGranted());
|
||||
this.result = result;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "NotAuthorizationDecision [decision=" + this.decision + ']';
|
||||
return "NotAuthorizationDecision [result=" + this.result + ']';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
|
||||
|
||||
@Override
|
||||
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
|
||||
AuthorizationResult result = authorize(authentication, object);
|
||||
if (result == null) {
|
||||
return null;
|
||||
}
|
||||
if (result instanceof AuthorizationDecision decision) {
|
||||
return decision;
|
||||
}
|
||||
throw new IllegalArgumentException(
|
||||
"please call #authorize or ensure that the result is of type AuthorizationDecision");
|
||||
}
|
||||
|
||||
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+8
-7
@@ -33,8 +33,6 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
|
||||
|
||||
private final T object;
|
||||
|
||||
private AuthorizationDecision decision;
|
||||
|
||||
private AuthorizationResult authorizationResult;
|
||||
|
||||
public AuthorizationObservationContext(T object) {
|
||||
@@ -77,9 +75,14 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
|
||||
*/
|
||||
@Deprecated
|
||||
public AuthorizationDecision getDecision() {
|
||||
Assert.isInstanceOf(AuthorizationDecision.class, this.authorizationResult,
|
||||
if (this.authorizationResult == null) {
|
||||
return null;
|
||||
}
|
||||
if (this.authorizationResult instanceof AuthorizationDecision decision) {
|
||||
return decision;
|
||||
}
|
||||
throw new IllegalArgumentException(
|
||||
"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
|
||||
return (AuthorizationDecision) this.authorizationResult;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -89,9 +92,7 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
|
||||
*/
|
||||
@Deprecated
|
||||
public void setDecision(AuthorizationDecision decision) {
|
||||
Assert.isInstanceOf(AuthorizationDecision.class, decision,
|
||||
"Please call setAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
|
||||
this.decision = decision;
|
||||
this.authorizationResult = decision;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
+4
@@ -61,6 +61,10 @@ public final class ObservationAuthorizationManager<T>
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated please use {@link #authorize(Supplier, Object)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
|
||||
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);
|
||||
|
||||
+4
@@ -56,6 +56,10 @@ public final class ObservationReactiveAuthorizationManager<T>
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated please use {@link #authorize(Mono, Object)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
|
||||
AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);
|
||||
|
||||
+8
-8
@@ -182,22 +182,22 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
|
||||
private Object attemptAuthorization(MethodInvocation mi, Object result) {
|
||||
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
|
||||
MethodInvocationResult object = new MethodInvocationResult(mi, result);
|
||||
AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object);
|
||||
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision);
|
||||
if (decision != null && !decision.isGranted()) {
|
||||
AuthorizationResult authorizationResult = this.authorizationManager.authorize(this::getAuthentication, object);
|
||||
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, authorizationResult);
|
||||
if (authorizationResult != null && !authorizationResult.isGranted()) {
|
||||
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
|
||||
+ this.authorizationManager + " and decision " + decision));
|
||||
return handlePostInvocationDenied(object, decision);
|
||||
+ this.authorizationManager + " and authorizationResult " + authorizationResult));
|
||||
return handlePostInvocationDenied(object, authorizationResult);
|
||||
}
|
||||
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
|
||||
return result;
|
||||
}
|
||||
|
||||
private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult decision) {
|
||||
private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult result) {
|
||||
if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) {
|
||||
return deniedHandler.handleDeniedInvocationResult(mi, decision);
|
||||
return deniedHandler.handleDeniedInvocationResult(mi, result);
|
||||
}
|
||||
return this.defaultHandler.handleDeniedInvocationResult(mi, decision);
|
||||
return this.defaultHandler.handleDeniedInvocationResult(mi, result);
|
||||
}
|
||||
|
||||
private Authentication getAuthentication() {
|
||||
|
||||
+9
-9
@@ -246,18 +246,18 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
|
||||
|
||||
private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
|
||||
this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
|
||||
AuthorizationResult decision;
|
||||
AuthorizationResult result;
|
||||
try {
|
||||
decision = this.authorizationManager.authorize(this::getAuthentication, mi);
|
||||
result = this.authorizationManager.authorize(this::getAuthentication, mi);
|
||||
}
|
||||
catch (AuthorizationDeniedException denied) {
|
||||
return handle(mi, denied);
|
||||
}
|
||||
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, decision);
|
||||
if (decision != null && !decision.isGranted()) {
|
||||
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, result);
|
||||
if (result != null && !result.isGranted()) {
|
||||
this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
|
||||
+ this.authorizationManager + " and decision " + decision));
|
||||
return handle(mi, decision);
|
||||
+ this.authorizationManager + " and result " + result));
|
||||
return handle(mi, result);
|
||||
}
|
||||
this.logger.debug(LogMessage.of(() -> "Authorized method invocation " + mi));
|
||||
return proceed(mi);
|
||||
@@ -282,11 +282,11 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
|
||||
return this.defaultHandler.handleDeniedInvocation(mi, denied);
|
||||
}
|
||||
|
||||
private Object handle(MethodInvocation mi, AuthorizationResult decision) {
|
||||
private Object handle(MethodInvocation mi, AuthorizationResult result) {
|
||||
if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
|
||||
return handler.handleDeniedInvocation(mi, decision);
|
||||
return handler.handleDeniedInvocation(mi, result);
|
||||
}
|
||||
return this.defaultHandler.handleDeniedInvocation(mi, decision);
|
||||
return this.defaultHandler.handleDeniedInvocation(mi, result);
|
||||
}
|
||||
|
||||
private Authentication getAuthentication() {
|
||||
|
||||
+25
-2
@@ -33,6 +33,7 @@ import org.springframework.lang.NonNull;
|
||||
import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
|
||||
import org.springframework.security.core.annotation.SecurityAnnotationScanners;
|
||||
@@ -86,7 +87,9 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
* @param methodInvocation the {@link MethodInvocation} to check
|
||||
* @return an {@link AuthorizationDecision} or null if the JSR-250 security
|
||||
* annotations is not present
|
||||
* @deprecated please use {@link #authorize(Supplier, Object)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation methodInvocation) {
|
||||
AuthorizationManager<MethodInvocation> delegate = this.registry.getManager(methodInvocation);
|
||||
@@ -109,8 +112,9 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
return (a, o) -> new AuthorizationDecision(true);
|
||||
}
|
||||
if (annotation instanceof RolesAllowed rolesAllowed) {
|
||||
return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a,
|
||||
getAllowedRolesWithPrefix(rolesAllowed));
|
||||
return (AuthorizationManagerCheckAdapter<MethodInvocation>) (a,
|
||||
o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.authorize(a,
|
||||
getAllowedRolesWithPrefix(rolesAllowed));
|
||||
}
|
||||
return NULL_MANAGER;
|
||||
}
|
||||
@@ -130,4 +134,23 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
|
||||
}
|
||||
|
||||
private interface AuthorizationManagerCheckAdapter<T> extends AuthorizationManager<T> {
|
||||
|
||||
@Override
|
||||
default AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
|
||||
AuthorizationResult result = authorize(authentication, object);
|
||||
if (result == null) {
|
||||
return null;
|
||||
}
|
||||
if (result instanceof AuthorizationDecision decision) {
|
||||
return decision;
|
||||
}
|
||||
throw new IllegalArgumentException(
|
||||
"please call #authorize or ensure that the result is of type AuthorizationDecision");
|
||||
}
|
||||
|
||||
AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+2
@@ -73,7 +73,9 @@ public final class SecuredAuthorizationManager implements AuthorizationManager<M
|
||||
* @param mi the {@link MethodInvocation} to check
|
||||
* @return an {@link AuthorizationDecision} or null if the {@link Secured} annotation
|
||||
* is not present
|
||||
* @deprecated please use {@link #authorize(Supplier, Object)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
|
||||
Set<String> authorities = getAuthorities(mi);
|
||||
|
||||
+3
@@ -38,6 +38,8 @@ import org.springframework.security.core.Authentication;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
@@ -78,6 +80,7 @@ public class Jsr250AuthorizationManagerTests {
|
||||
@Test
|
||||
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
|
||||
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
|
||||
given(authoritiesAuthorizationManager.authorize(any(), any())).willCallRealMethod();
|
||||
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
|
||||
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
|
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
|
||||
|
||||
Reference in New Issue
Block a user