
Add hasAll(Roles|Authorities) to SecurityExpressionRoot

This adds support for hasAllRoles and hasAllAuthorities to method security
expressions.

Issue gh-17932
This commit is contained in:
Rob Winch
2025-09-19 09:33:50 -05:00
parent bce8049815
commit 9eaadcc70d
7 changed files with 89 additions and 2 deletions
@@ -93,6 +93,12 @@ public interface MethodSecurityService {
@PreAuthorize("hasRole('USER')")
void preAuthorizeUser();
@PreAuthorize("hasAllRoles('USER', 'ADMIN')")
void hasAllRolesUserAdmin();
@PreAuthorize("hasAllAuthorities('ROLE_USER', 'ROLE_ADMIN')")
void hasAllAuthoritiesRoleUserRoleAdmin();
@PreAuthorize("hasPermission(#object,'read')")
String hasPermission(String object);
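Review bot: The new `hasAllRoles('USER', 'ADMIN')` declaration on `hasAllRolesUserAdmin()` only exercises the default role prefix, while the existing fixture at the bottom of the page (`preAuthorizeAdminWhenRoleAdminAndCustomPrefixThenPasses` with `@WithMockUser(authorities = "PREFIX_ADMIN")`) shows `hasRole` is already covered under a custom prefix. A parallel fixture method, e.g. `@PreAuthorize("hasAllRoles('ADMIN', 'USER')") void hasAllRolesCustomPrefix();`, driven from that custom-prefix configuration would confirm the prefix is applied to every element of the list rather than only the first. The implementation of hasAllRoles/hasAllAuthorities is not on this page, so it is also unclear from these fixtures what an empty argument list (`hasAllRoles()`) evaluates to; since an all-of check is vacuously true over an empty set, a test pinning that case to a denial would be worth adding.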
@@ -203,4 +203,12 @@ public class MethodSecurityServiceImpl implements MethodSecurityService {
return "ok";
}
@Override
public void hasAllRolesUserAdmin() {
}
@Override
public void hasAllAuthoritiesRoleUserRoleAdmin() {
}
}
@@ -282,6 +282,52 @@ public class PrePostMethodSecurityConfigurationTests {
verify(strategy, atLeastOnce()).getContext();
}
@WithMockUser(roles = { "ADMIN", "USER" })
@Test
public void hasAllAuthoritiesRoleUserRoleAdminWhenGranted() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
this.methodSecurityService.hasAllAuthoritiesRoleUserRoleAdmin();
}
@WithMockUser(roles = { "USER" })
@Test
public void hasAllAuthoritiesRoleUserRoleAdminWhenMissingOneThenDenied() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(this.methodSecurityService::hasAllAuthoritiesRoleUserRoleAdmin);
}
@WithMockUser(roles = { "OTHER" })
@Test
public void hasAllAuthoritiesRoleUserRoleAdminWhenAllThenDenied() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(this.methodSecurityService::hasAllAuthoritiesRoleUserRoleAdmin);
}
@WithMockUser(roles = { "ADMIN", "USER" })
@Test
public void hasAllRolesRoleUserRoleAdminWhenGranted() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
this.methodSecurityService.hasAllRolesUserAdmin();
}
@WithMockUser(roles = { "USER" })
@Test
public void hasAllRolesRoleUserRoleAdminWhenMissingOneThenDenied() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(this.methodSecurityService::hasAllRolesUserAdmin);
}
@WithMockUser(roles = { "OTHER" })
@Test
public void hasAllRolesRoleUserRoleAdminWhenAllThenDenied() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
assertThatExceptionOfType(AccessDeniedException.class)
.isThrownBy(this.methodSecurityService::hasAllRolesUserAdmin);
}
@WithMockUser(authorities = "PREFIX_ADMIN")
@Test
public void preAuthorizeAdminWhenRoleAdminAndCustomPrefixThenPasses() {