SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
+14
@@ -269,6 +269,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
|
||||
assertEquals("bob", result[0]);
|
||||
}
|
||||
|
||||
// SEC-1392
|
||||
@Test
|
||||
public void customPermissionEvaluatorIsSupported() throws Exception {
|
||||
setContext(
|
||||
"<global-method-security pre-post-annotations='enabled'>" +
|
||||
" <expression-handler ref='expressionHandler'/>" +
|
||||
"</global-method-security>" +
|
||||
"<b:bean id='expressionHandler' class='org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler'>" +
|
||||
" <b:property name='permissionEvaluator' ref='myPermissionEvaluator'/>" +
|
||||
"</b:bean>" +
|
||||
"<b:bean id='myPermissionEvaluator' class='org.springframework.security.config.method.TestPermissionEvaluator'/>" +
|
||||
AUTH_PROVIDER_XML);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void runAsManagerIsSetCorrectly() throws Exception {
|
||||
StaticApplicationContext parent = new StaticApplicationContext();
|
||||
|
||||
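Review bot: `customPermissionEvaluatorIsSupported` contains no assertion, so it only proves that the application context starts when the expression handler references a custom `PermissionEvaluator`. It does not prove that this evaluator is the one consulted when a secured method is invoked. Since this is an authorization regression test, consider also declaring a bean with a `hasPermission(...)` expression in the test XML and asserting on the access decision after `setContext(...)`. A short comment such as `// SEC-1392: context must start when the expression handler references a custom PermissionEvaluator` would make the intent of the bare `setContext` call clear. The trailing context lines belong to `runAsManagerIsSetCorrectly`, whose body continues outside the hunk.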
+19
@@ -0,0 +1,19 @@
|
||||
package org.springframework.security.config.method;
|
||||
|
||||
import java.io.Serializable;
|
||||
|
||||
import org.springframework.security.access.PermissionEvaluator;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
public class TestPermissionEvaluator implements PermissionEvaluator {
|
||||
|
||||
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
|
||||
return false;
|
||||
}
|
||||
|
||||
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
|
||||
Object permission) {
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
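Review bot: Both `hasPermission` overloads in `TestPermissionEvaluator` return `false` unconditionally, so a test using this stub cannot tell whether the custom evaluator was actually invoked. As far as I know, the handler's default evaluator also denies everything, so silently falling back to it would give the same result. Consider recording the call, for example with a `boolean invoked` field set in each overload, or returning a value that differs from the default, so a wiring regression shows up as a test failure. A class comment stating that this is a test-only stub, and why it denies every request, would also help.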