Add Method Security

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -21,20 +21,25 @@
 import java.util.List;
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
 import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagers;
 import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
@@ -47,10 +52,9 @@
 import org.springframework.security.core.context.SecurityContextChangedListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
@@ -65,6 +69,8 @@
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import static org.hamcrest.Matchers.containsString;
@@ -78,6 +84,7 @@
 import static org.springframework.security.config.annotation.SecurityContextChangedListenerArgumentMatchers.setAuthentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.logout;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -409,57 +416,58 @@ public void configureWhenPortResolverBeanThenPortResolverUsed() throws Exception
 
 	@Test
 	void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
-		this.spring.register(MfaDslConfig.class).autowire();
+		this.spring.register(MfaDslConfig.class, UserConfig.class).autowire();
 		UserDetails user = PasswordEncodedUser.user();
-		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.user(user)))
+		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login"));
 		this.mockMvc
-			.perform(post("/ott/generate").param("username", "user")
-				.with(SecurityMockMvcRequestPostProcessors.user(user))
+			.perform(post("/ott/generate").param("username", "rod")
+				.with(user(user))
 				.with(SecurityMockMvcRequestPostProcessors.csrf()))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("/ott/sent"));
 		this.mockMvc
-			.perform(post("/login").param("username", user.getUsername())
-				.param("password", user.getPassword())
+			.perform(post("/login").param("username", "rod")
+				.param("password", "password")
 				.with(SecurityMockMvcRequestPostProcessors.csrf()))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("/"));
 		user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_OTT").build();
-		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.user(user)))
+		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login"));
 		user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_PASSWORD").build();
-		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.user(user)))
+		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().isOk())
 			.andExpect(content().string(containsString("/ott/generate")));
 		user = PasswordEncodedUser.withUserDetails(user)
 			.authorities("profile:read", "FACTOR_PASSWORD", "FACTOR_OTT")
 			.build();
-		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.user(user)))
-			.andExpect(status().isNotFound());
+		this.mockMvc.perform(get("/profile").with(user(user))).andExpect(status().isNotFound());
 	}
 
 	@Test
 	void requestWhenUnauthenticatedX509ThenRequiresTwoSteps() throws Exception {
-		this.spring.register(MfaDslX509Config.class).autowire();
-		this.mockMvc.perform(get("/")).andExpect(status().isForbidden());
+		this.spring.register(MfaDslX509Config.class, UserConfig.class, BasicController.class).autowire();
+		this.mockMvc.perform(get("/profile")).andExpect(status().isForbidden());
+		this.mockMvc.perform(get("/profile").with(user(User.withUsername("rod").authorities("profile:read").build())))
+			.andExpect(status().isForbidden());
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
-		this.mockMvc.perform(get("/").with(SecurityMockMvcRequestPostProcessors.x509("rod.cer")))
+		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.x509("rod.cer")))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login"));
-		UserDetails user = PasswordEncodedUser.withUsername("rod")
-			.password("password")
-			.authorities("AUTHN_FORM")
-			.build();
 		this.mockMvc
-			.perform(post("/login").param("username", user.getUsername())
-				.param("password", user.getPassword())
+			.perform(post("/login").param("username", "rod")
+				.param("password", "password")
 				.with(SecurityMockMvcRequestPostProcessors.x509("rod.cer"))
 				.with(SecurityMockMvcRequestPostProcessors.csrf()))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("/"));
+		UserDetails authorized = PasswordEncodedUser.withUsername("rod")
+			.authorities("profile:read", "FACTOR_X509", "FACTOR_PASSWORD")
+			.build();
+		this.mockMvc.perform(get("/profile").with(user(authorized))).andExpect(status().isOk());
 	}
 
 	@Configuration
@@ -832,75 +840,101 @@ public <O> O postProcess(O object) {
 	static class MfaDslConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 			// @formatter:off
 			http
 				.formLogin(Customizer.withDefaults())
 				.oneTimeTokenLogin(Customizer.withDefaults())
 				.authorizeHttpRequests((authorize) -> authorize
-					.requestMatchers("/profile").access(
-						new HasAllAuthoritiesAuthorizationManager<>("profile:read", "FACTOR_PASSWORD", "FACTOR_OTT")
-					)
-					.anyRequest().access(new HasAllAuthoritiesAuthorizationManager<>("FACTOR_PASSWORD", "FACTOR_OTT"))
+					.requestMatchers("/profile").access(authz.hasAuthority("profile:read"))
+					.anyRequest().access(authz.authenticated())
 				);
 			return http.build();
 			// @formatter:on
 		}
 
 		@Bean
-		UserDetailsService users() {
-			return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
+		OneTimeTokenGenerationSuccessHandler tokenGenerationSuccessHandler() {
+			return new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");
 		}
 
 		@Bean
-		PasswordEncoder encoder() {
-			return NoOpPasswordEncoder.getInstance();
-		}
-
-		@Bean
-		OneTimeTokenGenerationSuccessHandler tokenGenerationSuccessHandler() {
-			return new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");
+		AuthorizationManagerFactory authz() {
+			return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
 		}
 
 	}
 
 	@Configuration
 	@EnableWebSecurity
+	@EnableMethodSecurity
 	static class MfaDslX509Config {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 			// @formatter:off
 			http
-				.formLogin(Customizer.withDefaults())
 				.x509(Customizer.withDefaults())
+				.formLogin(Customizer.withDefaults())
 				.authorizeHttpRequests((authorize) -> authorize
-					.anyRequest().access(
-						new HasAllAuthoritiesAuthorizationManager<>("FACTOR_X509", "FACTOR_PASSWORD")
-					)
+					.anyRequest().access(authz.authenticated())
 				);
 			return http.build();
 			// @formatter:on
 		}
 
 		@Bean
-		UserDetailsService users() {
-			return new InMemoryUserDetailsManager(
-					PasswordEncodedUser.withUsername("rod").password("{noop}password").build());
+		AuthorizationManagerFactory authz() {
+			return new AuthorizationManagerFactory("FACTOR_X509", "FACTOR_PASSWORD");
+		}
+
+	}
+
+	@Configuration
+	static class UserConfig {
+
+		@Bean
+		UserDetails rod() {
+			return PasswordEncodedUser.withUsername("rod").password("password").build();
+		}
+
+		@Bean
+		UserDetailsService users(UserDetails user) {
+			return new InMemoryUserDetailsManager(user);
 		}
 
 	}
 
-	private static final class HasAllAuthoritiesAuthorizationManager<C> implements AuthorizationManager<C> {
+	@RestController
+	static class BasicController {
+
+		@GetMapping("/profile")
+		@PreAuthorize("@authz.hasAuthority('profile:read')")
+		String profile() {
+			return "profile";
+		}
+
+	}
+
+	public static class AuthorizationManagerFactory {
 
 		private final Collection<String> authorities;
 
-		private HasAllAuthoritiesAuthorizationManager(String... authorities) {
+		AuthorizationManagerFactory(String... authorities) {
 			this.authorities = List.of(authorities);
 		}
 
-		@Override
-		public @Nullable AuthorizationResult authorize(Supplier<Authentication> authentication, C object) {
+		public <T> AuthorizationManager<T> authenticated() {
+			AuthenticatedAuthorizationManager<T> authenticated = AuthenticatedAuthorizationManager.authenticated();
+			return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authenticated);
+		}
+
+		public <T> AuthorizationManager<T> hasAuthority(String authority) {
+			AuthorityAuthorizationManager<T> authorized = AuthorityAuthorizationManager.hasAuthority(authority);
+			return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authorized);
+		}
+
+		private <T> AuthorizationResult factors(Supplier<Authentication> authentication, T context) {
 			List<String> authorities = authentication.get()
 				.getAuthorities()
 				.stream()

core/src/main/java/org/springframework/security/authorization/method/ExpressionUtils.java

@@ -16,23 +16,38 @@
 
 package org.springframework.security.authorization.method;
 
+import java.util.function.Supplier;
+
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.EvaluationException;
 import org.springframework.expression.Expression;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ExpressionAuthorizationDecision;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 
 final class ExpressionUtils {
 
 	private ExpressionUtils() {
 	}
 
 	static @Nullable AuthorizationResult evaluate(Expression expr, EvaluationContext ctx) {
+		return evaluate(expr, ctx, null, null);
+	}
+
+	static <T> @Nullable AuthorizationResult evaluate(Expression expr, EvaluationContext ctx,
+			@Nullable Supplier<Authentication> authentication, @Nullable T context) {
 		try {
 			Object result = expr.getValue(ctx);
+			if (result instanceof AuthorizationManager<?> manager) {
+				Assert.notNull(authentication, "authentication supplier cannot be null");
+				Assert.notNull(context, "context cannot be null");
+				return ((AuthorizationManager<T>) manager).authorize(authentication, context);
+			}
 			if (result instanceof AuthorizationResult decision) {
 				return decision;
 			}

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java

@@ -95,7 +95,7 @@ public void setApplicationContext(ApplicationContext context) {
 		MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();
 		EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi.getMethodInvocation());
 		expressionHandler.setReturnObject(mi.getResult(), ctx);
-		return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
+		return ExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi);
 	}
 
 	@Override

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java

@@ -85,7 +85,7 @@ public void setApplicationContext(ApplicationContext context) {
 			return null;
 		}
 		EvaluationContext ctx = this.registry.getExpressionHandler().createEvaluationContext(authentication, mi);
-		return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
+		return ExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi);
 	}
 
 	@Override