Add Security Hint AOT Processing

This API allows for hint registration based on Spring Security's
infrastructural beans

Author: jzheaux

config/spring-security-config.gradle

@@ -21,6 +21,7 @@ dependencies {
 	api 'org.springframework:spring-context'
 	api 'org.springframework:spring-core'
 
+	optional project(':spring-security-data')
 	optional project(':spring-security-ldap')
 	optional project(':spring-security-messaging')
 	optional project(path: ':spring-security-saml2-service-provider')

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java

@@ -26,6 +26,9 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.security.aot.hint.AuthorizeReturnObjectHintsRegistrar;
+import org.springframework.security.aot.hint.SecurityHintsRegistrar;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor;
@@ -54,4 +57,13 @@ static MethodInterceptor authorizeReturnObjectMethodInterceptor(ObjectProvider<A
 		return interceptor;
 	}
 
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	static SecurityHintsRegistrar authorizeReturnObjectHintsRegistrar(AuthorizationProxyFactory proxyFactory,
+			ObjectProvider<Customizer<AuthorizeReturnObjectHintsRegistrar>> customizers) {
+		AuthorizeReturnObjectHintsRegistrar registrar = new AuthorizeReturnObjectHintsRegistrar(proxyFactory);
+		customizers.forEach((c) -> c.customize(registrar));
+		return registrar;
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.security.aot.hint.SecurityHintsRegistrar;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar;
+
+@Configuration(proxyBeanMethods = false)
+final class AuthorizationProxyDataConfiguration implements AopInfrastructureBean {
+
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	static SecurityHintsRegistrar authorizeReturnObjectDataHintsRegistrar(AuthorizationProxyFactory proxyFactory) {
+		return new AuthorizeReturnObjectDataHintsRegistrar(proxyFactory);
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java

@@ -26,6 +26,7 @@
 import org.springframework.context.annotation.ImportSelector;
 import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.lang.NonNull;
+import org.springframework.util.ClassUtils;
 
 /**
  * Dynamically determines which imports to include using the {@link EnableMethodSecurity}
@@ -37,6 +38,9 @@
  */
 final class MethodSecuritySelector implements ImportSelector {
 
+	private static final boolean isDataPresent = ClassUtils
+		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
+
 	private final ImportSelector autoProxy = new AutoProxyRegistrarSelector();
 
 	@Override
@@ -57,6 +61,9 @@ public String[] selectImports(@NonNull AnnotationMetadata importMetadata) {
 			imports.add(Jsr250MethodSecurityConfiguration.class.getName());
 		}
 		imports.add(AuthorizationProxyConfiguration.class.getName());
+		if (isDataPresent) {
+			imports.add(AuthorizationProxyDataConfiguration.class.getName());
+		}
 		return imports.toArray(new String[0]);
 	}
 

config/src/test/java/org/springframework/security/config/annotation/method/configuration/aot/EnableMethodSecurityAotTests.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration.aot;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import javax.sql.DataSource;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.aot.generate.GenerationContext;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.aot.BeanFactoryInitializationCode;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
+import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
+import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
+import org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean;
+import org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter;
+import org.springframework.security.aot.hint.SecurityHintsAotProcessor;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * AOT Tests for {@code PrePostMethodSecurityConfiguration}.
+ *
+ * @author Evgeniy Cheban
+ * @author Josh Cummings
+ */
+@ExtendWith({ SpringExtension.class, SpringTestContextExtension.class })
+public class EnableMethodSecurityAotTests {
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	private final RuntimeHints hints = new RuntimeHints();
+
+	private final GenerationContext context = mock(GenerationContext.class);
+
+	private final BeanFactoryInitializationCode code = mock(BeanFactoryInitializationCode.class);
+
+	private final SecurityHintsAotProcessor proxy = new SecurityHintsAotProcessor();
+
+	@Autowired
+	ConfigurableListableBeanFactory beanFactory;
+
+	@Test
+	void findsAllNeededClassesToProxy() {
+		this.spring.register(AppConfig.class).autowire();
+		given(this.context.getRuntimeHints()).willReturn(this.hints);
+		this.proxy.processAheadOfTime(this.beanFactory).applyTo(this.context, this.code);
+		Collection<String> canonicalNames = new ArrayList<>();
+		this.hints.reflection().typeHints().forEach((hint) -> canonicalNames.add(hint.getType().getCanonicalName()));
+		assertThat(canonicalNames).contains(
+				"org.springframework.security.config.annotation.method.configuration.aot.Message$$SpringCGLIB$$0",
+				"org.springframework.security.config.annotation.method.configuration.aot.User$$SpringCGLIB$$0");
+	}
+
+	@Configuration
+	@EnableMethodSecurity
+	@EnableJpaRepositories
+	static class AppConfig {
+
+		@Bean
+		DataSource dataSource() {
+			EmbeddedDatabaseBuilder builder = new EmbeddedDatabaseBuilder();
+			return builder.setType(EmbeddedDatabaseType.HSQL).build();
+		}
+
+		@Bean
+		LocalContainerEntityManagerFactoryBean entityManagerFactory() {
+			HibernateJpaVendorAdapter vendorAdapter = new HibernateJpaVendorAdapter();
+			vendorAdapter.setGenerateDdl(true);
+			LocalContainerEntityManagerFactoryBean factory = new LocalContainerEntityManagerFactoryBean();
+			factory.setJpaVendorAdapter(vendorAdapter);
+			factory.setPackagesToScan("org.springframework.security.config.annotation.method.configuration.aot");
+			factory.setDataSource(dataSource());
+			return factory;
+		}
+
+	}
+
+}

config/src/test/java/org/springframework/security/config/annotation/method/configuration/aot/Message.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration.aot;
+
+import java.time.Instant;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.ManyToOne;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.authorization.method.AuthorizeReturnObject;
+
+@Entity
+public class Message {
+
+	@Id
+	@GeneratedValue(strategy = GenerationType.AUTO)
+	private Long id;
+
+	private String text;
+
+	private String summary;
+
+	private Instant created = Instant.now();
+
+	@ManyToOne
+	private User to;
+
+	@AuthorizeReturnObject
+	public User getTo() {
+		return this.to;
+	}
+
+	public void setTo(User to) {
+		this.to = to;
+	}
+
+	public Long getId() {
+		return this.id;
+	}
+
+	public void setId(Long id) {
+		this.id = id;
+	}
+
+	public Instant getCreated() {
+		return this.created;
+	}
+
+	public void setCreated(Instant created) {
+		this.created = created;
+	}
+
+	@PreAuthorize("hasAuthority('message:read')")
+	public String getText() {
+		return this.text;
+	}
+
+	public void setText(String text) {
+		this.text = text;
+	}
+
+	@PreAuthorize("hasAuthority('message:read')")
+	public String getSummary() {
+		return this.summary;
+	}
+
+	public void setSummary(String summary) {
+		this.summary = summary;
+	}
+
+}

config/src/test/java/org/springframework/security/config/annotation/method/configuration/aot/MessageRepository.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration.aot;
+
+import java.util.List;
+
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.CrudRepository;
+import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.stereotype.Repository;
+
+/**
+ * A repository for accessing {@link Message}s.
+ *
+ * @author Rob Winch
+ */
+@Repository
+@AuthorizeReturnObject
+public interface MessageRepository extends CrudRepository<Message, Long> {
+
+	@Query("select m from Message m where m.to.id = ?#{ authentication.name }")
+	List<Message> findAll();
+
+}