Add Value-Type Ignore Support

Issue gh-14597

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java

@@ -30,16 +30,19 @@
 import org.springframework.security.authorization.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor;
+import org.springframework.security.config.Customizer;
 
 @Configuration(proxyBeanMethods = false)
 final class AuthorizationProxyConfiguration implements AopInfrastructureBean {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static AuthorizationAdvisorProxyFactory authorizationProxyFactory(ObjectProvider<AuthorizationAdvisor> provider) {
+	static AuthorizationAdvisorProxyFactory authorizationProxyFactory(ObjectProvider<AuthorizationAdvisor> provider,
+			ObjectProvider<Customizer<AuthorizationAdvisorProxyFactory>> customizers) {
 		List<AuthorizationAdvisor> advisors = new ArrayList<>();
 		provider.forEach(advisors::add);
-		AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory();
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		customizers.forEach((c) -> c.customize(factory));
 		factory.setAdvisors(advisors);
 		return factory;
 	}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationProxyConfiguration.java

@@ -27,28 +27,30 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
-import org.springframework.security.authorization.ReactiveAuthorizationAdvisorProxyFactory;
+import org.springframework.security.authorization.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor;
+import org.springframework.security.config.Customizer;
 
 @Configuration(proxyBeanMethods = false)
 final class ReactiveAuthorizationProxyConfiguration implements AopInfrastructureBean {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static ReactiveAuthorizationAdvisorProxyFactory authorizationProxyFactory(
-			ObjectProvider<AuthorizationAdvisor> provider) {
+	static AuthorizationAdvisorProxyFactory authorizationProxyFactory(ObjectProvider<AuthorizationAdvisor> provider,
+			ObjectProvider<Customizer<AuthorizationAdvisorProxyFactory>> customizers) {
 		List<AuthorizationAdvisor> advisors = new ArrayList<>();
 		provider.forEach(advisors::add);
-		ReactiveAuthorizationAdvisorProxyFactory factory = new ReactiveAuthorizationAdvisorProxyFactory();
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withReactiveDefaults();
+		customizers.forEach((c) -> c.customize(factory));
 		factory.setAdvisors(advisors);
 		return factory;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor authorizeReturnObjectMethodInterceptor(ObjectProvider<AuthorizationAdvisor> provider,
-			ReactiveAuthorizationAdvisorProxyFactory authorizationProxyFactory) {
+			AuthorizationAdvisorProxyFactory authorizationProxyFactory) {
 		AuthorizeReturnObjectMethodInterceptor interceptor = new AuthorizeReturnObjectMethodInterceptor(
 				authorizationProxyFactory);
 		List<AuthorizationAdvisor> advisors = new ArrayList<>();

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -58,6 +58,7 @@
 import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
+import org.springframework.security.authorization.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -66,6 +67,7 @@
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
 import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
@@ -1143,6 +1145,12 @@ List<String> resultsContainDave(List<String> list) {
 	@Configuration
 	static class AuthorizeResultConfig {
 
+		@Bean
+		@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+		static Customizer<AuthorizationAdvisorProxyFactory> skipValueTypes() {
+			return (f) -> f.setTargetVisitor(AuthorizationAdvisorProxyFactory.DEFAULT_VISITOR_SKIP_VALUE_TYPES);
+		}
+
 		@Bean
 		FlightRepository flights() {
 			FlightRepository flights = new FlightRepository();
@@ -1186,6 +1194,7 @@ void remove(String id) {
 
 	}
 
+	@AuthorizeReturnObject
 	static class Flight {
 
 		private final String id;
@@ -1216,7 +1225,6 @@ Integer getSeats() {
 			return this.seats;
 		}
 
-		@AuthorizeReturnObject
 		@PostAuthorize("hasAuthority('seating:read')")
 		@PostFilter("filterObject.name != 'Kevin Mitnick'")
 		List<Passenger> getPassengers() {

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java

@@ -30,8 +30,10 @@
 import reactor.test.StepVerifier;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
 import org.springframework.expression.EvaluationContext;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.expression.SecurityExpressionRoot;
@@ -42,7 +44,9 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.authorization.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
@@ -238,6 +242,13 @@ public void bar(String param) {
 	@Configuration
 	static class AuthorizeResultConfig {
 
+		@Bean
+		@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+		static Customizer<AuthorizationAdvisorProxyFactory> skipValueTypes() {
+			return (factory) -> factory
+				.setTargetVisitor(AuthorizationAdvisorProxyFactory.DEFAULT_VISITOR_SKIP_VALUE_TYPES);
+		}
+
 		@Bean
 		FlightRepository flights() {
 			FlightRepository flights = new FlightRepository();
@@ -282,6 +293,7 @@ Mono<Void> remove(String id) {
 
 	}
 
+	@AuthorizeReturnObject
 	static class Flight {
 
 		private final String id;
@@ -312,7 +324,6 @@ Mono<Integer> getSeats() {
 			return Mono.just(this.seats);
 		}
 
-		@AuthorizeReturnObject
 		@PostAuthorize("hasAnyAuthority('seating:read', 'airplane:read')")
 		@PostFilter("@isNotKevin.apply(filterObject)")
 		Flux<Passenger> getPassengers() {