Use PermissionEvaluator

kse-music · kse-music · commit 8469ddfb339a · 2024-09-01T08:59:06.000+08:00
Closes gh-15715
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
@@ -35,6 +35,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
@@ -115,11 +116,13 @@ static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
-			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) {
+			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults,
+			ObjectProvider<PermissionEvaluator> permissionEvaluator) {
 		DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
 		if (grantedAuthorityDefaults != null) {
 			handler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
 		}
+		permissionEvaluator.ifAvailable(handler::setPermissionEvaluator);
 		return handler;
 	}
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java
@@ -16,18 +16,23 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.io.Serializable;
+
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import reactor.test.StepVerifier;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
+
 @ExtendWith({ SpringExtension.class, SpringTestContextExtension.class })
 @SecurityTestExecutionListeners
 public class PrePostReactiveMethodSecurityConfigurationTests {
@@ -201,6 +206,14 @@ void preAuthorizeWhenAllowedAndHandlerWithCustomAnnotationUsingBeanThenInvokeMet
 		StepVerifier.create(service.preAuthorizeWithMaskAnnotationUsingBean()).expectNext("ok").verifyComplete();
 	}
 
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	public void methodSecurityExpressionHandlerWhenPermissionEvaluatorBeanAvailableThenUses() {
+		this.spring.register(MethodSecurityServiceEnabledConfig.class, PermissionEvaluatorConfig.class).autowire();
+		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
+		StepVerifier.create(service.preAuthorizeHasPermission("Hello")).expectNext("ok").verifyComplete();
+	}
+
 	@Configuration
 	@EnableReactiveMethodSecurity
 	static class MethodSecurityServiceEnabledConfig {
@@ -212,4 +225,24 @@ ReactiveMethodSecurityService methodSecurityService() {
 
 	}
 
+	@Configuration
+	static class PermissionEvaluatorConfig {
+
+		@Bean
+		PermissionEvaluator permissionEvaluator() {
+			return new PermissionEvaluator() {
+				@Override
+				public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+					return true;
+				}
+
+				@Override
+				public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
+					return true;
+				}
+			};
+		}
+
+	}
+
 }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java
@@ -101,6 +101,9 @@ public interface ReactiveMethodSecurityService {
 	@HandleAuthorizationDenied(handlerClass = MethodAuthorizationDeniedHandler.class)
 	Mono<String> checkCustomResult(boolean result);
 
+	@PreAuthorize("hasPermission('#kgName', 'read')")
+	Mono<String> preAuthorizeHasPermission(String kgName);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java
@@ -88,4 +88,8 @@ public Mono<String> checkCustomResult(boolean result) {
 		return Mono.just("ok");
 	}
 
+	@Override
+	public Mono<String> preAuthorizeHasPermission(String kgName) {
+		return Mono.just("ok");
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -88,4 +88,8 @@ public Mono<String> checkCustomResult(boolean result) {`
`88`	`88`	`return Mono.just("ok");`
`89`	`89`	`}`
`90`	`90`
	`91`	`+ @Override`
	`92`	`+ public Mono<String> preAuthorizeHasPermission(String kgName) {`
	`93`	`+ return Mono.just("ok");`
	`94`	`+ }`
`91`	`95`	`}`