Support SpEL Returning AuthorizationDecision

Closes gh-14599

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java

@@ -19,18 +19,30 @@
 import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
+import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ObservationAuthorizationManager;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.function.SingletonSupplier;
 
-final class DeferringObservationAuthorizationManager<T> implements AuthorizationManager<T> {
+final class DeferringObservationAuthorizationManager<T>
+		implements AuthorizationManager<T>, MethodAuthorizationDeniedHandler, MethodAuthorizationDeniedPostProcessor {
 
 	private final Supplier<AuthorizationManager<T>> delegate;
 
+	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
+
+	private MethodAuthorizationDeniedPostProcessor postProcessor = new ThrowingMethodAuthorizationDeniedPostProcessor();
+
 	DeferringObservationAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
 			AuthorizationManager<T> delegate) {
 		this.delegate = SingletonSupplier.of(() -> {
@@ -40,11 +52,28 @@ final class DeferringObservationAuthorizationManager<T> implements Authorization
 			}
 			return new ObservationAuthorizationManager<>(registry, delegate);
 		});
+		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
+			this.handler = h;
+		}
+		if (delegate instanceof MethodAuthorizationDeniedPostProcessor p) {
+			this.postProcessor = p;
+		}
 	}
 
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
 		return this.delegate.get().check(authentication, object);
 	}
 
+	@Override
+	public Object handle(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
+		return this.handler.handle(methodInvocation, authorizationResult);
+	}
+
+	@Override
+	public Object postProcessResult(MethodInvocationResult methodInvocationResult,
+			AuthorizationResult authorizationResult) {
+		return this.postProcessor.postProcessResult(methodInvocationResult, authorizationResult);
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java

@@ -19,19 +19,31 @@
 import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
+import org.aopalliance.intercept.MethodInvocation;
 import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.function.SingletonSupplier;
 
-final class DeferringObservationReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
+final class DeferringObservationReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T>,
+		MethodAuthorizationDeniedHandler, MethodAuthorizationDeniedPostProcessor {
 
 	private final Supplier<ReactiveAuthorizationManager<T>> delegate;
 
+	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
+
+	private MethodAuthorizationDeniedPostProcessor postProcessor = new ThrowingMethodAuthorizationDeniedPostProcessor();
+
 	DeferringObservationReactiveAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
 			ReactiveAuthorizationManager<T> delegate) {
 		this.delegate = SingletonSupplier.of(() -> {
@@ -41,11 +53,28 @@ final class DeferringObservationReactiveAuthorizationManager<T> implements React
 			}
 			return new ObservationReactiveAuthorizationManager<>(registry, delegate);
 		});
+		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
+			this.handler = h;
+		}
+		if (delegate instanceof MethodAuthorizationDeniedPostProcessor p) {
+			this.postProcessor = p;
+		}
 	}
 
 	@Override
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
 		return this.delegate.get().check(authentication, object);
 	}
 
+	@Override
+	public Object handle(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
+		return this.handler.handle(methodInvocation, authorizationResult);
+	}
+
+	@Override
+	public Object postProcessResult(MethodInvocationResult methodInvocationResult,
+			AuthorizationResult authorizationResult) {
+		return this.postProcessor.postProcessResult(methodInvocationResult, authorizationResult);
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java

@@ -18,6 +18,8 @@
 
 import reactor.core.publisher.Mono;
 
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 
@@ -45,4 +47,20 @@ public boolean check(Authentication authentication, String message) {
 		return message != null && message.contains(authentication.getName());
 	}
 
+	public AuthorizationResult checkResult(boolean result) {
+		return new AuthzResult(result);
+	}
+
+	public Mono<AuthorizationResult> checkReactiveResult(boolean result) {
+		return Mono.just(checkResult(result));
+	}
+
+	public static class AuthzResult extends AuthorizationDecision {
+
+		public AuthzResult(boolean granted) {
+			super(granted);
+		}
+
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java

@@ -173,6 +173,11 @@ public interface MethodSecurityService {
 	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = UserFallbackDeniedHandler.class)
 	UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized();
 
+	@PreAuthorize(value = "@authz.checkResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
+	@PostAuthorize(value = "@authz.checkResult(!#result)",
+			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
+	String checkCustomResult(boolean result);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceConfig.java

@@ -28,4 +28,14 @@ MethodSecurityService service() {
 		return new MethodSecurityServiceImpl();
 	}
 
+	@Bean
+	ReactiveMethodSecurityService reactiveService() {
+		return new ReactiveMethodSecurityServiceImpl();
+	}
+
+	@Bean
+	Authz authz() {
+		return new Authz();
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.java

@@ -197,4 +197,9 @@ public UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized() {
 		return new UserRecordWithEmailProtected("username", "[email protected]");
 	}
 
+	@Override
+	public String checkCustomResult(boolean result) {
+		return "ok";
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -66,6 +66,8 @@
 import org.springframework.security.authorization.method.AuthorizationInterceptorsOrder;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.Customizer;
@@ -92,6 +94,8 @@
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link PrePostMethodSecurityConfiguration}.
@@ -925,6 +929,23 @@ void getUserWhenNotAuthorizedAndHandlerFallbackValueThenReturnFallbackValue() {
 		assertThat(user.name()).isEqualTo("Protected");
 	}
 
+	@Test
+	@WithMockUser
+	void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
+		this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		MethodAuthorizationDeniedHandler handler = this.spring.getContext()
+			.getBean(MethodAuthorizationDeniedHandler.class);
+		MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
+			.getBean(MethodAuthorizationDeniedPostProcessor.class);
+		assertThat(service.checkCustomResult(false)).isNull();
+		verify(handler).handle(any(), any(Authz.AuthzResult.class));
+		verifyNoInteractions(postProcessor);
+		assertThat(service.checkCustomResult(true)).isNull();
+		verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
+		verifyNoMoreInteractions(handler);
+	}
+
 	private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
 		return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
 	}
@@ -1449,4 +1470,23 @@ public String getName() {
 
 	}
 
+	@EnableMethodSecurity
+	static class CustomResultConfig {
+
+		MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
+
+		MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
+
+		@Bean
+		MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
+			return this.handler;
+		}
+
+		@Bean
+		MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
+			return this.postProcessor;
+		}
+
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java

@@ -47,15 +47,23 @@
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
+import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.test.context.support.WithMockUser;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * @author Tadaya Tsuyukubo
@@ -65,7 +73,7 @@ public class ReactiveMethodSecurityConfigurationTests {
 
 	public final SpringTestContext spring = new SpringTestContext(this);
 
-	@Autowired
+	@Autowired(required = false)
 	DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler;
 
 	@Test
@@ -212,6 +220,23 @@ public void findAllWhenNestedPreAuthorizeThenAuthorizes() {
 			.verifyError(AccessDeniedException.class);
 	}
 
+	@Test
+	@WithMockUser
+	void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
+		this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
+		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
+		MethodAuthorizationDeniedHandler handler = this.spring.getContext()
+			.getBean(MethodAuthorizationDeniedHandler.class);
+		MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
+			.getBean(MethodAuthorizationDeniedPostProcessor.class);
+		assertThat(service.checkCustomResult(false).block()).isNull();
+		verify(handler).handle(any(), any(Authz.AuthzResult.class));
+		verifyNoInteractions(postProcessor);
+		assertThat(service.checkCustomResult(true).block()).isNull();
+		verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
+		verifyNoMoreInteractions(handler);
+	}
+
 	private static Consumer<User.UserBuilder> authorities(String... authorities) {
 		return (builder) -> builder.authorities(authorities);
 	}
@@ -353,4 +378,23 @@ public Mono<String> getName() {
 
 	}
 
+	@EnableReactiveMethodSecurity
+	static class CustomResultConfig {
+
+		MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
+
+		MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
+
+		@Bean
+		MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
+			return this.handler;
+		}
+
+		@Bean
+		MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
+			return this.postProcessor;
+		}
+
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java

@@ -85,6 +85,11 @@ public interface ReactiveMethodSecurityService {
 	@Mask(expression = "@myMasker.getMask(returnObject)")
 	Mono<String> postAuthorizeWithMaskAnnotationUsingBean();
 
+	@PreAuthorize(value = "@authz.checkReactiveResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
+	@PostAuthorize(value = "@authz.checkReactiveResult(!#result)",
+			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
+	Mono<String> checkCustomResult(boolean result);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java

@@ -82,4 +82,9 @@ public Mono<String> postAuthorizeWithMaskAnnotationUsingBean() {
 		return Mono.just("ok");
 	}
 
+	@Override
+	public Mono<String> checkCustomResult(boolean result) {
+		return Mono.just("ok");
+	}
+
 }