Use lock for preventing ConcurrentModificationException

Signed-off-by: Tran Ngoc Nhan <[email protected]>

Author: ngocnhan-tran1996

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,6 +35,7 @@
 import java.util.SortedSet;
 import java.util.TreeMap;
 import java.util.TreeSet;
+import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
@@ -77,6 +78,7 @@
  * </pre>
  *
  * @author Josh Cummings
+ * @author Ngoc Nhan
  * @since 6.3
  */
 public final class AuthorizationAdvisorProxyFactory
@@ -97,6 +99,8 @@ public final class AuthorizationAdvisorProxyFactory
 
 	private TargetVisitor visitor = DEFAULT_VISITOR;
 
+	private final ReentrantLock reentrantLock = new ReentrantLock();
+
 	/**
 	 * Construct an {@link AuthorizationAdvisorProxyFactory} with the provided advisors.
 	 *
@@ -165,7 +169,13 @@ public static AuthorizationAdvisorProxyFactory withReactiveDefaults() {
 	 */
 	@Override
 	public Object proxy(Object target) {
-		AnnotationAwareOrderComparator.sort(this.advisors);
+		try {
+			this.reentrantLock.lock();
+			AnnotationAwareOrderComparator.sort(this.advisors);
+		}
+		finally {
+			this.reentrantLock.unlock();
+		}
 		if (target == null) {
 			return null;
 		}
@@ -178,9 +188,7 @@ public Object proxy(Object target) {
 		}
 		ProxyFactory factory = new ProxyFactory(target);
 		factory.addAdvisors(this.authorizationProxy);
-		for (Advisor advisor : this.advisors) {
-			factory.addAdvisors(advisor);
-		}
+		factory.addAdvisors(this.advisors.toArray(Advisor[]::new));
 		factory.addInterface(AuthorizationProxy.class);
 		factory.setOpaque(true);
 		factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import java.util.SortedSet;
 import java.util.TreeMap;
 import java.util.TreeSet;
+import java.util.concurrent.CompletableFuture;
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
@@ -52,6 +53,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.atLeastOnce;
@@ -360,6 +362,19 @@ public void proxyWhenDefaultsThenInstanceOfAuthorizationProxy() {
 		assertThat(target).isSameAs(this.flight);
 	}
 
+	@Test
+	public void asyncProxyWhenDefaultsThenNoException() {
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		List<CompletableFuture<Void>> futures = new ArrayList<>();
+
+		for (int i = 0; i < 1000; i++) {
+			CompletableFuture<Void> future = CompletableFuture.runAsync(() -> proxy(factory, this.flight));
+			futures.add(future);
+		}
+
+		assertThatNoException().isThrownBy(() -> futures.forEach(CompletableFuture::join));
+	}
+
 	private Authentication authenticated(String user, String... authorities) {
 		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
 	}