Address Feedback

- Changed to template delimiters
- Don't synthesize unnecessarily

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -41,7 +41,6 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Role;
 import org.springframework.core.annotation.AnnotationConfigurationException;
-import org.springframework.expression.spel.SpelParseException;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.annotation.BusinessService;
@@ -614,7 +613,7 @@ public void methodRoleWhenPreAuthorizeMetaAnnotationHardcodedParameterThenPasses
 	public void methodWhenParameterizedAnnotationThenFails() {
 		this.spring.register(MetaAnnotationPlaceholderConfig.class).autowire();
 		MetaAnnotationService service = this.spring.getContext().getBean(MetaAnnotationService.class);
-		assertThatExceptionOfType(SpelParseException.class)
+		assertThatExceptionOfType(IllegalArgumentException.class)
 			.isThrownBy(service::placeholdersOnlyResolvedByMetaAnnotations);
 	}
 
@@ -988,7 +987,7 @@ boolean hasUserRole() {
 			return true;
 		}
 
-		@PreAuthorize("hasRole(${role})")
+		@PreAuthorize("hasRole({role})")
 		void placeholdersOnlyResolvedByMetaAnnotations() {
 		}
 
@@ -1015,15 +1014,15 @@ List<String> resultsContainDave(List<String> list) {
 	}
 
 	@Retention(RetentionPolicy.RUNTIME)
-	@PreAuthorize("hasRole(${role})")
+	@PreAuthorize("hasRole({role})")
 	@interface RequireRole {
 
 		String role();
 
 	}
 
 	@Retention(RetentionPolicy.RUNTIME)
-	@PreAuthorize("hasAuthority('SCOPE_${claim}') || hasAnyRole(${roles})")
+	@PreAuthorize("hasAuthority('SCOPE_{claim}') || hasAnyRole({roles})")
 	@interface HasClaim {
 
 		String claim();
@@ -1033,23 +1032,23 @@ List<String> resultsContainDave(List<String> list) {
 	}
 
 	@Retention(RetentionPolicy.RUNTIME)
-	@PostAuthorize("returnObject.startsWith('${value}')")
+	@PostAuthorize("returnObject.startsWith('{value}')")
 	@interface ResultStartsWith {
 
 		String value();
 
 	}
 
 	@Retention(RetentionPolicy.RUNTIME)
-	@PreFilter("filterObject.contains('${value}')")
+	@PreFilter("filterObject.contains('{value}')")
 	@interface ParameterContains {
 
 		String value();
 
 	}
 
 	@Retention(RetentionPolicy.RUNTIME)
-	@PostFilter("filterObject.contains('${value}')")
+	@PostFilter("filterObject.contains('{value}')")
 	@interface ResultContains {
 
 		String value();

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java

@@ -20,6 +20,7 @@
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Function;
@@ -29,9 +30,8 @@
 import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.annotation.MergedAnnotations.SearchStrategy;
 import org.springframework.core.annotation.RepeatableContainers;
-import org.springframework.core.env.MapPropertySource;
-import org.springframework.core.env.MutablePropertySources;
-import org.springframework.core.env.PropertySourcesPropertyResolver;
+import org.springframework.core.convert.support.DefaultConversionService;
+import org.springframework.util.PropertyPlaceholderHelper;
 
 /**
  * A collection of utility methods that check for, and error on, conflicting annotations.
@@ -58,17 +58,22 @@ final class AuthorizationAnnotationUtils {
 
 	static <A extends Annotation> Function<AnnotatedElement, A> withPlaceholderResolver(Class<A> type) {
 		Function<MergedAnnotation<A>, A> map = (mergedAnnotation) -> {
-			A annotation = mergedAnnotation.synthesize();
 			if (mergedAnnotation.getMetaSource() == null) {
-				return annotation;
+				return mergedAnnotation.synthesize();
 			}
+			PropertyPlaceholderHelper helper = new PropertyPlaceholderHelper("{", "}");
 			String expression = (String) mergedAnnotation.asMap().get("value");
-			MutablePropertySources propertySources = new MutablePropertySources();
 			Map<String, Object> annotationProperties = mergedAnnotation.getMetaSource().asMap();
-			propertySources.addFirst(new MapPropertySource("annotation", annotationProperties));
-			PropertySourcesPropertyResolver propertyResolver = new PropertySourcesPropertyResolver(propertySources);
+			Map<String, String> stringProperties = new HashMap<>();
+			for (Map.Entry<String, Object> property : annotationProperties.entrySet()) {
+				String key = property.getKey();
+				Object value = property.getValue();
+				String asString = (value instanceof String) ? (String) value
+						: DefaultConversionService.getSharedInstance().convert(value, String.class);
+				stringProperties.put(key, asString);
+			}
 			AnnotatedElement annotatedElement = (AnnotatedElement) mergedAnnotation.getSource();
-			String value = propertyResolver.resolvePlaceholders(expression);
+			String value = helper.replacePlaceholders(expression, stringProperties::get);
 			return MergedAnnotation.of(annotatedElement, type, Collections.singletonMap("value", value)).synthesize();
 		};
 		return (annotatedElement) -> findDistinctAnnotation(annotatedElement, type, map);

docs/modules/ROOT/pages/servlet/authorization/method-security.adoc

@@ -911,7 +911,7 @@ Java::
 ----
 @Target({ ElementType.METHOD, ElementType.TYPE })
 @Retention(RetentionPolicy.RUNTIME)
-@PreAuthorize("hasRole('${value}')")
+@PreAuthorize("hasRole('{value}')")
 public @interface HasRole {
 	String value();
 }
@@ -923,7 +923,7 @@ Kotlin::
 ----
 @Target(ElementType.METHOD, ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)
-@PreAuthorize("hasRole('${value}')")
+@PreAuthorize("hasRole('{value}')")
 annotation class IsAdmin(val value: String)
 ----
 ======
@@ -971,7 +971,7 @@ Java::
 ----
 @Target({ ElementType.METHOD, ElementType.TYPE })
 @Retention(RetentionPolicy.RUNTIME)
-@PreAuthorize("hasAnyRole(${roles})")
+@PreAuthorize("hasAnyRole({roles})")
 public @interface HasAnyRole {
 	String roles();
 }
@@ -983,7 +983,7 @@ Kotlin::
 ----
 @Target(ElementType.METHOD, ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)
-@PreAuthorize("hasAnyRole(${roles})")
+@PreAuthorize("hasAnyRole({roles})")
 annotation class HasAnyRole(val roles: Array<String>)
 ----
 ======