Add AuthorizationProxyFactory Reactive Support

Issue gh-14596

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -16,9 +16,18 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.util.function.Consumer;
+import java.util.function.Supplier;
+
 import io.micrometer.observation.ObservationRegistry;
+import org.aopalliance.aop.Advice;
+import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
+import org.springframework.aop.Pointcut;
+import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
@@ -29,6 +38,7 @@
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
@@ -38,6 +48,7 @@
 import org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.util.function.SingletonSupplier;
 
 /**
  * Configuration for a {@link ReactiveAuthenticationManager} based Method Security.
@@ -46,54 +57,56 @@
  * @since 5.8
  */
 @Configuration(proxyBeanMethods = false)
-final class ReactiveAuthorizationManagerMethodSecurityConfiguration {
+final class ReactiveAuthorizationManagerMethodSecurityConfiguration implements AopInfrastructureBean {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor(
-			MethodSecurityExpressionHandler expressionHandler,
+	static MethodInterceptor preFilterAuthorizationMethodInterceptor(MethodSecurityExpressionHandler expressionHandler,
 			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider) {
 		PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable(interceptor::setTemplateDefaults);
-		return interceptor;
+		return new DeferringMethodInterceptor<>(interceptor,
+				(i) -> defaultsObjectProvider.ifAvailable(i::setTemplateDefaults));
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor(
+	static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
 			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider,
 			ObjectProvider<ObservationRegistry> registryProvider) {
 		PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults);
 		ReactiveAuthorizationManager<MethodInvocation> authorizationManager = manager(manager, registryProvider);
-		return AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(authorizationManager);
+		AuthorizationAdvisor interceptor = AuthorizationManagerBeforeReactiveMethodInterceptor
+			.preAuthorize(authorizationManager);
+		return new DeferringMethodInterceptor<>(interceptor,
+				(i) -> defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults));
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor(
-			MethodSecurityExpressionHandler expressionHandler,
+	static MethodInterceptor postFilterAuthorizationMethodInterceptor(MethodSecurityExpressionHandler expressionHandler,
 			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider) {
 		PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable(interceptor::setTemplateDefaults);
-		return interceptor;
+		return new DeferringMethodInterceptor<>(interceptor,
+				(i) -> defaultsObjectProvider.ifAvailable(i::setTemplateDefaults));
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor(
+	static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
 			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider,
 			ObjectProvider<ObservationRegistry> registryProvider) {
 		PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(
 				expressionHandler);
 		ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager = manager(manager, registryProvider);
-		defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults);
-		return AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(authorizationManager);
+		AuthorizationAdvisor interceptor = AuthorizationManagerAfterReactiveMethodInterceptor
+			.postAuthorize(authorizationManager);
+		return new DeferringMethodInterceptor<>(interceptor,
+				(i) -> defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults));
 	}
 
 	@Bean
@@ -112,4 +125,50 @@ static <T> ReactiveAuthorizationManager<T> manager(ReactiveAuthorizationManager<
 		return new DeferringObservationReactiveAuthorizationManager<>(registryProvider, delegate);
 	}
 
+	private static final class DeferringMethodInterceptor<M extends AuthorizationAdvisor>
+			implements AuthorizationAdvisor {
+
+		private final Pointcut pointcut;
+
+		private final int order;
+
+		private final Supplier<M> delegate;
+
+		DeferringMethodInterceptor(M delegate, Consumer<M> supplier) {
+			this.pointcut = delegate.getPointcut();
+			this.order = delegate.getOrder();
+			this.delegate = SingletonSupplier.of(() -> {
+				supplier.accept(delegate);
+				return delegate;
+			});
+		}
+
+		@Nullable
+		@Override
+		public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
+			return this.delegate.get().invoke(invocation);
+		}
+
+		@Override
+		public Pointcut getPointcut() {
+			return this.pointcut;
+		}
+
+		@Override
+		public Advice getAdvice() {
+			return this;
+		}
+
+		@Override
+		public int getOrder() {
+			return this.order;
+		}
+
+		@Override
+		public boolean isPerInstance() {
+			return true;
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationProxyConfiguration.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.security.authorization.ReactiveAuthorizationAdvisorProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisor;
+
+@Configuration(proxyBeanMethods = false)
+final class ReactiveAuthorizationProxyConfiguration implements AopInfrastructureBean {
+
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	static ReactiveAuthorizationAdvisorProxyFactory authorizationProxyFactory(
+			ObjectProvider<AuthorizationAdvisor> provider) {
+		List<AuthorizationAdvisor> advisors = new ArrayList<>();
+		provider.forEach(advisors::add);
+		ReactiveAuthorizationAdvisorProxyFactory factory = new ReactiveAuthorizationAdvisorProxyFactory();
+		factory.setAdvisors(advisors);
+		return factory;
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecuritySelector.java

@@ -51,13 +51,15 @@ public String[] selectImports(AnnotationMetadata importMetadata) {
 		else {
 			imports.add(ReactiveMethodSecurityConfiguration.class.getName());
 		}
+		imports.add(ReactiveAuthorizationProxyConfiguration.class.getName());
 		return imports.toArray(new String[0]);
 	}
 
 	private static final class AutoProxyRegistrarSelector
 			extends AdviceModeImportSelector<EnableReactiveMethodSecurity> {
 
-		private static final String[] IMPORTS = new String[] { AutoProxyRegistrar.class.getName() };
+		private static final String[] IMPORTS = new String[] { AutoProxyRegistrar.class.getName(),
+				MethodSecurityAdvisorRegistrar.class.getName() };
 
 		@Override
 		protected String[] selectImports(@NonNull AdviceMode adviceMode) {

config/src/test/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfigurationTests.java

@@ -18,15 +18,20 @@
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -69,12 +74,42 @@ public void proxyWhenPreAuthorizedThenAllows() {
 		assertThat(toaster.extractBread()).isEqualTo("yummy");
 	}
 
+	@Test
+	public void proxyReactiveWhenNotPreAuthorizedThenDenies() {
+		this.spring.register(ReactiveDefaultsConfig.class).autowire();
+		Toaster toaster = (Toaster) this.proxyFactory.proxy(new Toaster());
+		Authentication user = TestAuthentication.authenticatedUser();
+		StepVerifier
+			.create(toaster.reactiveMakeToast().contextWrite(ReactiveSecurityContextHolder.withAuthentication(user)))
+			.verifyError(AccessDeniedException.class);
+		StepVerifier
+			.create(toaster.reactiveExtractBread().contextWrite(ReactiveSecurityContextHolder.withAuthentication(user)))
+			.verifyError(AccessDeniedException.class);
+	}
+
+	@Test
+	public void proxyReactiveWhenPreAuthorizedThenAllows() {
+		this.spring.register(ReactiveDefaultsConfig.class).autowire();
+		Toaster toaster = (Toaster) this.proxyFactory.proxy(new Toaster());
+		Authentication admin = TestAuthentication.authenticatedAdmin();
+		StepVerifier
+			.create(toaster.reactiveMakeToast().contextWrite(ReactiveSecurityContextHolder.withAuthentication(admin)))
+			.expectNext()
+			.verifyComplete();
+	}
+
 	@EnableMethodSecurity
 	@Configuration
 	static class DefaultsConfig {
 
 	}
 
+	@EnableReactiveMethodSecurity
+	@Configuration
+	static class ReactiveDefaultsConfig {
+
+	}
+
 	static class Toaster {
 
 		@PreAuthorize("hasRole('ADMIN')")
@@ -87,6 +122,16 @@ String extractBread() {
 			return "yummy";
 		}
 
+		@PreAuthorize("hasRole('ADMIN')")
+		Mono<Void> reactiveMakeToast() {
+			return Mono.empty();
+		}
+
+		@PostAuthorize("hasRole('ADMIN')")
+		Mono<String> reactiveExtractBread() {
+			return Mono.just("yummy");
+		}
+
 	}
 
 }