spring-projects · jzheaux · Sep 10, 2024 · Sep 1, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/...otation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java b/...otation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
@@ -34,6 +34,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Fallback;
 import org.springframework.context.annotation.Role;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
@@ -114,6 +115,7 @@ static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	@Fallback
 	static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
 			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) {
 		DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();

diff --git a/...nfig/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java b/...nfig/annotation/method/configuration/PrePostReactiveMethodSecurityConfigurationTests.java
@@ -16,14 +16,22 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import java.io.Serializable;
+
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import reactor.test.StepVerifier;
 
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Role;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -201,6 +209,17 @@ void preAuthorizeWhenAllowedAndHandlerWithCustomAnnotationUsingBeanThenInvokeMet
 		StepVerifier.create(service.preAuthorizeWithMaskAnnotationUsingBean()).expectNext("ok").verifyComplete();
 	}
 
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	public void customMethodSecurityExpressionHandler() {
+		this.spring.register(MethodSecurityServiceEnabledConfig.class, PermissionEvaluatorConfig.class).autowire();
+		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
+		StepVerifier.create(service.preAuthorizeHasPermission("grant")).expectNext("ok").verifyComplete();
+		StepVerifier.create(service.preAuthorizeHasPermission("deny"))
+			.expectError(AuthorizationDeniedException.class)
+			.verify();
+	}
+
 	@Configuration
 	@EnableReactiveMethodSecurity
 	static class MethodSecurityServiceEnabledConfig {
@@ -212,4 +231,29 @@ ReactiveMethodSecurityService methodSecurityService() {
 
 	}
 
+	@Configuration
+	static class PermissionEvaluatorConfig {
+
+		@Bean
+		@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+		static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler() {
+			DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
+			handler.setPermissionEvaluator(new PermissionEvaluator() {
+				@Override
+				public boolean hasPermission(Authentication authentication, Object targetDomainObject,
+						Object permission) {
+					return "grant".equals(targetDomainObject);
+				}
+
+				@Override
+				public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
+						Object permission) {
+					throw new UnsupportedOperationException();
+				}
+			});
+			return handler;
+		}
+
+	}
+
 }
diff --git a/...mework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java b/...mework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java
@@ -101,6 +101,9 @@ public interface ReactiveMethodSecurityService {
 	@HandleAuthorizationDenied(handlerClass = MethodAuthorizationDeniedHandler.class)
 	Mono<String> checkCustomResult(boolean result);
 
+	@PreAuthorize("hasPermission(#kgName, 'read')")
+	Mono<String> preAuthorizeHasPermission(String kgName);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override

diff --git a/...rk/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java b/...rk/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java
@@ -88,4 +88,9 @@ public Mono<String> checkCustomResult(boolean result) {
 		return Mono.just("ok");
 	}
 
+	@Override
+	public Mono<String> preAuthorizeHasPermission(String kgName) {
+		return Mono.just("ok");
+	}
+
 }