From 2f3457e0cf08564cc37620bdf7570aaa8417bc8e Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Thu, 29 Feb 2024 14:14:21 -0700 Subject: [PATCH] Add AuthorizationResult Auto-Proxy Support Closes gh-14597 --- .../AuthorizationProxyConfiguration.java | 53 ++++++++ .../Jsr250MethodSecurityConfiguration.java | 3 +- .../MethodSecurityAdvisorRegistrar.java | 1 + .../configuration/MethodSecuritySelector.java | 1 + .../PrePostMethodSecurityConfiguration.java | 9 +- .../SecuredMethodSecurityConfiguration.java | 3 +- ...ePostMethodSecurityConfigurationTests.java | 115 ++++++++++++++++++ .../method/AuthorizationAdvisor.java | 27 ++++ .../AuthorizationInterceptorsOrder.java | 2 + ...rizationManagerAfterMethodInterceptor.java | 6 +- ...izationManagerBeforeMethodInterceptor.java | 6 +- .../AuthorizationProxyMethodInterceptor.java | 76 ++++++++++++ .../authorization/method/AuthorizeResult.java | 28 +++++ ...tFilterAuthorizationMethodInterceptor.java | 6 +- ...eFilterAuthorizationMethodInterceptor.java | 6 +- 15 files changed, 315 insertions(+), 27 deletions(-) create mode 100644 config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java create mode 100644 core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisor.java create mode 100644 core/src/main/java/org/springframework/security/authorization/method/AuthorizationProxyMethodInterceptor.java create mode 100644 core/src/main/java/org/springframework/security/authorization/method/AuthorizeResult.java diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java new file mode 100644 index 00000000000..ec424b7cfa0 --- /dev/null +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyConfiguration.java @@ -0,0 +1,53 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.config.annotation.method.configuration; + +import java.util.ArrayList; +import java.util.List; + +import org.aopalliance.intercept.MethodInterceptor; + +import org.springframework.aop.Advisor; +import org.springframework.aop.framework.AopInfrastructureBean; +import org.springframework.beans.factory.ObjectProvider; +import org.springframework.beans.factory.config.BeanDefinition; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Role; +import org.springframework.core.annotation.AnnotationAwareOrderComparator; +import org.springframework.security.authorization.method.AuthorizationAdvisor; +import org.springframework.security.authorization.method.AuthorizationProxyMethodInterceptor; +import org.springframework.security.authorization.object.AuthorizationProxyFactory; + +@Configuration(proxyBeanMethods = false) +public class AuthorizationProxyConfiguration implements AopInfrastructureBean { + + @Bean + static AuthorizationProxyFactory authorizationProxyFactory(ObjectProvider provider) { + List advisors = new ArrayList<>(); + provider.forEach(advisors::add); + AnnotationAwareOrderComparator.sort(advisors); + return new AuthorizationProxyFactory(advisors); + } + + @Bean + @Role(BeanDefinition.ROLE_INFRASTRUCTURE) + static MethodInterceptor authorizationProxyMethodInterceptor(AuthorizationProxyFactory authorizationProxyFactory) { + return new AuthorizationProxyMethodInterceptor(authorizationProxyFactory); + } + +} diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java index 39567ddfdca..45908fb549a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java @@ -20,6 +20,7 @@ import org.aopalliance.intercept.MethodInterceptor; import org.aopalliance.intercept.MethodInvocation; +import org.springframework.aop.framework.AopInfrastructureBean; import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Bean; @@ -48,7 +49,7 @@ */ @Configuration(proxyBeanMethods = false) @Role(BeanDefinition.ROLE_INFRASTRUCTURE) -final class Jsr250MethodSecurityConfiguration implements ImportAware { +final class Jsr250MethodSecurityConfiguration implements ImportAware, AopInfrastructureBean { private int interceptorOrderOffset; diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java index 409f6fa1ea2..2495188b866 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java @@ -33,6 +33,7 @@ public void registerBeanDefinitions(AnnotationMetadata importingClassMetadata, B registerAsAdvisor("postAuthorizeAuthorization", registry); registerAsAdvisor("securedAuthorization", registry); registerAsAdvisor("jsr250Authorization", registry); + registerAsAdvisor("authorizationProxy", registry); } private void registerAsAdvisor(String prefix, BeanDefinitionRegistry registry) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java index 4b561360a73..928ed485484 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java @@ -56,6 +56,7 @@ public String[] selectImports(@NonNull AnnotationMetadata importMetadata) { if (annotation.jsr250Enabled()) { imports.add(Jsr250MethodSecurityConfiguration.class.getName()); } + imports.add(AuthorizationProxyConfiguration.class.getName()); return imports.toArray(new String[0]); } diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java index 4c10dc4e5b6..7fea76850df 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java @@ -27,7 +27,6 @@ import org.jetbrains.annotations.Nullable; import org.springframework.aop.Pointcut; -import org.springframework.aop.PointcutAdvisor; import org.springframework.aop.framework.AopInfrastructureBean; import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.config.BeanDefinition; @@ -36,7 +35,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.ImportAware; import org.springframework.context.annotation.Role; -import org.springframework.core.Ordered; import org.springframework.core.type.AnnotationMetadata; import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; @@ -44,6 +42,7 @@ import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.method.AuthorizationAdvisor; import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; import org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager; @@ -65,7 +64,7 @@ */ @Configuration(proxyBeanMethods = false) @Role(BeanDefinition.ROLE_INFRASTRUCTURE) -final class PrePostMethodSecurityConfiguration implements ImportAware { +final class PrePostMethodSecurityConfiguration implements ImportAware, AopInfrastructureBean { private int interceptorOrderOffset; @@ -175,8 +174,8 @@ public void setImportMetadata(AnnotationMetadata importMetadata) { this.interceptorOrderOffset = annotation.offset(); } - private static final class DeferringMethodInterceptor - implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { + private static final class DeferringMethodInterceptor + implements AuthorizationAdvisor { private final Pointcut pointcut; diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java index a1909388781..2b6a2e29280 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java @@ -20,6 +20,7 @@ import org.aopalliance.intercept.MethodInterceptor; import org.aopalliance.intercept.MethodInvocation; +import org.springframework.aop.framework.AopInfrastructureBean; import org.springframework.beans.factory.ObjectProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Bean; @@ -48,7 +49,7 @@ */ @Configuration(proxyBeanMethods = false) @Role(BeanDefinition.ROLE_INFRASTRUCTURE) -final class SecuredMethodSecurityConfiguration implements ImportAware { +final class SecuredMethodSecurityConfiguration implements ImportAware, AopInfrastructureBean { private int interceptorOrderOffset; diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java index f653d3c5875..c47a85c5ff4 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java @@ -21,7 +21,10 @@ import java.lang.annotation.RetentionPolicy; import java.util.ArrayList; import java.util.Arrays; +import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; import java.util.function.Consumer; import java.util.function.Supplier; @@ -60,6 +63,7 @@ import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.method.AuthorizationInterceptorsOrder; import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor; +import org.springframework.security.authorization.method.AuthorizeResult; import org.springframework.security.authorization.method.MethodInvocationResult; import org.springframework.security.authorization.method.PrePostTemplateDefaults; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; @@ -80,6 +84,7 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.assertj.core.api.Assertions.assertThatNoException; import static org.mockito.ArgumentMatchers.any; import static org.mockito.Mockito.atLeastOnce; import static org.mockito.Mockito.mock; @@ -662,6 +667,44 @@ public void methodWhenPostFilterMetaAnnotationThenFilters() { .containsExactly("dave"); } + @Test + @WithMockUser(authorities = "airplane:read") + public void findByIdWhenAuthorizedResultThenAuthorizes() { + this.spring.register(AuthorizeResultConfig.class).autowire(); + FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class); + Flight flight = flights.findById("1"); + assertThatNoException().isThrownBy(flight::getAltitude); + assertThatNoException().isThrownBy(flight::getSeats); + } + + @Test + @WithMockUser(authorities = "seating:read") + public void findByIdWhenUnauthorizedResultThenDenies() { + this.spring.register(AuthorizeResultConfig.class).autowire(); + FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class); + Flight flight = flights.findById("1"); + assertThatNoException().isThrownBy(flight::getSeats); + assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(flight::getAltitude); + } + + @Test + @WithMockUser(authorities = "seating:read") + public void findAllWhenUnauthorizedResultThenDenies() { + this.spring.register(AuthorizeResultConfig.class).autowire(); + FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class); + flights.findAll().forEachRemaining((flight) -> { + assertThatNoException().isThrownBy(flight::getSeats); + assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(flight::getAltitude); + }); + } + + @Test + public void removeWhenAuthorizedResultThenRemoves() { + this.spring.register(AuthorizeResultConfig.class).autowire(); + FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class); + flights.remove("1"); + } + private static Consumer disallowBeanOverriding() { return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false); } @@ -1061,4 +1104,76 @@ List resultsContainDave(List list) { } + @EnableMethodSecurity + static class AuthorizeResultConfig { + + @Bean + FlightRepository flights() { + FlightRepository flights = new FlightRepository(); + flights.save(new Flight("1", 35000d, 35)); + flights.save(new Flight("2", 32000d, 72)); + return flights; + } + + @Bean + RoleHierarchy roleHierarchy() { + return RoleHierarchyImpl.withRolePrefix("").role("airplane:read").implies("seating:read").build(); + } + + } + + @AuthorizeResult + static class FlightRepository { + + private final Map flights = new ConcurrentHashMap<>(); + + Iterator findAll() { + return this.flights.values().iterator(); + } + + Flight findById(String id) { + return this.flights.get(id); + } + + Flight save(Flight flight) { + this.flights.put(flight.getId(), flight); + return flight; + } + + void remove(String id) { + this.flights.remove(id); + } + + } + + static class Flight { + + private final String id; + + private final Double altitude; + + private final Integer seats; + + Flight(String id, Double altitude, Integer seats) { + this.id = id; + this.altitude = altitude; + this.seats = seats; + } + + String getId() { + return this.id; + } + + @PreAuthorize("hasAuthority('airplane:read')") + Double getAltitude() { + return this.altitude; + } + + @PreAuthorize("hasAuthority('seating:read')") + Integer getSeats() { + return this.seats; + } + + } + } diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisor.java new file mode 100644 index 00000000000..2cd1a9d78a1 --- /dev/null +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisor.java @@ -0,0 +1,27 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization.method; + +import org.aopalliance.intercept.MethodInterceptor; + +import org.springframework.aop.PointcutAdvisor; +import org.springframework.aop.framework.AopInfrastructureBean; +import org.springframework.core.Ordered; + +public interface AuthorizationAdvisor extends Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { + +} diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java index da6a26bf6e0..4ab14d3db14 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationInterceptorsOrder.java @@ -50,6 +50,8 @@ public enum AuthorizationInterceptorsOrder { */ POST_FILTER, + SECURE_RESULT, + LAST(Integer.MAX_VALUE); private static final int INTERVAL = 100; diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java index ad1b7ec4a89..48361271d4b 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java @@ -25,9 +25,6 @@ import org.apache.commons.logging.LogFactory; import org.springframework.aop.Pointcut; -import org.springframework.aop.PointcutAdvisor; -import org.springframework.aop.framework.AopInfrastructureBean; -import org.springframework.core.Ordered; import org.springframework.core.log.LogMessage; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.prepost.PostAuthorize; @@ -48,8 +45,7 @@ * @author Josh Cummings * @since 5.6 */ -public final class AuthorizationManagerAfterMethodInterceptor - implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { +public final class AuthorizationManagerAfterMethodInterceptor implements AuthorizationAdvisor { private Supplier securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy; diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java index 0f38826d13b..4d84a55616d 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java @@ -28,9 +28,6 @@ import org.apache.commons.logging.LogFactory; import org.springframework.aop.Pointcut; -import org.springframework.aop.PointcutAdvisor; -import org.springframework.aop.framework.AopInfrastructureBean; -import org.springframework.core.Ordered; import org.springframework.core.log.LogMessage; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.annotation.Secured; @@ -52,8 +49,7 @@ * @author Josh Cummings * @since 5.6 */ -public final class AuthorizationManagerBeforeMethodInterceptor - implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { +public final class AuthorizationManagerBeforeMethodInterceptor implements AuthorizationAdvisor { private Supplier securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy; diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationProxyMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationProxyMethodInterceptor.java new file mode 100644 index 00000000000..685a52a2725 --- /dev/null +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationProxyMethodInterceptor.java @@ -0,0 +1,76 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization.method; + +import org.aopalliance.aop.Advice; +import org.aopalliance.intercept.MethodInvocation; + +import org.springframework.aop.Pointcut; +import org.springframework.security.authorization.object.AuthorizationProxyFactory; +import org.springframework.util.Assert; + +public class AuthorizationProxyMethodInterceptor implements AuthorizationAdvisor { + + private final Pointcut pointcut; + + private final AuthorizationProxyFactory authorizationProxyFactory; + + private int order = AuthorizationInterceptorsOrder.SECURE_RESULT.getOrder(); + + public AuthorizationProxyMethodInterceptor(AuthorizationProxyFactory authorizationProxyFactory) { + Assert.notNull(authorizationProxyFactory, "authorizationManager cannot be null"); + this.pointcut = AuthorizationMethodPointcuts.forAnnotations(AuthorizeResult.class); + this.authorizationProxyFactory = authorizationProxyFactory.withAdvisors(this); + } + + @Override + public Object invoke(MethodInvocation mi) throws Throwable { + Object result = mi.proceed(); + if (result == null) { + return null; + } + return this.authorizationProxyFactory.proxy(result); + } + + @Override + public int getOrder() { + return this.order; + } + + public void setOrder(int order) { + this.order = order; + } + + /** + * {@inheritDoc} + */ + @Override + public Pointcut getPointcut() { + return this.pointcut; + } + + @Override + public Advice getAdvice() { + return this; + } + + @Override + public boolean isPerInstance() { + return true; + } + +} diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizeResult.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizeResult.java new file mode 100644 index 00000000000..160943de055 --- /dev/null +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizeResult.java @@ -0,0 +1,28 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization.method; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target({ ElementType.TYPE, ElementType.METHOD }) +public @interface AuthorizeResult { + +} diff --git a/core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java index aadc75c0036..aa96de670da 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java @@ -23,9 +23,6 @@ import org.aopalliance.intercept.MethodInvocation; import org.springframework.aop.Pointcut; -import org.springframework.aop.PointcutAdvisor; -import org.springframework.aop.framework.AopInfrastructureBean; -import org.springframework.core.Ordered; import org.springframework.expression.EvaluationContext; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; import org.springframework.security.access.prepost.PostFilter; @@ -43,8 +40,7 @@ * @author Josh Cummings * @since 5.6 */ -public final class PostFilterAuthorizationMethodInterceptor - implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { +public final class PostFilterAuthorizationMethodInterceptor implements AuthorizationAdvisor { private Supplier securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy; diff --git a/core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java index 39ae4e257ca..a00e22f2534 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java @@ -23,9 +23,6 @@ import org.aopalliance.intercept.MethodInvocation; import org.springframework.aop.Pointcut; -import org.springframework.aop.PointcutAdvisor; -import org.springframework.aop.framework.AopInfrastructureBean; -import org.springframework.core.Ordered; import org.springframework.expression.EvaluationContext; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; import org.springframework.security.access.prepost.PreFilter; @@ -44,8 +41,7 @@ * @author Josh Cummings * @since 5.6 */ -public final class PreFilterAuthorizationMethodInterceptor - implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { +public final class PreFilterAuthorizationMethodInterceptor implements AuthorizationAdvisor { private Supplier securityContextHolderStrategy = SecurityContextHolder::getContextHolderStrategy;