Add SecurityObservationPredicate

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java

@@ -18,7 +18,6 @@
 
 import java.util.function.Supplier;
 
-import io.micrometer.observation.ObservationRegistry;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
 
@@ -36,9 +35,9 @@
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.ObservationAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
@@ -58,8 +57,15 @@ final class Jsr250MethodSecurityConfiguration implements ImportAware, AopInfrast
 
 	private final Jsr250AuthorizationManager authorizationManager = new Jsr250AuthorizationManager();
 
-	private AuthorizationManagerBeforeMethodInterceptor methodInterceptor = AuthorizationManagerBeforeMethodInterceptor
-		.jsr250(this.authorizationManager);
+	private final AuthorizationManagerBeforeMethodInterceptor methodInterceptor;
+
+	Jsr250MethodSecurityConfiguration(
+			ObjectProvider<ObjectPostProcessor<AuthorizationManager<MethodInvocation>>> postProcessors) {
+		ObjectPostProcessor<AuthorizationManager<MethodInvocation>> postProcessor = postProcessors
+			.getIfUnique(ObjectPostProcessor::noop);
+		AuthorizationManager<MethodInvocation> manager = postProcessor.postProcess(this.authorizationManager);
+		this.methodInterceptor = AuthorizationManagerBeforeMethodInterceptor.jsr250(manager);
+	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@@ -95,16 +101,6 @@ void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityCont
 		this.methodInterceptor.setSecurityContextHolderStrategy(securityContextHolderStrategy);
 	}
 
-	@Autowired(required = false)
-	void setObservationRegistry(ObservationRegistry registry) {
-		if (registry.isNoop()) {
-			return;
-		}
-		AuthorizationManager<MethodInvocation> observed = new ObservationAuthorizationManager<>(registry,
-				this.authorizationManager);
-		this.methodInterceptor = AuthorizationManagerBeforeMethodInterceptor.secured(observed);
-	}
-
 	@Autowired(required = false)
 	void setEventPublisher(AuthorizationEventPublisher eventPublisher) {
 		this.methodInterceptor.setAuthorizationEventPublisher(eventPublisher);

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java

@@ -41,6 +41,9 @@ final class MethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
+	private static final boolean isObservabilityPresent = ClassUtils
+		.isPresent("io.micrometer.observation.ObservationRegistry", null);
+
 	private final ImportSelector autoProxy = new AutoProxyRegistrarSelector();
 
 	@Override
@@ -64,6 +67,10 @@ public String[] selectImports(@NonNull AnnotationMetadata importMetadata) {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
+		if (isObservabilityPresent) {
+			imports.add(
+					"org.springframework.security.config.annotation.observation.configuration.ObservationConfiguration");
+		}
 		return imports.toArray(new String[0]);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
-import io.micrometer.observation.ObservationRegistry;
 import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.aop.Pointcut;
 import org.springframework.aop.framework.AopInfrastructureBean;
@@ -38,14 +38,16 @@
 import org.springframework.security.aot.hint.PrePostAuthorizeHintsRegistrar;
 import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
-import org.springframework.security.authorization.ObservationAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
+import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager;
 import org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -78,21 +80,29 @@ final class PrePostMethodSecurityConfiguration implements ImportAware, Applicati
 
 	private final PreFilterAuthorizationMethodInterceptor preFilterMethodInterceptor = new PreFilterAuthorizationMethodInterceptor();
 
-	private AuthorizationManagerBeforeMethodInterceptor preAuthorizeMethodInterceptor = AuthorizationManagerBeforeMethodInterceptor
-		.preAuthorize(this.preAuthorizeAuthorizationManager);
+	private final AuthorizationManagerBeforeMethodInterceptor preAuthorizeMethodInterceptor;
 
-	private AuthorizationManagerAfterMethodInterceptor postAuthorizeMethodInterceptor = AuthorizationManagerAfterMethodInterceptor
-		.postAuthorize(this.postAuthorizeAuthorizationManager);
+	private final AuthorizationManagerAfterMethodInterceptor postAuthorizeMethodInterceptor;
 
 	private final PostFilterAuthorizationMethodInterceptor postFilterMethodInterceptor = new PostFilterAuthorizationMethodInterceptor();
 
 	private final DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 
-	{
+	PrePostMethodSecurityConfiguration(
+			ObjectProvider<ObjectPostProcessor<AuthorizationManager<MethodInvocation>>> preAuthorizeProcessor,
+			ObjectProvider<ObjectPostProcessor<AuthorizationManager<MethodInvocationResult>>> postAuthorizeProcessor) {
 		this.preFilterMethodInterceptor.setExpressionHandler(this.expressionHandler);
 		this.preAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
 		this.postAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
 		this.postFilterMethodInterceptor.setExpressionHandler(this.expressionHandler);
+		AuthorizationManager<MethodInvocation> preAuthorize = preAuthorizeProcessor
+			.getIfUnique(ObjectPostProcessor::noop)
+			.postProcess(this.preAuthorizeAuthorizationManager);
+		this.preAuthorizeMethodInterceptor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize(preAuthorize);
+		AuthorizationManager<MethodInvocationResult> postAuthorize = postAuthorizeProcessor
+			.getIfUnique(ObjectPostProcessor::noop)
+			.postProcess(this.postAuthorizeAuthorizationManager);
+		this.postAuthorizeMethodInterceptor = AuthorizationManagerAfterMethodInterceptor.postAuthorize(postAuthorize);
 	}
 
 	@Override
@@ -144,17 +154,6 @@ void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityCont
 		this.postFilterMethodInterceptor.setSecurityContextHolderStrategy(securityContextHolderStrategy);
 	}
 
-	@Autowired(required = false)
-	void setObservationRegistry(ObservationRegistry registry) {
-		if (registry.isNoop()) {
-			return;
-		}
-		this.preAuthorizeMethodInterceptor = AuthorizationManagerBeforeMethodInterceptor
-			.preAuthorize(new ObservationAuthorizationManager<>(registry, this.preAuthorizeAuthorizationManager));
-		this.postAuthorizeMethodInterceptor = AuthorizationManagerAfterMethodInterceptor
-			.postAuthorize(new ObservationAuthorizationManager<>(registry, this.postAuthorizeAuthorizationManager));
-	}
-
 	@Autowired(required = false)
 	void setAuthorizationEventPublisher(AuthorizationEventPublisher publisher) {
 		this.preAuthorizeMethodInterceptor.setAuthorizationEventPublisher(publisher);

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
-import io.micrometer.observation.ObservationRegistry;
 import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.aop.Pointcut;
 import org.springframework.aop.framework.AopInfrastructureBean;
@@ -34,14 +34,16 @@
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
-import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor;
+import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PostAuthorizeReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 
@@ -77,22 +79,30 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration
 
 	private PostFilterAuthorizationReactiveMethodInterceptor postFilterMethodInterceptor = new PostFilterAuthorizationReactiveMethodInterceptor();
 
-	private AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeMethodInterceptor;
+	private final AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeMethodInterceptor;
 
-	private AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeMethodInterceptor;
+	private final AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeMethodInterceptor;
 
 	@Autowired(required = false)
-	ReactiveAuthorizationManagerMethodSecurityConfiguration(MethodSecurityExpressionHandler expressionHandler) {
+	ReactiveAuthorizationManagerMethodSecurityConfiguration(MethodSecurityExpressionHandler expressionHandler,
+			ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocation>>> preAuthorizePostProcessor,
+			ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocationResult>>> postAuthorizePostProcessor) {
 		if (expressionHandler != null) {
 			this.preFilterMethodInterceptor = new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 			this.preAuthorizeAuthorizationManager = new PreAuthorizeReactiveAuthorizationManager(expressionHandler);
 			this.postFilterMethodInterceptor = new PostFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 			this.postAuthorizeAuthorizationManager = new PostAuthorizeReactiveAuthorizationManager(expressionHandler);
 		}
+		ReactiveAuthorizationManager<MethodInvocation> preAuthorize = preAuthorizePostProcessor
+			.getIfUnique(ObjectPostProcessor::noop)
+			.postProcess(this.preAuthorizeAuthorizationManager);
 		this.preAuthorizeMethodInterceptor = AuthorizationManagerBeforeReactiveMethodInterceptor
-			.preAuthorize(this.preAuthorizeAuthorizationManager);
+			.preAuthorize(preAuthorize);
+		ReactiveAuthorizationManager<MethodInvocationResult> postAuthorize = postAuthorizePostProcessor
+			.getIfAvailable(ObjectPostProcessor::noop)
+			.postProcess(this.postAuthorizeAuthorizationManager);
 		this.postAuthorizeMethodInterceptor = AuthorizationManagerAfterReactiveMethodInterceptor
-			.postAuthorize(this.postAuthorizeAuthorizationManager);
+			.postAuthorize(postAuthorize);
 	}
 
 	@Override
@@ -117,17 +127,6 @@ void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults)
 		this.postFilterMethodInterceptor.setTemplateDefaults(templateDefaults);
 	}
 
-	@Autowired(required = false)
-	void setObservationRegistry(ObservationRegistry registry) {
-		if (registry.isNoop()) {
-			return;
-		}
-		this.preAuthorizeMethodInterceptor = AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(
-				new ObservationReactiveAuthorizationManager<>(registry, this.preAuthorizeAuthorizationManager));
-		this.postAuthorizeMethodInterceptor = AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(
-				new ObservationReactiveAuthorizationManager<>(registry, this.postAuthorizeAuthorizationManager));
-	}
-
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor preFilterAuthorizationMethodInterceptor(

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecuritySelector.java

@@ -38,6 +38,9 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
+	private static final boolean isObservabilityPresent = ClassUtils
+		.isPresent("io.micrometer.observation.ObservationRegistry", null);
+
 	private final ImportSelector autoProxy = new AutoProxyRegistrarSelector();
 
 	@Override
@@ -58,6 +61,10 @@ public String[] selectImports(AnnotationMetadata importMetadata) {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
+		if (isObservabilityPresent) {
+			imports.add(
+					"org.springframework.security.config.annotation.observation.configuration.ReactiveObservationConfiguration");
+		}
 		imports.add(AuthorizationProxyConfiguration.class.getName());
 		return imports.toArray(new String[0]);
 	}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java

@@ -18,7 +18,6 @@
 
 import java.util.function.Supplier;
 
-import io.micrometer.observation.ObservationRegistry;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
 
@@ -37,9 +36,9 @@
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.ObservationAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.SecuredAuthorizationManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
 /**
@@ -58,8 +57,15 @@ final class SecuredMethodSecurityConfiguration implements ImportAware, AopInfras
 
 	private final SecuredAuthorizationManager authorizationManager = new SecuredAuthorizationManager();
 
-	private AuthorizationManagerBeforeMethodInterceptor methodInterceptor = AuthorizationManagerBeforeMethodInterceptor
-		.secured(this.authorizationManager);
+	private final AuthorizationManagerBeforeMethodInterceptor methodInterceptor;
+
+	SecuredMethodSecurityConfiguration(
+			ObjectProvider<ObjectPostProcessor<AuthorizationManager<MethodInvocation>>> postProcessors) {
+		ObjectPostProcessor<AuthorizationManager<MethodInvocation>> postProcessor = postProcessors
+			.getIfUnique(ObjectPostProcessor::noop);
+		AuthorizationManager<MethodInvocation> manager = postProcessor.postProcess(this.authorizationManager);
+		this.methodInterceptor = AuthorizationManagerBeforeMethodInterceptor.secured(manager);
+	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@@ -90,16 +96,6 @@ void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityCont
 		this.methodInterceptor.setSecurityContextHolderStrategy(securityContextHolderStrategy);
 	}
 
-	@Autowired(required = false)
-	void setObservationRegistry(ObservationRegistry registry) {
-		if (registry.isNoop()) {
-			return;
-		}
-		AuthorizationManager<MethodInvocation> observed = new ObservationAuthorizationManager<>(registry,
-				this.authorizationManager);
-		this.methodInterceptor = AuthorizationManagerBeforeMethodInterceptor.secured(observed);
-	}
-
 	@Autowired(required = false)
 	void setEventPublisher(AuthorizationEventPublisher eventPublisher) {
 		this.methodInterceptor.setAuthorizationEventPublisher(eventPublisher);

config/src/main/java/org/springframework/security/config/annotation/observation/configuration/AbstractObservationObjectPostProcessor.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.observation.configuration;
+
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import java.util.function.Predicate;
+
+import io.micrometer.observation.ObservationRegistry;
+
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.observation.SecurityObservationPredicate;
+
+abstract class AbstractObservationObjectPostProcessor<O> implements ObjectPostProcessor<O> {
+
+	private final ObjectProvider<ObservationRegistry> observationRegistry;
+
+	private final ObjectProvider<SecurityObservationPredicate> observationPredicate;
+
+	private final Predicate<SecurityObservationPredicate> shouldWrap;
+
+	private final BiFunction<ObservationRegistry, O, O> wrapper;
+
+	AbstractObservationObjectPostProcessor(ObjectProvider<ObservationRegistry> observationRegistry,
+			ObjectProvider<SecurityObservationPredicate> observationPredicate,
+			Predicate<SecurityObservationPredicate> shouldWrap, Function<ObservationRegistry, O> constructor) {
+		this(observationRegistry, observationPredicate, shouldWrap, (registry, object) -> constructor.apply(registry));
+	}
+
+	AbstractObservationObjectPostProcessor(ObjectProvider<ObservationRegistry> observationRegistry,
+			ObjectProvider<SecurityObservationPredicate> observationPredicate,
+			Predicate<SecurityObservationPredicate> shouldWrap, BiFunction<ObservationRegistry, O, O> constructor) {
+		this.observationRegistry = observationRegistry;
+		this.observationPredicate = observationPredicate;
+		this.shouldWrap = shouldWrap;
+		this.wrapper = constructor;
+	}
+
+	@Override
+	public <O1 extends O> O1 postProcess(O1 object) {
+		ObservationRegistry registry = this.observationRegistry.getIfUnique(() -> ObservationRegistry.NOOP);
+		if (registry.isNoop()) {
+			return object;
+		}
+		SecurityObservationPredicate predicate = this.observationPredicate.getIfUnique();
+		if (predicate == null) {
+			return (O1) this.wrapper.apply(registry, object);
+		}
+		if (this.shouldWrap.test(predicate)) {
+			return (O1) this.wrapper.apply(registry, object);
+		}
+		return object;
+	}
+
+}