From a368cd100d8d6c33f44543b92836765869cee6fa Mon Sep 17 00:00:00 2001 From: Max Batischev Date: Sun, 7 Apr 2024 17:19:55 +0300 Subject: [PATCH] Add support AuthorizationResult for AuthorizationManager Added a new authorization method to AuthorizationManager that returns AuthorizationResult. Closes gh-14843 --- ...erringObservationAuthorizationManager.java | 7 +++--- .../http/DefaultFilterChainValidator.java | 8 +++---- ...ointcutDelegatingAuthorizationManager.java | 8 +++---- ...ageBrokerSecurityBeanDefinitionParser.java | 6 ++--- .../AuthorizeHttpRequestsConfigurerTests.java | 6 ++--- .../DefaultFilterChainValidatorTests.java | 4 ++-- .../security/config/http/HttpConfigTests.java | 6 ++--- ...ptMethodsBeanDefinitionDecoratorTests.java | 6 ++--- ...thodSecurityBeanDefinitionParserTests.java | 5 +++-- .../WebSocketMessageBrokerConfigTests.java | 6 ++--- .../AuthenticatedAuthorizationManager.java | 8 +++---- .../AuthoritiesAuthorizationManager.java | 9 ++++---- .../AuthorityAuthorizationManager.java | 14 ++++++------ .../authorization/AuthorizationManager.java | 21 +++++++++++++++--- .../authorization/AuthorizationManagers.java | 20 ++++++++--------- .../AuthorizationObservationContext.java | 14 ++++++------ .../AuthorizationObservationConvention.java | 4 ++-- .../ObservationAuthorizationManager.java | 8 +++---- ...rizationManagerAfterMethodInterceptor.java | 7 +++--- ...izationManagerBeforeMethodInterceptor.java | 7 +++--- .../method/Jsr250AuthorizationManager.java | 13 ++++++----- .../MethodExpressionAuthorizationManager.java | 9 ++++---- .../PostAuthorizeAuthorizationManager.java | 11 +++++----- .../PreAuthorizeAuthorizationManager.java | 11 +++++----- .../method/SecuredAuthorizationManager.java | 12 +++++----- .../ObservationAuthorizationManagerTests.java | 8 +++---- ...ionManagerAfterMethodInterceptorTests.java | 4 ++-- ...onManagerBeforeMethodInterceptorTests.java | 4 ++-- .../Jsr250AuthorizationManagerTests.java | 2 +- .../SecuredAuthorizationManagerTests.java | 5 +++-- .../AuthorizationChannelInterceptor.java | 7 +++--- ...MatcherDelegatingAuthorizationManager.java | 13 ++++++----- .../AuthorizationChannelInterceptorTests.java | 8 +++---- ...anagerWebInvocationPrivilegeEvaluator.java | 6 ++--- .../access/IpAddressAuthorizationManager.java | 6 ++--- .../WebExpressionAuthorizationManager.java | 10 ++++----- .../access/intercept/AuthorizationFilter.java | 7 +++--- ...MatcherDelegatingAuthorizationManager.java | 13 ++++++----- ...rWebInvocationPrivilegeEvaluatorTests.java | 14 ++++++------ .../intercept/AuthorizationFilterTests.java | 22 +++++++++---------- 40 files changed, 190 insertions(+), 169 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java index 05068d98a9a..6e80262013c 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java +++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,7 +22,6 @@ import org.aopalliance.intercept.MethodInvocation; import org.springframework.beans.factory.ObjectProvider; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.ObservationAuthorizationManager; @@ -61,8 +60,8 @@ final class DeferringObservationAuthorizationManager } @Override - public AuthorizationDecision check(Supplier authentication, T object) { - return this.delegate.get().check(authentication, object); + public AuthorizationResult authorize(Supplier authentication, T object) { + return this.delegate.get().authorize(authentication, object); } @Override diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java index 1e89e78cb8a..5be5b43b68b 100644 --- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java +++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,8 +32,8 @@ import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.FilterChainProxy; @@ -221,7 +221,7 @@ private boolean checkLoginPageIsPublic(List filters, FilterInvocation lo AuthorizationManager authorizationManager = authorizationFilter .getAuthorizationManager(); try { - AuthorizationDecision decision = authorizationManager.check(() -> TEST, loginRequest.getHttpRequest()); + AuthorizationResult decision = authorizationManager.authorize(() -> TEST, loginRequest.getHttpRequest()); return decision != null && decision.isGranted(); } catch (Exception ex) { @@ -252,7 +252,7 @@ private Supplier deriveAnonymousCheck(List filters, FilterInvoc return () -> { AuthorizationManager authorizationManager = authorizationFilter .getAuthorizationManager(); - AuthorizationDecision decision = authorizationManager.check(() -> token, loginRequest.getHttpRequest()); + AuthorizationResult decision = authorizationManager.authorize(() -> token, loginRequest.getHttpRequest()); return decision != null && decision.isGranted(); }; } diff --git a/config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java b/config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java index d6aa4767f8f..3b4045ce106 100644 --- a/config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java +++ b/config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,6 +25,7 @@ import org.springframework.aop.support.AopUtils; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; class PointcutDelegatingAuthorizationManager implements AuthorizationManager { @@ -36,15 +37,14 @@ class PointcutDelegatingAuthorizationManager implements AuthorizationManager authentication, MethodInvocation object) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation object) { for (Map.Entry> entry : this.managers.entrySet()) { Class targetClass = (object.getThis() != null) ? AopUtils.getTargetClass(object.getThis()) : null; if (entry.getKey().getClassFilter().matches(targetClass) && entry.getKey().getMethodMatcher().matches(object.getMethod(), targetClass)) { - return entry.getValue().check(authentication, object); + return entry.getValue().authorize(authentication, object); } } return new AuthorizationDecision(false); } - } diff --git a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java index e833c6f3f77..b7a36c00b50 100644 --- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,6 +21,7 @@ import java.util.Map; import java.util.function.Supplier; +import org.springframework.security.authorization.AuthorizationResult; import org.w3c.dom.Element; import org.springframework.beans.BeansException; @@ -455,8 +456,7 @@ private ExpressionBasedAuthorizationManager( } @Override - public AuthorizationDecision check(Supplier authentication, - MessageAuthorizationContext object) { + public AuthorizationResult authorize(Supplier authentication, MessageAuthorizationContext object) { EvaluationContext context = this.expressionHandler.createEvaluationContext(authentication, object); boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, context); return new AuthorizationDecision(granted); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java index 0aad4d777ca..a3bacbb9a19 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -131,7 +131,7 @@ public void configureMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUs CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class); this.spring.register(CustomAuthorizationManagerConfig.class, BasicController.class).autowire(); this.mvc.perform(get("/")).andExpect(status().isOk()); - verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any()); + verify(CustomAuthorizationManagerConfig.authorizationManager).authorize(any(), any()); } @Test @@ -139,7 +139,7 @@ public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullT CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class); this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire(); this.mvc.perform(get("/")).andExpect(status().isOk()); - verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any()); + verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).authorize(any(), any()); } @Test diff --git a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java index a20fe5397f1..aac6a003c2b 100644 --- a/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java +++ b/config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -112,7 +112,7 @@ public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException() @Test public void validateCheckLoginPageAllowsAnonymous() { - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false)); this.validator.validate(this.chainAuthorizationFilter); verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. " + "This is almost certainly an error. Please check your configuration allows unauthenticated " diff --git a/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java index b8a86d2411c..35d16f40859 100644 --- a/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -90,13 +90,13 @@ public void getWhenUsingAuthorizationManagerThenRedirectsToLogin() throws Except this.spring.configLocations(this.xml("AuthorizationManager")).autowire(); AuthorizationManager authorizationManager = this.spring.getContext() .getBean(AuthorizationManager.class); - given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false)); // @formatter:off this.mvc.perform(get("/")) .andExpect(status().isFound()) .andExpect(redirectedUrl("http://localhost/login")); // @formatter:on - verify(authorizationManager).check(any(), any()); + verify(authorizationManager).authorize(any(), any()); } @Test diff --git a/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java b/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java index a4257f1732f..77af9c70b0f 100644 --- a/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java +++ b/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -168,9 +168,9 @@ public void transactionalAuthorizationManagerMethodsShouldBeSecured() { @Test public void targetCustomAuthorizationManagerUsed() { - given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.mockAuthorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true)); this.targetCustomAuthorizationManager.doSomething(); - verify(this.mockAuthorizationManager).check(any(), any()); + verify(this.mockAuthorizationManager).authorize(any(), any()); } @Override diff --git a/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java index 37cddc91048..4b6fe4485fc 100644 --- a/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,6 +39,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.config.annotation.method.configuration.MethodSecurityService; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; @@ -463,7 +464,7 @@ public boolean hasPermission(Authentication authentication, Serializable targetI static class MyAuthorizationManager implements AuthorizationManager { @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocation object) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation object) { return new AuthorizationDecision("bob".equals(authentication.get().getName())); } diff --git a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java index c8bf1d8eb1e..32480849874 100644 --- a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -489,11 +489,11 @@ public void sendWhenCustomAuthorizationManagerThenAuthorizesAccordingly() { this.spring.configLocations(xml("CustomAuthorizationManagerConfig")).autowire(); AuthorizationManager> authorizationManager = this.spring.getContext() .getBean(AuthorizationManager.class); - given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false)); Message message = message("/any"); assertThatExceptionOfType(Exception.class).isThrownBy(send(message)) .withCauseInstanceOf(AccessDeniedException.class); - verify(authorizationManager).check(any(), any()); + verify(authorizationManager).authorize(any(), any()); } private String xml(String configName) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java index 8e636df1727..18eb8a46c4e 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -106,12 +106,12 @@ public static AuthenticatedAuthorizationManager anonymous() { /** * Determines if the current user is authorized according to the given strategy. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param object the {@link T} object to check + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param object the {@link T} object to authorize * @return an {@link AuthorizationDecision} */ @Override - public AuthorizationDecision check(Supplier authentication, T object) { + public AuthorizationResult authorize(Supplier authentication, T object) { boolean granted = this.authorizationStrategy.isGranted(authentication.get()); return new AuthorizationDecision(granted); } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java index eedb9d8671b..8c1bff366d9 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -50,13 +50,12 @@ public void setRoleHierarchy(RoleHierarchy roleHierarchy) { /** * Determines if the current user is authorized by evaluating if the * {@link Authentication} contains any of specified authorities. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param authorities the collection of authority strings to check + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param authorities the collection of authority strings to authorize * @return an {@link AuthorityAuthorizationDecision} */ @Override - public AuthorityAuthorizationDecision check(Supplier authentication, - Collection authorities) { + public AuthorizationResult authorize(Supplier authentication, Collection authorities) { boolean granted = isGranted(authentication.get(), authorities); return new AuthorityAuthorizationDecision(granted, AuthorityUtils.createAuthorityList(authorities)); } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java index 1d93dffa08e..2114639c407 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ /** * An {@link AuthorizationManager} that determines if the current user is authorized by - * evaluating if the {@link Authentication} contains a specified authority. + * evaluating if the {@link AuthorizationResult} contains a specified authority. * * @param the type of object being authorized. * @author Evgeniy Cheban @@ -136,13 +136,13 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) { /** * Determines if the current user is authorized by evaluating if the * {@link Authentication} contains a specified authority. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param object the {@link T} object to check - * @return an {@link AuthorizationDecision} + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param object the {@link T} object to authorize + * @return an {@link AuthorizationResult} */ @Override - public AuthorizationDecision check(Supplier authentication, T object) { - return this.delegate.check(authentication, this.authorities); + public AuthorizationResult authorize(Supplier authentication, T object) { + return this.delegate.authorize(authentication, this.authorities); } @Override diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java index 221d5f01c6b..33a88556087 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,7 +39,7 @@ public interface AuthorizationManager { * @throws AccessDeniedException if access is not granted */ default void verify(Supplier authentication, T object) { - AuthorizationDecision decision = check(authentication, object); + AuthorizationResult decision = authorize(authentication, object); if (decision != null && !decision.isGranted()) { throw new AccessDeniedException("Access Denied"); } @@ -50,8 +50,23 @@ default void verify(Supplier authentication, T object) { * @param authentication the {@link Supplier} of the {@link Authentication} to check * @param object the {@link T} object to check * @return an {@link AuthorizationDecision} or null if no decision could be made + * @deprecated Use {{@link #authorize(Supplier, Object)}} instead */ + @Deprecated(forRemoval = true) @Nullable - AuthorizationDecision check(Supplier authentication, T object); + default AuthorizationDecision check(Supplier authentication, T object) { + return (AuthorizationDecision) authorize(authentication, object); + } + + /** + * Determines if access should be granted for a specific authentication and object. + * @param authentication the {@link Supplier} of the {@link Authentication} to + * authorize + * @param object the {@link T} object to authorize + * @return an {@link AuthorizationResult} or null if no result could be made + * @since 6.3 + */ + @Nullable + AuthorizationResult authorize(Supplier authentication, T object); } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java index b9031092050..09077a48157 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -56,9 +56,9 @@ public static AuthorizationManager anyOf(AuthorizationManager... manag public static AuthorizationManager anyOf(AuthorizationDecision allAbstainDefaultDecision, AuthorizationManager... managers) { return (authentication, object) -> { - List decisions = new ArrayList<>(); + List decisions = new ArrayList<>(); for (AuthorizationManager manager : managers) { - AuthorizationDecision decision = manager.check(authentication, object); + AuthorizationResult decision = manager.authorize(authentication, object); if (decision == null) { continue; } @@ -102,9 +102,9 @@ public static AuthorizationManager allOf(AuthorizationManager... manag public static AuthorizationManager allOf(AuthorizationDecision allAbstainDefaultDecision, AuthorizationManager... managers) { return (authentication, object) -> { - List decisions = new ArrayList<>(); + List decisions = new ArrayList<>(); for (AuthorizationManager manager : managers) { - AuthorizationDecision decision = manager.check(authentication, object); + AuthorizationResult decision = manager.authorize(authentication, object); if (decision == null) { continue; } @@ -131,7 +131,7 @@ public static AuthorizationManager allOf(AuthorizationDecision allAbstain */ public static AuthorizationManager not(AuthorizationManager manager) { return (authentication, object) -> { - AuthorizationDecision decision = manager.check(authentication, object); + AuthorizationResult decision = manager.authorize(authentication, object); if (decision == null) { return null; } @@ -144,9 +144,9 @@ private AuthorizationManagers() { private static final class CompositeAuthorizationDecision extends AuthorizationDecision { - private final List decisions; + private final List decisions; - private CompositeAuthorizationDecision(boolean granted, List decisions) { + private CompositeAuthorizationDecision(boolean granted, List decisions) { super(granted); this.decisions = decisions; } @@ -160,9 +160,9 @@ public String toString() { private static final class NotAuthorizationDecision extends AuthorizationDecision { - private final AuthorizationDecision decision; + private final AuthorizationResult decision; - private NotAuthorizationDecision(AuthorizationDecision decision) { + private NotAuthorizationDecision(AuthorizationResult decision) { super(!decision.isGranted()); this.decision = decision; } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java index 8e5692213c0..e90898dce90 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java @@ -33,7 +33,7 @@ public class AuthorizationObservationContext extends Observation.Context { private final T object; - private AuthorizationDecision decision; + private AuthorizationResult decision; public AuthorizationObservationContext(T object) { Assert.notNull(object, "object cannot be null"); @@ -69,18 +69,18 @@ public T getObject() { } /** - * Get the observed {@link AuthorizationDecision} - * @return the observed {@link AuthorizationDecision} + * Get the observed {@link AuthorizationResult} + * @return the observed {@link AuthorizationResult} */ - public AuthorizationDecision getDecision() { + public AuthorizationResult getDecision() { return this.decision; } /** - * Set the observed {@link AuthorizationDecision} - * @param decision the observed {@link AuthorizationDecision} + * Set the observed {@link AuthorizationResult} + * @param decision the observed {@link AuthorizationResult} */ - public void setDecision(AuthorizationDecision decision) { + public void setDecision(AuthorizationResult decision) { this.decision = decision; } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java index 1fb819cd49e..922e24b73a5 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -117,7 +117,7 @@ private String getDecisionDetails(AuthorizationObservationContext context) { if (context.getDecision() == null) { return "unknown"; } - AuthorizationDecision decision = context.getDecision(); + AuthorizationResult decision = context.getDecision(); return String.valueOf(decision); } diff --git a/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java index 3f0050b0c49..c62a63c4c8d 100644 --- a/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -69,7 +69,7 @@ public ObservationAuthorizationManager(ObservationRegistry registry, Authorizati } @Override - public AuthorizationDecision check(Supplier authentication, T object) { + public AuthorizationResult authorize(Supplier authentication, T object) { AuthorizationObservationContext context = new AuthorizationObservationContext<>(object); Supplier wrapped = () -> { context.setAuthentication(authentication.get()); @@ -77,8 +77,8 @@ public AuthorizationDecision check(Supplier authentication, T ob }; Observation observation = Observation.createNotStarted(this.convention, () -> context, this.registry).start(); try (Observation.Scope scope = observation.openScope()) { - AuthorizationDecision decision = this.delegate.check(wrapped, object); - context.setDecision(decision); + AuthorizationResult decision = this.delegate.authorize(wrapped, object); + context.setDecision((AuthorizationDecision) decision); if (decision != null && !decision.isGranted()) { observation.error(new AccessDeniedException( this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access Denied"))); diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java index d5ca8b5f16a..ee4fe1cb17e 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java @@ -32,6 +32,7 @@ import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -172,8 +173,8 @@ public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strat private Object attemptAuthorization(MethodInvocation mi, Object result) { this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); MethodInvocationResult object = new MethodInvocationResult(mi, result); - AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, object); - this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision); + AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object); + this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, (AuthorizationDecision) decision); if (decision != null && !decision.isGranted()) { this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " + this.authorizationManager + " and decision " + decision)); @@ -183,7 +184,7 @@ private Object attemptAuthorization(MethodInvocation mi, Object result) { return result; } - private Object postProcess(MethodInvocationResult mi, AuthorizationDecision decision) { + private Object postProcess(MethodInvocationResult mi, AuthorizationResult decision) { if (this.authorizationManager instanceof MethodAuthorizationDeniedPostProcessor postProcessableDecision) { return postProcessableDecision.postProcessResult(mi, decision); } diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java index 371c8a2c1d1..df13fcdc45c 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java @@ -36,6 +36,7 @@ import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -245,8 +246,8 @@ public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy secur private Object attemptAuthorization(MethodInvocation mi) throws Throwable { this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi)); - AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, mi); - this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, decision); + AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, mi); + this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, mi, (AuthorizationDecision) decision); if (decision != null && !decision.isGranted()) { this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager " + this.authorizationManager + " and decision " + decision)); @@ -256,7 +257,7 @@ private Object attemptAuthorization(MethodInvocation mi) throws Throwable { return mi.proceed(); } - private Object handle(MethodInvocation mi, AuthorizationDecision decision) { + private Object handle(MethodInvocation mi, AuthorizationResult decision) { if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) { return handler.handle(mi, decision); } diff --git a/core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java index f913db85f68..33432ea5884 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java @@ -34,6 +34,7 @@ import org.springframework.security.authorization.AuthoritiesAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.util.Assert; @@ -89,15 +90,15 @@ public void setRolePrefix(String rolePrefix) { * Determine if an {@link Authentication} has access to a method by evaluating the * {@link DenyAll}, {@link PermitAll}, and {@link RolesAllowed} annotations that * {@link MethodInvocation} specifies. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param methodInvocation the {@link MethodInvocation} to check - * @return an {@link AuthorizationDecision} or null if the JSR-250 security + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param methodInvocation the {@link MethodInvocation} to authorize + * @return an {@link AuthorizationResult} or null if the JSR-250 security * annotations is not present */ @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocation methodInvocation) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation methodInvocation) { AuthorizationManager delegate = this.registry.getManager(methodInvocation); - return delegate.check(authentication, methodInvocation); + return delegate.authorize(authentication, methodInvocation); } private final class Jsr250AuthorizationManagerRegistry extends AbstractAuthorizationManagerRegistry { @@ -113,7 +114,7 @@ AuthorizationManager resolveManager(Method method, Class ta return (a, o) -> new AuthorizationDecision(true); } if (annotation instanceof RolesAllowed rolesAllowed) { - return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a, + return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.authorize(a, getAllowedRolesWithPrefix(rolesAllowed)); } return NULL_MANAGER; diff --git a/core/src/main/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManager.java index 5a972f3e9f4..1de5904c859 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/method/MethodExpressionAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,6 +27,7 @@ import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.ExpressionAuthorizationDecision; import org.springframework.security.core.Authentication; import org.springframework.util.Assert; @@ -67,13 +68,13 @@ public void setExpressionHandler(SecurityExpressionHandler exp /** * Determines the access by evaluating the provided expression. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param context the {@link MethodInvocation} to check + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param context the {@link MethodInvocation} to authorize * @return an {@link ExpressionAuthorizationDecision} based on the evaluated * expression */ @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocation context) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation context) { EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context); boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx); return new ExpressionAuthorizationDecision(granted, this.expression); diff --git a/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java index a2cd9d26816..82669db6e7a 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java @@ -24,7 +24,6 @@ import org.springframework.expression.EvaluationContext; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; import org.springframework.security.access.prepost.PostAuthorize; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; @@ -78,13 +77,13 @@ public void setApplicationContext(ApplicationContext context) { * Determine if an {@link Authentication} has access to the returned object by * evaluating the {@link PostAuthorize} annotation that the {@link MethodInvocation} * specifies. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param mi the {@link MethodInvocationResult} to check - * @return an {@link AuthorizationDecision} or {@code null} if the + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param mi the {@link MethodInvocationResult} to authorize + * @return an {@link AuthorizationResult} or {@code null} if the * {@link PostAuthorize} annotation is not present */ @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocationResult mi) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocationResult mi) { ExpressionAttribute attribute = this.registry.getAttribute(mi.getMethodInvocation()); if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) { return null; @@ -92,7 +91,7 @@ public AuthorizationDecision check(Supplier authentication, Meth MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler(); EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi.getMethodInvocation()); expressionHandler.setReturnObject(mi.getResult(), ctx); - return (AuthorizationDecision) ExpressionUtils.evaluate(attribute.getExpression(), ctx); + return ExpressionUtils.evaluate(attribute.getExpression(), ctx); } @Override diff --git a/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java index 3895ceb90bd..10722e2b229 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java @@ -24,7 +24,6 @@ import org.springframework.expression.EvaluationContext; import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; @@ -70,19 +69,19 @@ public void setApplicationContext(ApplicationContext context) { * Determine if an {@link Authentication} has access to a method by evaluating an * expression from the {@link PreAuthorize} annotation that the * {@link MethodInvocation} specifies. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param mi the {@link MethodInvocation} to check - * @return an {@link AuthorizationDecision} or {@code null} if the + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param mi the {@link MethodInvocation} to authorize + * @return an {@link AuthorizationResult} or {@code null} if the * {@link PreAuthorize} annotation is not present */ @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocation mi) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation mi) { ExpressionAttribute attribute = this.registry.getAttribute(mi); if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) { return null; } EvaluationContext ctx = this.registry.getExpressionHandler().createEvaluationContext(authentication, mi); - return (AuthorizationDecision) ExpressionUtils.evaluate(attribute.getExpression(), ctx); + return ExpressionUtils.evaluate(attribute.getExpression(), ctx); } @Override diff --git a/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java index 63553503d21..7f9cb2856f1 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java @@ -30,8 +30,8 @@ import org.springframework.core.MethodClassKey; import org.springframework.security.access.annotation.Secured; import org.springframework.security.authorization.AuthoritiesAuthorizationManager; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.util.Assert; @@ -66,15 +66,15 @@ public void setAuthoritiesAuthorizationManager( /** * Determine if an {@link Authentication} has access to a method by evaluating the * {@link Secured} annotation that {@link MethodInvocation} specifies. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param mi the {@link MethodInvocation} to check - * @return an {@link AuthorizationDecision} or null if the {@link Secured} annotation + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param mi the {@link MethodInvocation} to authorize + * @return an {@link AuthorizationResult} or null if the {@link Secured} annotation * is not present */ @Override - public AuthorizationDecision check(Supplier authentication, MethodInvocation mi) { + public AuthorizationResult authorize(Supplier authentication, MethodInvocation mi) { Set authorities = getAuthorities(mi); - return authorities.isEmpty() ? null : this.authoritiesAuthorizationManager.check(authentication, authorities); + return authorities.isEmpty() ? null : this.authoritiesAuthorizationManager.authorize(authentication, authorities); } private Set getAuthorities(MethodInvocation methodInvocation) { diff --git a/core/src/test/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java index 1921f7dc1a3..549a2bd3cfa 100644 --- a/core/src/test/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,7 +73,7 @@ void setup() { @Test void verifyWhenDefaultsThenObserves() { given(this.handler.supportsContext(any())).willReturn(true); - given(this.authorizationManager.check(any(), any())).willReturn(this.grant); + given(this.authorizationManager.authorize(any(), any())).willReturn(this.grant); this.tested.verify(this.token, this.object); ArgumentCaptor captor = ArgumentCaptor.forClass(Observation.Context.class); verify(this.handler).onStart(captor.capture()); @@ -91,7 +91,7 @@ void verifyWhenErrorsThenObserves() { MessageSource source = mock(MessageSource.class); this.tested.setMessageSource(source); given(this.handler.supportsContext(any())).willReturn(true); - given(this.authorizationManager.check(any(), any())).willReturn(this.deny); + given(this.authorizationManager.authorize(any(), any())).willReturn(this.deny); given(source.getMessage(eq("AbstractAccessDecisionManager.accessDenied"), any(), any(), any())) .willReturn("accessDenied"); assertThatExceptionOfType(AccessDeniedException.class) @@ -112,7 +112,7 @@ void verifyWhenErrorsThenObserves() { @Test void verifyWhenLooksUpAuthenticationThenObserves() { given(this.handler.supportsContext(any())).willReturn(true); - given(this.authorizationManager.check(any(), any())).willAnswer((invocation) -> { + given(this.authorizationManager.authorize(any(), any())).willAnswer((invocation) -> { ((Supplier) invocation.getArgument(0)).get(); return this.grant; }); diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java index b82785f1017..1e6286528a3 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -74,7 +74,7 @@ public void beforeWhenMockAuthorizationManagerThenCheckAndReturnedObject() throw Pointcut.TRUE, mockAuthorizationManager); Object returnedObject = advice.invoke(mockMethodInvocation); assertThat(returnedObject).isEqualTo(result.getResult()); - verify(mockAuthorizationManager).check(any(Supplier.class), any(MethodInvocationResult.class)); + verify(mockAuthorizationManager).authorize(any(Supplier.class), any(MethodInvocationResult.class)); } @Test diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java index 210a70e0b4e..00bd565351d 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -69,7 +69,7 @@ public void beforeWhenMockAuthorizationManagerThenCheck() throws Throwable { AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor( Pointcut.TRUE, mockAuthorizationManager); advice.invoke(mockMethodInvocation); - verify(mockAuthorizationManager).check(any(Supplier.class), eq(mockMethodInvocation)); + verify(mockAuthorizationManager).authorize(any(Supplier.class), eq(mockMethodInvocation)); } @Test diff --git a/core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java index 59187469232..338c8cce96a 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java @@ -86,7 +86,7 @@ public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throw "ROLE_ADMIN"); AuthorizationDecision decision = manager.check(authentication, methodInvocation); assertThat(decision).isNull(); - verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_ADMIN")); + verify(authoritiesAuthorizationManager).authorize(authentication, Set.of("ROLE_ADMIN")); } @Test diff --git a/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java index 5567ad7ae64..4e19642f927 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java @@ -32,6 +32,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import static org.assertj.core.api.Assertions.assertThat; @@ -62,9 +63,9 @@ public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throw MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, "securedUserOrAdmin"); Supplier authentication = TestAuthentication::authenticatedUser; - AuthorizationDecision decision = manager.check(authentication, methodInvocation); + AuthorizationResult decision = manager.authorize(authentication, methodInvocation); assertThat(decision).isNull(); - verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_USER", "ROLE_ADMIN")); + verify(authoritiesAuthorizationManager).authorize(authentication, Set.of("ROLE_USER", "ROLE_ADMIN")); } @Test diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java index c61e3b660e8..e6bd61984ab 100644 --- a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java +++ b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -66,8 +67,8 @@ public AuthorizationChannelInterceptor(AuthorizationManager> preSendA @Override public Message preSend(Message message, MessageChannel channel) { this.logger.debug(LogMessage.of(() -> "Authorizing message send")); - AuthorizationDecision decision = this.preSendAuthorizationManager.check(this.authentication, message); - this.eventPublisher.publishAuthorizationEvent(this.authentication, message, decision); + AuthorizationResult decision = this.preSendAuthorizationManager.authorize(this.authentication, message); + this.eventPublisher.publishAuthorizationEvent(this.authentication, message, (AuthorizationDecision) decision); if (decision == null || !decision.isGranted()) { // default deny this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager " + this.preSendAuthorizationManager + " and decision " + decision)); diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java index d442e7532cf..2bd327a2e92 100644 --- a/messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java +++ b/messaging/src/main/java/org/springframework/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +31,7 @@ import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.messaging.util.matcher.MessageMatcher; import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher; @@ -55,14 +56,14 @@ private MessageMatcherDelegatingAuthorizationManager( /** * Delegates to a specific {@link AuthorizationManager} based on a * {@link MessageMatcher} evaluation. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param message the {@link Message} to check - * @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher} + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param message the {@link Message} to authorize + * @return an {@link AuthorizationResult}. If there is no {@link MessageMatcher} * matching the message, or the {@link AuthorizationManager} could not decide, then * null is returned */ @Override - public AuthorizationDecision check(Supplier authentication, Message message) { + public AuthorizationResult authorize(Supplier authentication, Message message) { if (this.logger.isTraceEnabled()) { this.logger.trace(LogMessage.format("Authorizing message")); } @@ -74,7 +75,7 @@ public AuthorizationDecision check(Supplier authentication, Mess if (this.logger.isTraceEnabled()) { this.logger.trace(LogMessage.format("Checking authorization on message using %s", manager)); } - return manager.check(authentication, authorizationContext); + return manager.authorize(authentication, authorizationContext); } } this.logger.trace("Abstaining since did not find matching MessageMatcher"); diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java index fc354ed212c..18ec3720c4b 100644 --- a/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java +++ b/messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -81,13 +81,13 @@ public void constructorWhenAuthorizationManagerNullThenIllegalArgument() { @Test public void preSendWhenAllowThenSameMessage() { - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true)); assertThat(this.interceptor.preSend(this.message, this.channel)).isSameAs(this.message); } @Test public void preSendWhenDenyThenException() { - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false)); assertThatExceptionOfType(AccessDeniedException.class) .isThrownBy(() -> this.interceptor.preSend(this.message, this.channel)); } @@ -101,7 +101,7 @@ public void setEventPublisherWhenNullThenException() { @Test public void preSendWhenAuthorizationEventPublisherThenPublishes() { this.interceptor.setAuthorizationEventPublisher(this.eventPublisher); - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true)); this.interceptor.preSend(this.message, this.channel); verify(this.eventPublisher).publishAuthorizationEvent(any(), any(), any()); } diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java index e36a54fda6e..d60f0e19652 100644 --- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,8 +19,8 @@ import jakarta.servlet.ServletContext; import jakarta.servlet.http.HttpServletRequest; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.FilterInvocation; import org.springframework.util.Assert; @@ -57,7 +57,7 @@ public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); - AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, httpRequest); + AuthorizationResult decision = this.authorizationManager.authorize(() -> authentication, httpRequest); return decision == null || decision.isGranted(); } diff --git a/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java index 35e9cfdbd23..bfd4bcf1699 100644 --- a/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java +++ b/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,6 +20,7 @@ import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.access.intercept.RequestAuthorizationContext; import org.springframework.security.web.util.matcher.IpAddressMatcher; @@ -52,8 +53,7 @@ public static IpAddressAuthorizationManager hasIpAddress(String ipAddress) { } @Override - public AuthorizationDecision check(Supplier authentication, - RequestAuthorizationContext requestAuthorizationContext) { + public AuthorizationResult authorize(Supplier authentication, RequestAuthorizationContext requestAuthorizationContext) { return new AuthorizationDecision( this.ipAddressMatcher.matcher(requestAuthorizationContext.getRequest()).isMatch()); } diff --git a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManager.java index 22d49e44e7c..9707f1f5a29 100644 --- a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManager.java +++ b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,8 +22,8 @@ import org.springframework.expression.Expression; import org.springframework.security.access.expression.ExpressionUtils; import org.springframework.security.access.expression.SecurityExpressionHandler; -import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.ExpressionAuthorizationDecision; import org.springframework.security.core.Authentication; import org.springframework.security.web.access.intercept.RequestAuthorizationContext; @@ -65,13 +65,13 @@ public void setExpressionHandler(SecurityExpressionHandler authentication, RequestAuthorizationContext context) { + public AuthorizationResult authorize(Supplier authentication, RequestAuthorizationContext context) { EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context); boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx); return new ExpressionAuthorizationDecision(granted, this.expression); diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java index 6c27365070e..8bde5406d70 100644 --- a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java +++ b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -33,6 +33,7 @@ import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.event.AuthorizationDeniedEvent; import org.springframework.security.authorization.event.AuthorizationGrantedEvent; import org.springframework.security.core.Authentication; @@ -92,8 +93,8 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName(); request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE); try { - AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request); - this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision); + AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, request); + this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, (AuthorizationDecision) decision); if (decision != null && !decision.isGranted()) { throw new AccessDeniedException("Access Denied"); } diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java index 7f00779c4ed..2df54feb674 100644 --- a/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java +++ b/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.core.Authentication; import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; @@ -62,14 +63,14 @@ private RequestMatcherDelegatingAuthorizationManager( /** * Delegates to a specific {@link AuthorizationManager} based on a * {@link RequestMatcher} evaluation. - * @param authentication the {@link Supplier} of the {@link Authentication} to check - * @param request the {@link HttpServletRequest} to check - * @return an {@link AuthorizationDecision}. If there is no {@link RequestMatcher} + * @param authentication the {@link Supplier} of the {@link Authentication} to authorize + * @param request the {@link HttpServletRequest} to authorize + * @return an {@link AuthorizationResult}. If there is no {@link RequestMatcher} * matching the request, or the {@link AuthorizationManager} could not decide, then * null is returned */ @Override - public AuthorizationDecision check(Supplier authentication, HttpServletRequest request) { + public AuthorizationResult authorize(Supplier authentication, HttpServletRequest request) { if (this.logger.isTraceEnabled()) { this.logger.trace(LogMessage.format("Authorizing %s", request)); } @@ -82,7 +83,7 @@ public AuthorizationDecision check(Supplier authentication, Http if (this.logger.isTraceEnabled()) { this.logger.trace(LogMessage.format("Checking authorization on %s using %s", request, manager)); } - return manager.check(authentication, + return manager.authorize(authentication, new RequestAuthorizationContext(request, matchResult.getVariables())); } } diff --git a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java index c5cb7669c1b..c7069d1587d 100644 --- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java +++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -60,22 +60,22 @@ void constructorWhenAuthorizationManagerNullThenIllegalArgument() { @Test void isAllowedWhenAuthorizationManagerAllowsThenAllowedTrue() { - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true)); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isTrue(); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() { - given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false)); + given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false)); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isFalse(); } @Test void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() { - given(this.authorizationManager.check(any(), any())).willReturn(null); + given(this.authorizationManager.authorize(any(), any())).willReturn(null); boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); assertThat(allowed).isTrue(); } @@ -86,7 +86,7 @@ void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() { this.privilegeEvaluator.setServletContext(servletContext); this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); ArgumentCaptor captor = ArgumentCaptor.forClass(HttpServletRequest.class); - verify(this.authorizationManager).check(any(), captor.capture()); + verify(this.authorizationManager).authorize(any(), captor.capture()); assertThat(captor.getValue().getServletContext()).isSameAs(servletContext); } @@ -103,7 +103,7 @@ void isAllowedWhenRequestTransformerThenUsesRequestTransformerResult() { this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser()); - verify(this.authorizationManager).check(any(), eq(request)); + verify(this.authorizationManager).authorize(any(), eq(request)); } } diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java index e24fb6fd034..634c6ff5177 100644 --- a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -91,7 +91,7 @@ public void tearDown() { @Test public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Exception { AuthorizationManager mockAuthorizationManager = mock(AuthorizationManager.class); - given(mockAuthorizationManager.check(any(Supplier.class), any(HttpServletRequest.class))) + given(mockAuthorizationManager.authorize(any(Supplier.class), any(HttpServletRequest.class))) .willReturn(new AuthorizationDecision(true)); AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager); TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password"); @@ -107,7 +107,7 @@ public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Ex filter.doFilter(mockRequest, mockResponse, mockFilterChain); ArgumentCaptor> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class); - verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest)); + verify(mockAuthorizationManager).authorize(authenticationCaptor.capture(), eq(mockRequest)); Supplier authentication = authenticationCaptor.getValue(); assertThat(authentication.get()).isEqualTo(authenticationToken); @@ -130,14 +130,14 @@ public void filterWhenAuthorizationManagerVerifyThrowsAccessDeniedExceptionThenS FilterChain mockFilterChain = mock(FilterChain.class); willThrow(new AccessDeniedException("Access Denied")).given(mockAuthorizationManager) - .check(any(), eq(mockRequest)); + .authorize(any(), eq(mockRequest)); assertThatExceptionOfType(AccessDeniedException.class) .isThrownBy(() -> filter.doFilter(mockRequest, mockResponse, mockFilterChain)) .withMessage("Access Denied"); ArgumentCaptor> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class); - verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest)); + verify(mockAuthorizationManager).authorize(authenticationCaptor.capture(), eq(mockRequest)); Supplier authentication = authenticationCaptor.getValue(); assertThat(authentication.get()).isEqualTo(authenticationToken); @@ -203,7 +203,7 @@ public void doFilterWhenErrorThenDoFilter() throws Exception { FilterChain mockFilterChain = mock(FilterChain.class); authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain); - verify(authorizationManager).check(any(Supplier.class), eq(mockRequest)); + verify(authorizationManager).authorize(any(Supplier.class), eq(mockRequest)); } @Test @@ -233,7 +233,7 @@ public void doFilterWhenObserveOncePerRequestTrueAndIsAppliedThenNotInvoked() th public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException { this.filter.setObserveOncePerRequest(true); this.filter.doFilter(this.request, this.response, this.chain); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test @@ -241,14 +241,14 @@ public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() thro setIsAppliedTrue(); this.filter.setObserveOncePerRequest(false); this.filter.doFilter(this.request, this.response, this.chain); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException { this.filter.setObserveOncePerRequest(false); this.filter.doFilter(this.request, this.response, this.chain); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test @@ -264,7 +264,7 @@ public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws Se this.request.setDispatcherType(DispatcherType.ERROR); this.filter.setFilterErrorDispatch(true); this.filter.doFilter(this.request, this.response, this.chain); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test @@ -287,7 +287,7 @@ public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws Se this.request.setDispatcherType(DispatcherType.ASYNC); this.filter.setFilterAsyncDispatch(true); this.filter.doFilter(this.request, this.response, this.chain); - verify(this.authorizationManager).check(any(), any()); + verify(this.authorizationManager).authorize(any(), any()); } @Test