SpEL Expressions Support Returning AuthorizationManager

jzheaux · jzheaux · commit 765bdf1ed01d · 2025-09-19T12:07:59.000-06:00
Closes spring-projectsgh-17936
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java
@@ -16,10 +16,13 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import org.aopalliance.intercept.MethodInvocation;
 import reactor.core.publisher.Mono;
 
 import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 
@@ -55,6 +58,14 @@ public Mono<AuthorizationResult> checkReactiveResult(boolean result) {
 		return Mono.just(checkResult(result));
 	}
 
+	public AuthorizationManager<MethodInvocation> checkManager(long id) {
+		return (authentication, context) -> new AuthorizationDecision(check(id));
+	}
+
+	public ReactiveAuthorizationManager<MethodInvocation> checkReactiveManager(long id) {
+		return (authentication, context) -> checkReactive(id).map(AuthorizationDecision::new);
+	}
+
 	@SuppressWarnings("serial")
 	public static class AuthzResult extends AuthorizationDecision {
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java
@@ -196,6 +196,9 @@ public interface MethodSecurityService {
 	@HandleAuthorizationDenied(handlerClass = MethodAuthorizationDeniedHandler.class)
 	String checkCustomResult(boolean result);
 
+	@PreAuthorize("@authz.checkManager(#id)")
+	String checkCustomManager(long id);
+
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.java
@@ -203,6 +203,11 @@ public String checkCustomResult(boolean result) {
 		return "ok";
 	}
 
+	@Override
+	public String checkCustomManager(long id) {
+		return "ok";
+	}
+
 	@Override
 	public void hasAllRolesUserAdmin() {
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
@@ -92,6 +92,7 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
@@ -1410,6 +1411,14 @@ void getWhenCustomAdvisorAuthenticationNameNotMatchThenRespondsWithForbidden() t
 		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 	}
 
+	@Test
+	void checkCustomManagerWhenInvokedThenUsesBeanToAuthorize() {
+		this.spring.register(MethodSecurityServiceConfig.class).autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		service.checkCustomManager(2);
+		assertThatExceptionOfType(AuthorizationDeniedException.class).isThrownBy(() -> service.checkCustomManager(1));
+	}
+
 	private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
 		return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java
@@ -51,6 +51,7 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
@@ -66,6 +67,7 @@
 import org.springframework.security.test.context.support.WithMockUser;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.clearInvocations;
 import static org.mockito.Mockito.mock;
@@ -285,6 +287,15 @@ public void prePostMethodWhenExcludeAuthorizationObservationsThenUnobserved() {
 		verifyNoInteractions(handler);
 	}
 
+	@Test
+	void checkCustomManagerWhenInvokedThenUsesBeanToAuthorize() {
+		this.spring.register(WithRolePrefixConfiguration.class, MethodSecurityServiceConfig.class).autowire();
+		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
+		service.checkCustomManager(2).block();
+		assertThatExceptionOfType(AuthorizationDeniedException.class)
+			.isThrownBy(() -> service.checkCustomManager(1).block());
+	}
+
 	private static Consumer<User.UserBuilder> authorities(String... authorities) {
 		return (builder) -> builder.authorities(authorities);
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java
@@ -110,6 +110,9 @@ public interface ReactiveMethodSecurityService {
 	@HandleAuthorizationDenied(handlerClass = MethodAuthorizationDeniedHandler.class)
 	Mono<String> checkCustomResult(boolean result);
 
+	@PreAuthorize("@authz.checkReactiveManager(#id)")
+	Mono<String> checkCustomManager(long id);
+
 	@PreAuthorize("hasPermission(#kgName, 'read')")
 	Mono<String> preAuthorizeHasPermission(String kgName);
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java
@@ -100,6 +100,11 @@ public Mono<String> checkCustomResult(boolean result) {
 		return Mono.just("ok");
 	}
 
+	@Override
+	public Mono<String> checkCustomManager(long id) {
+		return Mono.just("ok");
+	}
+
 	@Override
 	public Mono<String> preAuthorizeHasPermission(String kgName) {
 		return Mono.just("ok");
diff --git a/core/src/main/java/org/springframework/security/authorization/method/ExpressionUtils.java b/core/src/main/java/org/springframework/security/authorization/method/ExpressionUtils.java
@@ -16,23 +16,38 @@
 
 package org.springframework.security.authorization.method;
 
+import java.util.function.Supplier;
+
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.EvaluationException;
 import org.springframework.expression.Expression;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ExpressionAuthorizationDecision;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 
 final class ExpressionUtils {
 
 	private ExpressionUtils() {
 	}
 
 	static @Nullable AuthorizationResult evaluate(Expression expr, EvaluationContext ctx) {
+		return evaluate(expr, ctx, () -> null, null);
+	}
+
+	static <T> @Nullable AuthorizationResult evaluate(Expression expr, EvaluationContext ctx,
+			Supplier<? extends @Nullable Authentication> authentication, @Nullable T context) {
 		try {
 			Object result = expr.getValue(ctx);
+			if (result instanceof AuthorizationManager<?> manager) {
+				Assert.notNull(authentication, "authentication supplier cannot be null");
+				Assert.notNull(context, "context cannot be null");
+				return ((AuthorizationManager<T>) manager).authorize(authentication, context);
+			}
 			if (result instanceof AuthorizationResult decision) {
 				return decision;
 			}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java
@@ -95,7 +95,7 @@ public void setApplicationContext(ApplicationContext context) {
 		MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();
 		EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi.getMethodInvocation());
 		expressionHandler.setReturnObject(mi.getResult(), ctx);
-		return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
+		return ExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi);
 	}
 
 	@Override
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeReactiveAuthorizationManager.java
@@ -91,7 +91,7 @@ public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication,
 		return authentication
 				.map((auth) -> expressionHandler.createEvaluationContext(auth, mi))
 				.doOnNext((ctx) -> expressionHandler.setReturnObject(result.getResult(), ctx))
-				.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx))
+				.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, result))
 				.cast(AuthorizationResult.class);
 		// @formatter:on
 	}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java
@@ -85,7 +85,7 @@ public void setApplicationContext(ApplicationContext context) {
 			return null;
 		}
 		EvaluationContext ctx = this.registry.getExpressionHandler().createEvaluationContext(authentication, mi);
-		return ExpressionUtils.evaluate(attribute.getExpression(), ctx);
+		return ExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi);
 	}
 
 	@Override
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeReactiveAuthorizationManager.java
@@ -85,7 +85,7 @@ public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication,
 		// @formatter:off
 		return authentication
 				.map((auth) -> this.registry.getExpressionHandler().createEvaluationContext(auth, mi))
-				.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx))
+				.flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi))
 				.cast(AuthorizationResult.class);
 		// @formatter:on
 	}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/ReactiveExpressionUtils.java b/core/src/main/java/org/springframework/security/authorization/method/ReactiveExpressionUtils.java
@@ -24,6 +24,9 @@
 import org.springframework.expression.Expression;
 import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ExpressionAuthorizationDecision;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 
 /**
  * For internal use only, as this contract is likely to change.
@@ -34,6 +37,11 @@
 final class ReactiveExpressionUtils {
 
 	static Mono<AuthorizationResult> evaluate(Expression expr, EvaluationContext ctx) {
+		return evaluate(expr, ctx, Mono.empty(), null);
+	}
+
+	static <T> Mono<AuthorizationResult> evaluate(Expression expr, EvaluationContext ctx,
+			Mono<Authentication> authentication, @Nullable T context) {
 		return Mono.defer(() -> {
 			Object value;
 			try {
@@ -43,6 +51,10 @@ static Mono<AuthorizationResult> evaluate(Expression expr, EvaluationContext ctx
 				return Mono.error(() -> new IllegalArgumentException(
 						"Failed to evaluate expression '" + expr.getExpressionString() + "'", ex));
 			}
+			if (value instanceof ReactiveAuthorizationManager<?> manager) {
+				Assert.notNull(context, "context cannot be null");
+				return ((ReactiveAuthorizationManager<T>) manager).authorize(authentication, context);
+			}
 			if (value instanceof Mono<?> mono) {
 				return mono.flatMap((data) -> adapt(expr, data));
 			}
diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -1362,6 +1362,12 @@ Note, though, that returning an object is preferred as this doesn't incur the ex
 
 Then, you can access the custom details when you <<fallback-values-authorization-denied, customize how the authorization result is handled>>.
 
+[TIP]
+====
+Further, you can return an `AuthorizationManager` itself.
+This is helpful when unifying custom web authorization rules with method security ones since web security by default requires specifying an `AuthorizationManager` instance.
+====
+
 [[custom-authorization-managers]]
 === Using a Custom Authorization Manager
 

Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,11 @@ public String checkCustomResult(boolean result) {`
`203`	`203`	`return "ok";`
`204`	`204`	`}`
`205`	`205`
	`206`	`+ @Override`
	`207`	`+ public String checkCustomManager(long id) {`
	`208`	`+ return "ok";`
	`209`	`+ }`
	`210`	`+`
`206`	`211`	`@Override`
`207`	`212`	`public void hasAllRolesUserAdmin() {`
`208`	`213`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ public void setApplicationContext(ApplicationContext context) {`
`95`	`95`	`MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler();`
`96`	`96`	`EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi.getMethodInvocation());`
`97`	`97`	`expressionHandler.setReturnObject(mi.getResult(), ctx);`
`98`		`- return ExpressionUtils.evaluate(attribute.getExpression(), ctx);`
	`98`	`+ return ExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, mi);`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication,`
`91`	`91`	`return authentication`
`92`	`92`	`.map((auth) -> expressionHandler.createEvaluationContext(auth, mi))`
`93`	`93`	`.doOnNext((ctx) -> expressionHandler.setReturnObject(result.getResult(), ctx))`
`94`		`- .flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx))`
	`94`	`+ .flatMap((ctx) -> ReactiveExpressionUtils.evaluate(attribute.getExpression(), ctx, authentication, result))`
`95`	`95`	`.cast(AuthorizationResult.class);`
`96`	`96`	`// @formatter:on`
`97`	`97`	`}`