Support Pre and Post method security annotations

See gh-289

Author: eleftherias

spring-graalvm-native-configuration/src/main/java/org/springframework/PrePostSecuredComponentProcessor.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework;
+
+import org.springframework.graalvm.extension.ComponentProcessor;
+import org.springframework.graalvm.extension.NativeImageContext;
+import org.springframework.graalvm.type.Type;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Recognize spring.components that use any of @PostAuthorize, @PostFilter, @PreAuthorize or @PreFilter
+ * annotation and register proxies for them.
+ *
+ * @author Eleftheria Stein
+ */
+public class PrePostSecuredComponentProcessor implements ComponentProcessor {
+
+    @Override
+    public boolean handle(NativeImageContext imageContext, String componentType, List<String> classifiers) {
+        Type type = imageContext.getTypeSystem().resolveName(componentType);
+        return (type != null && (type.isAtPrePostSecured()));
+    }
+
+    @Override
+    public void process(NativeImageContext imageContext, String componentType, List<String> classifiers) {
+        Type type = imageContext.getTypeSystem().resolveName(componentType);
+        List<String> prePostSecuredInterfaces = new ArrayList<>();
+        for (Type intface: type.getInterfaces()) {
+            prePostSecuredInterfaces.add(intface.getDottedName());
+        }
+        if (prePostSecuredInterfaces.size()==0) {
+            imageContext.log("PrePostSecuredComponentProcessor: unable to find interfaces to proxy on "+componentType);
+            return;
+        }
+        prePostSecuredInterfaces.add("org.springframework.aop.SpringProxy");
+        prePostSecuredInterfaces.add("org.springframework.aop.framework.Advised");
+        prePostSecuredInterfaces.add("org.springframework.core.DecoratingProxy");
+        imageContext.addProxy(prePostSecuredInterfaces);
+        imageContext.log("PrePostSecuredComponentProcessor: creating proxy for these interfaces: "+prePostSecuredInterfaces);
+    }
+}

spring-graalvm-native-configuration/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityHints.java

@@ -26,8 +26,9 @@
 		@TypeInfo(types= {EnableGlobalMethodSecurity.class,GlobalMethodSecurityConfiguration.class,
 				AutoProxyRegistrar.class,GlobalMethodSecurityAspectJAutoProxyRegistrar.class,
 				MethodSecurityMetadataSourceAdvisorRegistrar.class,Jsr250MetadataSourceConfiguration.class,
-				})
-		,@TypeInfo(types= MethodSecurityMetadataSourceAdvisor.class, access=AccessBits.CLASS|AccessBits.PUBLIC_METHODS|AccessBits.DECLARED_CONSTRUCTORS)
+				}),
+		@TypeInfo(types= MethodSecurityMetadataSourceAdvisor.class, access=AccessBits.CLASS|AccessBits.PUBLIC_METHODS|AccessBits.DECLARED_CONSTRUCTORS),
+		@TypeInfo(typeNames= "org.springframework.security.access.expression.method.MethodSecurityExpressionRoot", access=AccessBits.DECLARED_CONSTRUCTORS),
 		})
 @NativeImageHint(trigger=ReactiveMethodSecuritySelector.class, typeInfos = {
 		@TypeInfo(types= {AutoProxyRegistrar.class,ReactiveMethodSecurityConfiguration.class})})

spring-graalvm-native-configuration/src/main/resources/META-INF/services/org.springframework.graalvm.extension.ComponentProcessor

@@ -3,3 +3,4 @@ org.springframework.data.SpringDataComponentProcessor
 org.springframework.web.WebComponentProcessor
 org.springframework.SynthesizerComputationComponentProcessor
 org.springframework.TransactionalComponentProcessor
+org.springframework.PrePostSecuredComponentProcessor

spring-graalvm-native-feature/src/main/java/org/springframework/graalvm/type/Type.java

@@ -98,6 +98,10 @@ public class Type {
 	public final static String AtAliasFor = "Lorg/springframework/core/annotation/AliasFor;";
 	public final static String Condition = "Lorg/springframework/context/annotation/Condition;";
 	public final static String EnvironmentPostProcessor = "Lorg/springframework/boot/env/EnvironmentPostProcessor";
+	public final static String AtPostAuthorize = "Lorg/springframework/security/access/prepost/PostAuthorize;";
+	public final static String AtPostFilter = "Lorg/springframework/security/access/prepost/PostFilter;";
+	public final static String AtPreAuthorize = "Lorg/springframework/security/access/prepost/PreAuthorize;";
+	public final static String AtPreFilter = "Lorg/springframework/security/access/prepost/PreFilter;";
 
 	public final static Type MISSING = new Type(null, null, 0);
 
@@ -2558,6 +2562,14 @@ public boolean isConditional() {
 		}
 	}
 
+	/**
+	 * @return true if type or a method inside is marked @PostAuthorize, @PostFilter, @PreAuthorize or @PreFilter
+	 */
+	public boolean isAtPrePostSecured() {
+		return isAnnotatedInHierarchy(AtPostAuthorize) || isAnnotatedInHierarchy(AtPostFilter)
+				|| isAnnotatedInHierarchy(AtPreAuthorize) || isAnnotatedInHierarchy(AtPreFilter);
+	}
+
 	public void collectAnnotations(List<Type> collector, Predicate<Type> filter) {
 		if (!this.isAnnotation()) {
 			throw new IllegalStateException(this.getDottedName() + " is not an annotation");

spring-graalvm-native-samples/security-method/README.md

@@ -0,0 +1,17 @@
+Spring Boot project with Spring MVC, Tomcat and Jackson.
+
+To build and run the native application packaged in a lightweight container:
+```
+mvn spring-boot:build-image
+docker-compose up
+```
+
+And then request the "/hello" or "/admin/hello" endpoints.
+
+```
+curl user:password@localhost:8080/hello
+```
+
+As an alternative, you can use `build.sh` (with a local GraalVM installation or combined with
+`run-dev-container.sh` at the root of `spring-graalvm-native` project). See also the related issue
+[Take advantage of Paketo dev-oriented images](https://github.com/spring-projects-experimental/spring-graalvm-native/issues/227).

spring-graalvm-native-samples/security-method/build.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+printf "=== ${BLUE}Building %s sample${NC} ===\n" "${PWD##*/}"
+./compile.sh && ${PWD%/*samples/*}/scripts/test.sh

spring-graalvm-native-samples/security-method/compile.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+ARTIFACT=security-method
+MAINCLASS=com.example.securingweb.SecuringWebApplication
+VERSION=0.0.1-SNAPSHOT
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+rm -rf target
+mkdir -p target/native-image
+
+echo "Packaging $ARTIFACT with Maven"
+mvn -ntp package > target/native-image/output.txt
+
+JAR="$ARTIFACT-$VERSION.jar"
+rm -f $ARTIFACT
+echo "Unpacking $JAR"
+cd target/native-image
+jar -xvf ../$JAR >/dev/null 2>&1
+cp -R META-INF BOOT-INF/classes
+
+LIBPATH=`find BOOT-INF/lib | tr '\n' ':'`
+CP=BOOT-INF/classes:$LIBPATH
+
+GRAALVM_VERSION=`native-image --version`
+echo "Compiling $ARTIFACT with $GRAALVM_VERSION"
+{ time native-image \
+  --verbose \
+  -H:Name=$ARTIFACT \
+  --enable-all-security-services \
+  -cp $CP $MAINCLASS >> output.txt ; } 2>> output.txt
+
+if [[ -f $ARTIFACT ]]
+then
+  cat output.txt
+  printf "${GREEN}SUCCESS${NC}\n"
+  mv ./$ARTIFACT ..
+  exit 0
+else
+  cat output.txt
+  printf "${RED}FAILURE${NC}: an error occurred when compiling the native-image.\n"
+  exit 1
+fi

spring-graalvm-native-samples/security-method/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '3.1'
+services:
+  security:
+    image: security:0.0.1-SNAPSHOT
+    ports:
+      - "8080:8080"

spring-graalvm-native-samples/security-method/pom.xml

@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.4.0</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+	<groupId>com.example</groupId>
+	<artifactId>security-method</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+				<configuration>
+					<image>
+						<builder>paketobuildpacks/builder:tiny</builder>
+						<env>
+							<BP_BOOT_NATIVE_IMAGE>1</BP_BOOT_NATIVE_IMAGE>
+							<!-- See https://github.com/spring-projects/spring-boot/issues/23132 -->
+							<BP_BOOT_NATIVE_IMAGE_BUILD_ARGUMENTS>
+								--enable-all-security-services
+							</BP_BOOT_NATIVE_IMAGE_BUILD_ARGUMENTS>
+						</env>
+					</image>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.experimental</groupId>
+			<artifactId>spring-graalvm-native</artifactId>
+			<version>0.8.3-SNAPSHOT</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-context-indexer</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.apache.tomcat.embed</groupId>
+					<artifactId>tomcat-embed-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.apache.tomcat.embed</groupId>
+					<artifactId>tomcat-embed-websocket</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.tomcat.experimental</groupId>
+			<artifactId>tomcat-embed-programmatic</artifactId>
+			<version>${tomcat.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<groupId>org.junit.vintage</groupId>
+					<artifactId>junit-vintage-engine</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+	</dependencies>
+
+	<pluginRepositories>
+		<pluginRepository>
+			<id>central</id>
+			<url>https://repo.maven.apache.org/maven2</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</pluginRepository>
+		<pluginRepository>
+			<id>spring-release</id>
+			<name>Spring release</name>
+			<url>https://repo.spring.io/release</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</pluginRepository>
+		<pluginRepository>
+			<id>spring-snapshot</id>
+			<name>Spring Snapshots</name>
+			<url>https://repo.spring.io/snapshot</url>
+			<snapshots>
+				<enabled>true</enabled>
+			</snapshots>
+		</pluginRepository>
+		<pluginRepository>
+			<id>spring-milestone</id>
+			<name>Spring Milestone</name>
+			<url>https://repo.spring.io/milestone</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</pluginRepository>
+	</pluginRepositories>
+	<repositories>
+		<repository>
+			<id>central</id>
+			<url>https://repo.maven.apache.org/maven2</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</repository>
+		<repository>
+			<id>spring-release</id>
+			<name>Spring release</name>
+			<url>https://repo.spring.io/release</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</repository>
+		<repository>
+			<id>spring-snapshot</id>
+			<name>Spring Snapshots</name>
+			<url>https://repo.spring.io/snapshot</url>
+			<snapshots>
+				<enabled>true</enabled>
+			</snapshots>
+		</repository>
+		<repository>
+			<id>spring-milestone</id>
+			<name>Spring Milestone</name>
+			<url>https://repo.spring.io/milestone</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+		</repository>
+	</repositories>
+
+	<profiles>
+		<profile>
+			<id>agent</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.graalvm.nativeimage</groupId>
+						<artifactId>native-image-maven-plugin</artifactId>
+						<version>20.2.0</version>
+						<configuration>
+							<mainClass>com.example.methodsecurity.MethodSecurityApplication</mainClass>
+							<imageName>security-method</imageName>
+							<buildArgs>-Dspring.native.remove-yaml-support=true</buildArgs>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>native-image</goal>
+								</goals>
+								<phase>package</phase>
+							</execution>
+						</executions>
+					</plugin>
+					<plugin>
+						<groupId>org.springframework.boot</groupId>
+						<artifactId>spring-boot-maven-plugin</artifactId>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>

spring-graalvm-native-samples/security-method/run_agent.sh

@@ -0,0 +1 @@
+java -agentlib:native-image-agent=experimental-class-loader-support,config-output-dir=src/main/resources/META-INF/native-image -jar target/security-method-0.0.1-SNAPSHOT.jar