Update SecurityExpressionRoot to use AuthorizationManagerFactory

Signed-off-by: Steve Riesenberg <[email protected]>

Author: sjohnr

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,19 +17,18 @@
 package org.springframework.security.access.expression;
 
 import java.io.Serializable;
-import java.util.Collection;
-import java.util.Set;
 import java.util.function.Supplier;
 
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
-import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.function.SingletonSupplier;
 
@@ -42,15 +41,17 @@
  */
 public abstract class SecurityExpressionRoot implements SecurityExpressionOperations {
 
-	private final Supplier<Authentication> authentication;
+	private static final AuthorizationManagerFactory<Object> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
+
+	private static final Object DEFAULT_OBJECT = new Object();
 
-	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+	private final Supplier<Authentication> authentication;
 
-	private @Nullable RoleHierarchy roleHierarchy;
+	private final Object object;
 
-	private @Nullable Set<String> roles;
+	private @Nullable DefaultAuthorizationManagerFactory<Object> defaultAuthorizationManagerFactory;
 
-	private String defaultRolePrefix = "ROLE_";
+	private AuthorizationManagerFactory<Object> authorizationManagerFactory = DEFAULT_AUTHORIZATION_MANAGER_FACTORY;
 
 	/**
 	 * Allows "permitAll" expression
@@ -77,9 +78,11 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
 	/**
 	 * Creates a new instance
 	 * @param authentication the {@link Authentication} to use. Cannot be null.
+	 * @deprecated use {@link #SecurityExpressionRoot(Supplier, Object)} instead
 	 */
+	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Authentication authentication) {
-		this(() -> authentication);
+		this(() -> authentication, DEFAULT_OBJECT);
 	}
 
 	/**
@@ -88,44 +91,48 @@ public SecurityExpressionRoot(Authentication authentication) {
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to use.
 	 * Cannot be null.
 	 * @since 5.8
+	 * @deprecated use {@link #SecurityExpressionRoot(Supplier, Object)} instead
 	 */
+	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Supplier<Authentication> authentication) {
+		this(authentication, DEFAULT_OBJECT);
+	}
+
+	/**
+	 * Creates a new instance that uses lazy initialization of the {@link Authentication}
+	 * object.
+	 * @param authentication the {@link Supplier} of the {@link Authentication} to use.
+	 * Cannot be null.
+	 * @param object the object being authorized
+	 * @since 7.0
+	 */
+	public SecurityExpressionRoot(Supplier<Authentication> authentication, Object object) {
 		this.authentication = SingletonSupplier.of(() -> {
 			Authentication value = authentication.get();
 			Assert.notNull(value, "Authentication object cannot be null");
 			return value;
 		});
+		this.object = object;
 	}
 
 	@Override
 	public final boolean hasAuthority(String authority) {
-		return hasAnyAuthority(authority);
+		return isGranted(this.authorizationManagerFactory.hasAnyAuthority(authority));
 	}
 
 	@Override
 	public final boolean hasAnyAuthority(String... authorities) {
-		return hasAnyAuthorityName(null, authorities);
+		return isGranted(this.authorizationManagerFactory.hasAnyAuthority(authorities));
 	}
 
 	@Override
 	public final boolean hasRole(String role) {
-		return hasAnyRole(role);
+		return isGranted(this.authorizationManagerFactory.hasRole(role));
 	}
 
 	@Override
 	public final boolean hasAnyRole(String... roles) {
-		return hasAnyAuthorityName(this.defaultRolePrefix, roles);
-	}
-
-	private boolean hasAnyAuthorityName(@Nullable String prefix, String... roles) {
-		Set<String> roleSet = getAuthoritySet();
-		for (String role : roles) {
-			String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
-			if (roleSet.contains(defaultedRole)) {
-				return true;
-			}
-		}
-		return false;
+		return isGranted(this.authorizationManagerFactory.hasAnyRole(roles));
 	}
 
 	@Override
@@ -135,33 +142,37 @@ public final Authentication getAuthentication() {
 
 	@Override
 	public final boolean permitAll() {
-		return true;
+		return isGranted(this.authorizationManagerFactory.permitAll());
 	}
 
 	@Override
 	public final boolean denyAll() {
-		return false;
+		return isGranted(this.authorizationManagerFactory.denyAll());
 	}
 
 	@Override
 	public final boolean isAnonymous() {
-		return this.trustResolver.isAnonymous(getAuthentication());
+		return isGranted(this.authorizationManagerFactory.anonymous());
 	}
 
 	@Override
 	public final boolean isAuthenticated() {
-		return this.trustResolver.isAuthenticated(getAuthentication());
+		return isGranted(this.authorizationManagerFactory.authenticated());
 	}
 
 	@Override
 	public final boolean isRememberMe() {
-		return this.trustResolver.isRememberMe(getAuthentication());
+		return isGranted(this.authorizationManagerFactory.rememberMe());
 	}
 
 	@Override
 	public final boolean isFullyAuthenticated() {
-		Authentication authentication = getAuthentication();
-		return this.trustResolver.isFullyAuthenticated(authentication);
+		return isGranted(this.authorizationManagerFactory.fullyAuthenticated());
+	}
+
+	private boolean isGranted(AuthorizationManager<Object> authorizationManager) {
+		AuthorizationResult authorizationResult = authorizationManager.authorize(this.authentication, this.object);
+		return (authorizationResult != null && authorizationResult.isGranted());
 	}
 
 	/**
@@ -173,12 +184,22 @@ public final boolean isFullyAuthenticated() {
 		return getAuthentication().getPrincipal();
 	}
 
+	/**
+	 * @deprecated Use
+	 * {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
+	 */
+	@Deprecated(since = "7.0")
 	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
-		this.trustResolver = trustResolver;
+		getDefaultAuthorizationManagerFactory().setTrustResolver(trustResolver);
 	}
 
+	/**
+	 * @deprecated Use
+	 * {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
+	 */
+	@Deprecated(since = "7.0")
 	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
-		this.roleHierarchy = roleHierarchy;
+		getDefaultAuthorizationManagerFactory().setRoleHierarchy(roleHierarchy);
 	}
 
 	/**
@@ -193,20 +214,32 @@ public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
 	 * If null or empty, then no default role prefix is used.
 	 * </p>
 	 * @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
+	 * @deprecated Use
+	 * {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
 	 */
+	@Deprecated(since = "7.0")
 	public void setDefaultRolePrefix(String defaultRolePrefix) {
-		this.defaultRolePrefix = defaultRolePrefix;
+		getDefaultAuthorizationManagerFactory().setRolePrefix(defaultRolePrefix);
+	}
+
+	/**
+	 * Sets the {@link AuthorizationManagerFactory} to use for creating instances of
+	 * {@link AuthorizationManager}.
+	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use
+	 * @since 7.0
+	 */
+	public void setAuthorizationManagerFactory(AuthorizationManagerFactory<Object> authorizationManagerFactory) {
+		Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory cannot be null");
+		this.authorizationManagerFactory = authorizationManagerFactory;
 	}
 
-	private Set<String> getAuthoritySet() {
-		if (this.roles == null) {
-			Collection<? extends GrantedAuthority> userAuthorities = getAuthentication().getAuthorities();
-			if (this.roleHierarchy != null) {
-				userAuthorities = this.roleHierarchy.getReachableGrantedAuthorities(userAuthorities);
-			}
-			this.roles = AuthorityUtils.authorityListToSet(userAuthorities);
+	private DefaultAuthorizationManagerFactory<Object> getDefaultAuthorizationManagerFactory() {
+		if (this.defaultAuthorizationManagerFactory == null) {
+			this.defaultAuthorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
+			this.authorizationManagerFactory = this.defaultAuthorizationManagerFactory;
 		}
-		return this.roles;
+
+		return this.defaultAuthorizationManagerFactory;
 	}
 
 	@Override
@@ -225,24 +258,4 @@ public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
 		this.permissionEvaluator = permissionEvaluator;
 	}
 
-	/**
-	 * Prefixes role with defaultRolePrefix if defaultRolePrefix is non-null and if role
-	 * does not already start with defaultRolePrefix.
-	 * @param defaultRolePrefix
-	 * @param role
-	 * @return
-	 */
-	private static String getRoleWithDefaultPrefix(@Nullable String defaultRolePrefix, String role) {
-		if (role == null) {
-			return role;
-		}
-		if (defaultRolePrefix == null || defaultRolePrefix.length() == 0) {
-			return role;
-		}
-		if (role.startsWith(defaultRolePrefix)) {
-			return role;
-		}
-		return defaultRolePrefix + role;
-	}
-
 }