Add AspectJ AuthorizationManager Support

Closes gh-11326

Author: jzheaux

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/AbstractMethodInterceptorAspect.aj

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.prepost.PostAuthorize;
+
+/**
+ * Abstract AspectJ aspect for adapting a {@link MethodInvocation}
+ *
+ * @author Josh Cummings
+ * @since 5.8
+ */
+abstract aspect AbstractMethodInterceptorAspect {
+
+	protected abstract pointcut executionOfAnnotatedMethod();
+
+	private MethodInterceptor securityInterceptor;
+
+	Object around(): executionOfAnnotatedMethod() {
+		if (this.securityInterceptor == null) {
+			return proceed();
+		}
+		MethodInvocation invocation = new JoinPointMethodInvocation(thisJoinPoint, () -> proceed());
+		try {
+			return this.securityInterceptor.invoke(invocation);
+		} catch (Throwable t) {
+			throwUnchecked(t);
+			throw new IllegalStateException("Code unexpectedly reached", t);
+		}
+	}
+
+	public void setSecurityInterceptor(MethodInterceptor securityInterceptor) {
+		this.securityInterceptor = securityInterceptor;
+	}
+
+	private static void throwUnchecked(Throwable ex) {
+		AbstractMethodInterceptorAspect.<RuntimeException>throwAny(ex);
+	}
+
+	@SuppressWarnings("unchecked")
+	private static <E extends Throwable> void throwAny(Throwable ex) throws E {
+		throw (E) ex;
+	}
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/JoinPointMethodInvocation.aj

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.method.aspectj;
+
+import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Method;
+import java.util.function.Supplier;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.reflect.CodeSignature;
+
+import org.springframework.util.Assert;
+
+class JoinPointMethodInvocation implements MethodInvocation {
+
+	private final JoinPoint jp;
+
+	private final Method method;
+
+	private final Object target;
+
+	private final Supplier<Object> proceed;
+
+	JoinPointMethodInvocation(JoinPoint jp, Supplier<Object> proceed) {
+		this.jp = jp;
+		if (jp.getTarget() != null) {
+			this.target = jp.getTarget();
+		}
+		else {
+			// SEC-1295: target may be null if an ITD is in use
+			this.target = jp.getSignature().getDeclaringType();
+		}
+		String targetMethodName = jp.getStaticPart().getSignature().getName();
+		Class<?>[] types = ((CodeSignature) jp.getStaticPart().getSignature()).getParameterTypes();
+		Class<?> declaringType = jp.getStaticPart().getSignature().getDeclaringType();
+		this.method = findMethod(targetMethodName, declaringType, types);
+		Assert.notNull(this.method, () -> "Could not obtain target method from JoinPoint: '" + jp + "'");
+		this.proceed = proceed;
+	}
+
+	private Method findMethod(String name, Class<?> declaringType, Class<?>[] params) {
+		Method method = null;
+		try {
+			method = declaringType.getMethod(name, params);
+		}
+		catch (NoSuchMethodException ignored) {
+		}
+		if (method == null) {
+			try {
+				method = declaringType.getDeclaredMethod(name, params);
+			}
+			catch (NoSuchMethodException ignored) {
+			}
+		}
+		return method;
+	}
+
+	@Override
+	public Method getMethod() {
+		return this.method;
+	}
+
+	@Override
+	public Object[] getArguments() {
+		return this.jp.getArgs();
+	}
+
+	@Override
+	public AccessibleObject getStaticPart() {
+		return this.method;
+	}
+
+	@Override
+	public Object getThis() {
+		return this.target;
+	}
+
+	@Override
+	public Object proceed() throws Throwable {
+		return this.proceed.get();
+	}
+
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/PostAuthorizeAspect.aj

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.prepost.PostAuthorize;
+
+/**
+ * Concrete AspectJ aspect using Spring Security @PostAuthorize annotation.
+ *
+ * <p>
+ * When using this aspect, you <i>must</i> annotate the implementation class
+ * (and/or methods within that class), <i>not</i> the interface (if any) that
+ * the class implements. AspectJ follows Java's rule that annotations on
+ * interfaces are <i>not</i> inherited. This will vary from Spring AOP.
+ *
+ * @author Mike Wiesner
+ * @author Luke Taylor
+ * @author Josh Cummings
+ * @since 5.8
+ */
+public aspect PostAuthorizeAspect extends AbstractMethodInterceptorAspect {
+
+	/**
+	 * Matches the execution of any method with a PostAuthorize annotation.
+	 */
+	protected pointcut executionOfAnnotatedMethod() : execution(* *(..)) && @annotation(PostAuthorize);
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/PostFilterAspect.aj

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.prepost.PostFilter;
+
+/**
+ * Concrete AspectJ aspect using Spring Security @PostFilter annotation.
+ *
+ * <p>
+ * When using this aspect, you <i>must</i> annotate the implementation class
+ * (and/or methods within that class), <i>not</i> the interface (if any) that
+ * the class implements. AspectJ follows Java's rule that annotations on
+ * interfaces are <i>not</i> inherited. This will vary from Spring AOP.
+ *
+ * @author Mike Wiesner
+ * @author Luke Taylor
+ * @author Josh Cummings
+ * @since 5.8
+ */
+public aspect PostFilterAspect extends AbstractMethodInterceptorAspect {
+
+	/**
+	 * Matches the execution of any method with a PostFilter annotation.
+	 */
+	protected pointcut executionOfAnnotatedMethod() : execution(* *(..)) && @annotation(PostFilter);
+
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/PreAuthorizeAspect.aj

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.prepost.PreAuthorize;
+
+/**
+ * Concrete AspectJ aspect using Spring Security @PreAuthorize annotation.
+ *
+ * <p>
+ * When using this aspect, you <i>must</i> annotate the implementation class
+ * (and/or methods within that class), <i>not</i> the interface (if any) that
+ * the class implements. AspectJ follows Java's rule that annotations on
+ * interfaces are <i>not</i> inherited. This will vary from Spring AOP.
+ *
+ * @author Mike Wiesner
+ * @author Luke Taylor
+ * @author Josh Cummings
+ * @since 5.8
+ */
+public aspect PreAuthorizeAspect extends AbstractMethodInterceptorAspect {
+
+	/**
+	 * Matches the execution of any method with a PreAuthorize annotation.
+	 */
+	protected pointcut executionOfAnnotatedMethod() : execution(* *(..)) && @annotation(PreAuthorize);
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/PreFilterAspect.aj

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.prepost.PreFilter;
+
+/**
+ * Concrete AspectJ aspect using Spring Security @PreFilter annotation.
+ *
+ * <p>
+ * When using this aspect, you <i>must</i> annotate the implementation class
+ * (and/or methods within that class), <i>not</i> the interface (if any) that
+ * the class implements. AspectJ follows Java's rule that annotations on
+ * interfaces are <i>not</i> inherited. This will vary from Spring AOP.
+ *
+ * @author Mike Wiesner
+ * @author Luke Taylor
+ * @author Josh Cummings
+ * @since 5.8
+ */
+public aspect PreFilterAspect extends AbstractMethodInterceptorAspect {
+
+	/**
+	 * Matches the execution of any method with a PreFilter annotation.
+	 */
+	protected pointcut executionOfAnnotatedMethod() : execution(* *(..)) && @annotation(PreFilter);
+
+}

aspects/src/main/java/org/springframework/security/authorization/method/aspectj/SecuredAspect.aj

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authorization.method.aspectj;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.annotation.Secured;
+
+/**
+ * Concrete AspectJ aspect using Spring Security @Secured annotation.
+ *
+ * <p>
+ * When using this aspect, you <i>must</i> annotate the implementation class
+ * (and/or methods within that class), <i>not</i> the interface (if any) that
+ * the class implements. AspectJ follows Java's rule that annotations on
+ * interfaces are <i>not</i> inherited. This will vary from Spring AOP.
+ *
+ * @author Mike Wiesner
+ * @author Luke Taylor
+ * @author Josh Cummings
+ * @since 5.8
+ */
+public aspect SecuredAspect extends AbstractMethodInterceptorAspect {
+
+	/**
+	 * Matches the execution of any public method in a type with the Secured
+	 * annotation, or any subtype of a type with the Secured annotation.
+	 */
+	private pointcut executionOfAnyPublicMethodInAtSecuredType() :
+			execution(public * ((@Secured *)+).*(..)) && @this(Secured);
+
+	/**
+	 * Matches the execution of any method with the Secured annotation.
+	 */
+	private pointcut executionOfSecuredMethod() :
+			execution(* *(..)) && @annotation(Secured);
+
+	protected pointcut executionOfAnnotatedMethod() :
+			executionOfAnyPublicMethodInAtSecuredType() ||
+			executionOfSecuredMethod();
+}