Add AuthorizationManagerSecurityExpressionRoot

sjohnr · sjohnr · commit 2cea5f9fb4b5 · 2025-07-29T11:36:16.000-05:00
Signed-off-by: Steve Riesenberg &lt;5248162+sjohnr@users.noreply.github.com&gt;
diff --git a/core/src/main/java/org/springframework/security/access/expression/AuthorizationManagerSecurityExpressionRoot.java b/core/src/main/java/org/springframework/security/access/expression/AuthorizationManagerSecurityExpressionRoot.java
@@ -0,0 +1,184 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.access.expression;
+
+import java.io.Serializable;
+import java.util.function.Supplier;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+import org.springframework.util.function.SingletonSupplier;
+
+/**
+ * A security expression root object that delegates to {@link AuthorizationManager}
+ * instances.
+ *
+ * @param <T> the type of object that the authorization check is being done on
+ * @author Steve Riesenberg
+ * @since 7.0
+ */
+public class AuthorizationManagerSecurityExpressionRoot<T> implements SecurityExpressionOperations {
+
+	private static final DefaultAuthorizationManagerFactory<?> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
+
+	private static final PermissionEvaluator DEFAULT_PERMISSION_EVALUATOR = new DenyAllPermissionEvaluator();
+
+	private final Supplier<Authentication> authentication;
+
+	private final T object;
+
+	private AuthorizationManagerFactory<T> authorizationManagerFactory = defaultAuthorizationManagerFactory();
+
+	private PermissionEvaluator permissionEvaluator = DEFAULT_PERMISSION_EVALUATOR;
+
+	public final boolean permitAll = true;
+
+	public final boolean denyAll = false;
+
+	public final String read = "read";
+
+	public final String write = "write";
+
+	public final String create = "create";
+
+	public final String delete = "delete";
+
+	public final String admin = "administration";
+
+	/**
+	 * Creates a new instance.
+	 * @param authentication the {@link Authentication} to use. Cannot be null.
+	 * @param object the object that the authorization check is being done on
+	 */
+	public AuthorizationManagerSecurityExpressionRoot(Supplier<Authentication> authentication, T object) {
+		this.authentication = SingletonSupplier.of(() -> {
+			Authentication value = authentication.get();
+			Assert.notNull(value, "Authentication object cannot be null");
+			return value;
+		});
+		this.object = object;
+	}
+
+	@Override
+	public boolean permitAll() {
+		return isGranted(this.authorizationManagerFactory.permitAll());
+	}
+
+	@Override
+	public boolean denyAll() {
+		return isGranted(this.authorizationManagerFactory.denyAll());
+	}
+
+	@Override
+	public boolean hasRole(String role) {
+		return isGranted(this.authorizationManagerFactory.hasRole(role));
+	}
+
+	@Override
+	public boolean hasAnyRole(String... roles) {
+		return isGranted(this.authorizationManagerFactory.hasAnyRole(roles));
+	}
+
+	@Override
+	public boolean hasAuthority(String authority) {
+		return isGranted(this.authorizationManagerFactory.hasAuthority(authority));
+	}
+
+	@Override
+	public boolean hasAnyAuthority(String... authorities) {
+		return isGranted(this.authorizationManagerFactory.hasAnyAuthority(authorities));
+	}
+
+	@Override
+	public boolean isAnonymous() {
+		return isGranted(this.authorizationManagerFactory.anonymous());
+	}
+
+	@Override
+	public boolean isAuthenticated() {
+		return isGranted(this.authorizationManagerFactory.authenticated());
+	}
+
+	@Override
+	public boolean isRememberMe() {
+		return isGranted(this.authorizationManagerFactory.rememberMe());
+	}
+
+	@Override
+	public boolean isFullyAuthenticated() {
+		return isGranted(this.authorizationManagerFactory.fullyAuthenticated());
+	}
+
+	private boolean isGranted(AuthorizationManager<T> authorizationManager) {
+		AuthorizationResult authorizationResult = authorizationManager.authorize(this.authentication, this.object);
+		return (authorizationResult != null && authorizationResult.isGranted());
+	}
+
+	@Override
+	public boolean hasPermission(Object target, Object permission) {
+		return this.permissionEvaluator.hasPermission(getAuthentication(), target, permission);
+	}
+
+	@Override
+	public boolean hasPermission(Object targetId, String targetType, Object permission) {
+		return this.permissionEvaluator.hasPermission(getAuthentication(), (Serializable) targetId, targetType,
+				permission);
+	}
+
+	/**
+	 * Sets the {@link AuthorizationManagerFactory} to use for creating instances of
+	 * {@link AuthorizationManager}. The default is
+	 * {@link DefaultAuthorizationManagerFactory}.
+	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use
+	 */
+	public void setAuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory) {
+		Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory cannot be null");
+		this.authorizationManagerFactory = authorizationManagerFactory;
+	}
+
+	/**
+	 * Sets the {@link PermissionEvaluator} to use for evaluating permission checks on
+	 * domain objects.
+	 * @param permissionEvaluator the {@link PermissionEvaluator} to use
+	 */
+	public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
+		Assert.notNull(permissionEvaluator, "permissionEvaluator cannot be null");
+		this.permissionEvaluator = permissionEvaluator;
+	}
+
+	@Override
+	public Authentication getAuthentication() {
+		return this.authentication.get();
+	}
+
+	public @Nullable Object getPrincipal() {
+		return getAuthentication().getPrincipal();
+	}
+
+	@SuppressWarnings("unchecked")
+	private static <T> AuthorizationManagerFactory<T> defaultAuthorizationManagerFactory() {
+		return (AuthorizationManagerFactory<T>) DEFAULT_AUTHORIZATION_MANAGER_FACTORY;
+	}
+
+}
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java b/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java
@@ -59,6 +59,7 @@
  * @author Luke Taylor
  * @author Evgeniy Cheban
  * @author Blagoja Stamatovski
+ * @author Steve Riesenberg
  * @since 3.0
  */
 public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpressionHandler<MethodInvocation>
@@ -243,27 +244,39 @@ public void setAuthorizationManagerFactory(
 	 * {@link AuthenticationTrustResolverImpl}.
 	 * @param trustResolver the {@link AuthenticationTrustResolver} to use. Cannot be
 	 * null.
+	 * @deprecated use {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
 	 */
+	@Deprecated(since = "7.0")
 	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		Assert.notNull(trustResolver, "trustResolver cannot be null");
 		this.defaultAuthorizationManagerFactory.setTrustResolver(trustResolver);
 	}
 
 	/**
 	 * @return The current {@link AuthenticationTrustResolver}
+	 * @deprecated use {@link DefaultAuthorizationManagerFactory#getTrustResolver()} instead
 	 */
+	@Deprecated(since = "7.0")
 	protected AuthenticationTrustResolver getTrustResolver() {
 		return this.defaultAuthorizationManagerFactory.getTrustResolver();
 	}
 
+	/**
+	 * @deprecated use {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
+	 */
 	@Override
+	@Deprecated(since = "7.0")
 	public void setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy) {
 		if (roleHierarchy != null) {
 			this.defaultAuthorizationManagerFactory.setRoleHierarchy(roleHierarchy);
 		}
 	}
 
+	/**
+	 * @deprecated use {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
+	 */
 	@Override
+	@Deprecated(since = "7.0")
 	protected @Nullable RoleHierarchy getRoleHierarchy() {
 		return this.defaultAuthorizationManagerFactory.getRoleHierarchy();
 	}
@@ -312,14 +325,18 @@ public void setReturnObject(@Nullable Object returnObject, EvaluationContext ctx
 	 * If null or empty, then no default role prefix is used.
 	 * </p>
 	 * @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
+	 * @deprecated use {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
 	 */
+	@Deprecated(since = "7.0")
 	public void setDefaultRolePrefix(String defaultRolePrefix) {
 		this.defaultAuthorizationManagerFactory.setRolePrefix(defaultRolePrefix);
 	}
 
 	/**
 	 * @return The default role prefix
+	 * @deprecated use {@link DefaultAuthorizationManagerFactory#getRolePrefix()} instead
 	 */
+	@Deprecated(since = "7.0")
 	protected String getDefaultRolePrefix() {
 		return this.defaultAuthorizationManagerFactory.getRolePrefix();
 	}
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java
