Move and share DefaultAuthorizationManagerFactory

Signed-off-by: Steve Riesenberg <[email protected]>

Author: sjohnr

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityAuthorizationManagerFactory.java

@@ -45,6 +45,7 @@
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.parameters.DefaultSecurityParameterNameDiscoverer;
 import org.springframework.util.Assert;
@@ -65,7 +66,7 @@ public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpr
 
 	protected final Log logger = LogFactory.getLog(getClass());
 
-	private final DefaultMethodSecurityAuthorizationManagerFactory defaultAuthorizationManagerFactory = new DefaultMethodSecurityAuthorizationManagerFactory();
+	private final DefaultAuthorizationManagerFactory<MethodInvocation> defaultAuthorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
 
 	private AuthorizationManagerFactory<MethodInvocation> authorizationManagerFactory = defaultAuthorizationManagerFactory;
 
@@ -226,7 +227,7 @@ private Object filterStream(final Stream<?> filterTarget, Expression filterExpre
 
 	/**
 	 * Sets the {@link AuthorizationManagerFactory} to be used. The default is
-	 * {@link DefaultMethodSecurityAuthorizationManagerFactory}.
+	 * {@link DefaultAuthorizationManagerFactory}.
 	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use.
 	 * Cannot be null.
 	 * @since 7.0

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java

@@ -27,6 +27,7 @@
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManagerFactory;
 import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 import org.springframework.util.function.SingletonSupplier;
@@ -41,7 +42,7 @@
  */
 final class MethodSecurityExpressionRoot implements MethodSecurityExpressionOperations {
 
-	private static final DefaultMethodSecurityAuthorizationManagerFactory DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultMethodSecurityAuthorizationManagerFactory();
+	private static final DefaultAuthorizationManagerFactory<MethodInvocation> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
 
 	private static final PermissionEvaluator DEFAULT_PERMISSION_EVALUATOR = new DenyAllPermissionEvaluator();
 

core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java

@@ -19,7 +19,7 @@
 /**
  * A factory for creating different kinds of {@link AuthorizationManager} instances.
  *
- * @param <T> the type of object that the authorization check is being done on.
+ * @param <T> the type of object that the authorization check is being done on
  * @author Steve Riesenberg
  * @since 7.0
  */

core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactory.java

@@ -0,0 +1,145 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.util.Assert;
+
+/**
+ * A factory for creating different kinds of {@link AuthorizationManager} instances.
+ *
+ * @param <T> the type of object that the authorization check is being done on
+ * @author Steve Riesenberg
+ * @since 7.0
+ */
+public final class DefaultAuthorizationManagerFactory<T> implements AuthorizationManagerFactory<T> {
+
+	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
+	private RoleHierarchy roleHierarchy = new NullRoleHierarchy();
+
+	private String rolePrefix = "ROLE_";
+
+	/**
+	 * Returns the {@link AuthenticationTrustResolver} used to check the user's
+	 * authentication.
+	 * @return the {@link AuthenticationTrustResolver}
+	 */
+	public AuthenticationTrustResolver getTrustResolver() {
+		return this.trustResolver;
+	}
+
+	/**
+	 * Sets the {@link AuthenticationTrustResolver} used to check the user's
+	 * authentication.
+	 * @param trustResolver the {@link AuthenticationTrustResolver} to use
+	 */
+	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
+		Assert.notNull(trustResolver, "trustResolver cannot be null");
+		this.trustResolver = trustResolver;
+	}
+
+	/**
+	 * Returns the {@link RoleHierarchy} used to discover reachable authorities.
+	 * @return the {@link RoleHierarchy}
+	 */
+	public RoleHierarchy getRoleHierarchy() {
+		return this.roleHierarchy;
+	}
+
+	/**
+	 * Sets the {@link RoleHierarchy} used to discover reachable authorities.
+	 * @param roleHierarchy the {@link RoleHierarchy} to use
+	 */
+	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
+		Assert.notNull(roleHierarchy, "roleHierarchy cannot be null");
+		this.roleHierarchy = roleHierarchy;
+	}
+
+	/**
+	 * Returns the prefix used to create an authority name from a role name.
+	 * @return the role prefix
+	 */
+	public String getRolePrefix() {
+		return this.rolePrefix;
+	}
+
+	/**
+	 * Sets the prefix used to create an authority name from a role name. Can be an empty
+	 * string.
+	 * @param rolePrefix the role prefix to use
+	 */
+	public void setRolePrefix(String rolePrefix) {
+		Assert.notNull(rolePrefix, "rolePrefix cannot be null");
+		this.rolePrefix = rolePrefix;
+	}
+
+	@Override
+	public AuthorizationManager<T> hasRole(String role) {
+		return hasAnyRole(role);
+	}
+
+	@Override
+	public AuthorizationManager<T> hasAnyRole(String... roles) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAnyRole(this.rolePrefix, roles));
+	}
+
+	@Override
+	public AuthorizationManager<T> hasAuthority(String authority) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAuthority(authority));
+	}
+
+	@Override
+	public AuthorizationManager<T> hasAnyAuthority(String... authorities) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAnyAuthority(authorities));
+	}
+
+	@Override
+	public AuthorizationManager<T> authenticated() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.authenticated());
+	}
+
+	@Override
+	public AuthorizationManager<T> fullyAuthenticated() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.fullyAuthenticated());
+	}
+
+	@Override
+	public AuthorizationManager<T> rememberMe() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.rememberMe());
+	}
+
+	@Override
+	public AuthorizationManager<T> anonymous() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.anonymous());
+	}
+
+	private AuthorityAuthorizationManager<T> withRoleHierarchy(AuthorityAuthorizationManager<T> authorizationManager) {
+		authorizationManager.setRoleHierarchy(this.roleHierarchy);
+		return authorizationManager;
+	}
+
+	private AuthenticatedAuthorizationManager<T> withTrustResolver(
+			AuthenticatedAuthorizationManager<T> authorizationManager) {
+		authorizationManager.setTrustResolver(this.trustResolver);
+		return authorizationManager;
+	}
+
+}

core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java

@@ -26,6 +26,7 @@
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.ExpressionUtils;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -58,7 +59,7 @@ public void createContext() {
 		this.ctx = new StandardEvaluationContext();
 		this.ctx.setRootObject(this.root);
 		this.trustResolver = mock(AuthenticationTrustResolver.class);
-		DefaultMethodSecurityAuthorizationManagerFactory authorizationManagerFactory = new DefaultMethodSecurityAuthorizationManagerFactory();
+		DefaultAuthorizationManagerFactory authorizationManagerFactory = new DefaultAuthorizationManagerFactory();
 		authorizationManagerFactory.setTrustResolver(this.trustResolver);
 		this.root.setAuthorizationManagerFactory(authorizationManagerFactory);
 	}