Support Meta-Annotation Parameters on Parameter Annotations

Closes-16248

Author: kse-music

core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java

@@ -18,6 +18,7 @@
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.AnnotatedElement;
+import java.lang.reflect.Executable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 import java.util.ArrayList;
@@ -83,6 +84,7 @@
  *
  * @param <A> the annotation to search for and synthesize
  * @author Josh Cummings
+ * @author DingHao
  * @since 6.4
  */
 final class UniqueSecurityAnnotationScanner<A extends Annotation> extends AbstractSecurityAnnotationScanner<A> {
@@ -107,7 +109,7 @@ final class UniqueSecurityAnnotationScanner<A extends Annotation> extends Abstra
 	MergedAnnotation<A> merge(AnnotatedElement element, Class<?> targetClass) {
 		if (element instanceof Parameter parameter) {
 			return this.uniqueParameterAnnotationCache.computeIfAbsent(parameter, (p) -> {
-				List<MergedAnnotation<A>> annotations = findDirectAnnotations(p);
+				List<MergedAnnotation<A>> annotations = findParameterAnnotations(p);
 				return requireUnique(p, annotations);
 			});
 		}
@@ -137,6 +139,50 @@ private MergedAnnotation<A> requireUnique(AnnotatedElement element, List<MergedA
 		};
 	}
 
+	private List<MergedAnnotation<A>> findParameterAnnotations(Parameter current) {
+		List<MergedAnnotation<A>> directAnnotations = findDirectAnnotations(current);
+		if (!directAnnotations.isEmpty()) {
+			return directAnnotations;
+		}
+		directAnnotations = new ArrayList<>(findDirectAnnotations(current));
+		Executable executable = current.getDeclaringExecutable();
+		if (executable instanceof Method method) {
+			Class<?> clazz = method.getDeclaringClass();
+			Set<Class<?>> visited = new HashSet<>();
+			while (clazz != null && visited.add(clazz)) {
+				for (Class<?> ifc : clazz.getInterfaces()) {
+					directAnnotations.addAll(findParameterAnnotations(method, ifc, current));
+				}
+				clazz = clazz.getSuperclass();
+				if (clazz == Object.class) {
+					clazz = null;
+				}
+				if (clazz != null && visited.add(clazz)) {
+					directAnnotations.addAll(findParameterAnnotations(method, clazz, current));
+				}
+			}
+		}
+		return directAnnotations;
+	}
+
+	private List<MergedAnnotation<A>> findParameterAnnotations(Method method, Class<?> superOrIfc, Parameter current) {
+		try {
+			Method methodToUse = superOrIfc.getDeclaredMethod(method.getName(), method.getParameterTypes());
+			for (Parameter parameter : methodToUse.getParameters()) {
+				if (parameter.getName().equals(current.getName())) {
+					List<MergedAnnotation<A>> directAnnotations = findDirectAnnotations(parameter);
+					if (!directAnnotations.isEmpty()) {
+						return directAnnotations;
+					}
+				}
+			}
+		}
+		catch (NoSuchMethodException ex) {
+			// move on
+		}
+		return Collections.emptyList();
+	}
+
 	private List<MergedAnnotation<A>> findMethodAnnotations(Method method, Class<?> targetClass) {
 		// The method may be on an interface, but we need attributes from the target
 		// class.

core/src/test/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScannerTests.java

@@ -16,7 +16,13 @@
 
 package org.springframework.security.core.annotation;
 
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import java.lang.reflect.Method;
+import java.lang.reflect.Parameter;
+import java.util.List;
 
 import org.junit.jupiter.api.Test;
 
@@ -34,6 +40,9 @@ public class UniqueSecurityAnnotationScannerTests {
 	private UniqueSecurityAnnotationScanner<PreAuthorize> scanner = new UniqueSecurityAnnotationScanner<>(
 			PreAuthorize.class);
 
+	private UniqueSecurityAnnotationScanner<CustomParameterAnnotation> parameterScanner = new UniqueSecurityAnnotationScanner<>(
+			CustomParameterAnnotation.class);
+
 	@Test
 	void scanWhenAnnotationOnInterfaceThenResolves() throws Exception {
 		Method method = AnnotationOnInterface.class.getDeclaredMethod("method");
@@ -251,6 +260,77 @@ void scanWhenClassInheritingAbstractClassNoAnnotationsThenNoAnnotation() throws
 		assertThat(preAuthorize).isNull();
 	}
 
+	@Test
+	void scanParameterAnnotationWhenAnnotationOnInterface() throws Exception {
+		Parameter parameter = UserService.class.getDeclaredMethod("add", String.class).getParameters()[0];
+		CustomParameterAnnotation customParameterAnnotation = this.parameterScanner.scan(parameter);
+		assertThat(customParameterAnnotation.value()).isEqualTo("one");
+	}
+
+	@Test
+	void scanParameterAnnotationWhenClassInheritingInterfaceAnnotation() throws Exception {
+		Parameter parameter = UserServiceImpl.class.getDeclaredMethod("add", String.class).getParameters()[0];
+		CustomParameterAnnotation customParameterAnnotation = this.parameterScanner.scan(parameter);
+		assertThat(customParameterAnnotation.value()).isEqualTo("one");
+	}
+
+	@Test
+	void scanParameterAnnotationWhenClassOverridingMethodOverridingInterface() throws Exception {
+		Parameter parameter = UserServiceImpl.class.getDeclaredMethod("get", String.class).getParameters()[0];
+		CustomParameterAnnotation customParameterAnnotation = this.parameterScanner.scan(parameter);
+		assertThat(customParameterAnnotation.value()).isEqualTo("five");
+	}
+
+	@Test
+	void scanParameterAnnotationWhenMultipleMethodInheritanceThenException() throws Exception {
+		Parameter parameter = UserServiceImpl.class.getDeclaredMethod("list", String.class).getParameters()[0];
+		assertThatExceptionOfType(AnnotationConfigurationException.class)
+			.isThrownBy(() -> this.parameterScanner.scan(parameter));
+	}
+
+	interface UserService {
+
+		void add(@CustomParameterAnnotation("one") String user);
+
+		List<String> list(@CustomParameterAnnotation("two") String user);
+
+		String get(@CustomParameterAnnotation("three") String user);
+
+	}
+
+	interface OtherUserService {
+
+		List<String> list(@CustomParameterAnnotation("four") String user);
+
+	}
+
+	static class UserServiceImpl implements UserService, OtherUserService {
+
+		@Override
+		public void add(String user) {
+
+		}
+
+		@Override
+		public List<String> list(String user) {
+			return List.of(user);
+		}
+
+		@Override
+		public String get(@CustomParameterAnnotation("five") String user) {
+			return user;
+		}
+
+	}
+
+	@Target({ ElementType.PARAMETER })
+	@Retention(RetentionPolicy.RUNTIME)
+	@interface CustomParameterAnnotation {
+
+		String value();
+
+	}
+
 	@PreAuthorize("one")
 	private interface AnnotationOnInterface {
 

messaging/src/main/java/org/springframework/security/messaging/context/AuthenticationPrincipalArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.messaging.context;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.core.MethodParameter;
 import org.springframework.expression.Expression;
@@ -95,8 +93,6 @@ public final class AuthenticationPrincipalArgumentResolver implements HandlerMet
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
 		.getContextHolderStrategy();
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<AuthenticationPrincipal> scanner = SecurityAnnotationScanners
@@ -164,8 +160,7 @@ public void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDef
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

messaging/src/main/java/org/springframework/security/messaging/handler/invocation/reactive/AuthenticationPrincipalArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.messaging.handler.invocation.reactive;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Mono;
@@ -99,8 +97,6 @@
  */
 public class AuthenticationPrincipalArgumentResolver implements HandlerMethodArgumentResolver {
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<AuthenticationPrincipal> scanner = SecurityAnnotationScanners
@@ -205,8 +201,7 @@ public void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDef
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

messaging/src/main/java/org/springframework/security/messaging/handler/invocation/reactive/CurrentSecurityContextArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.messaging.handler.invocation.reactive;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Mono;
@@ -97,8 +95,6 @@
  */
 public class CurrentSecurityContextArgumentResolver implements HandlerMethodArgumentResolver {
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<CurrentSecurityContext> scanner = SecurityAnnotationScanners
@@ -222,8 +218,7 @@ public void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDef
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

web/src/main/java/org/springframework/security/web/method/annotation/AuthenticationPrincipalArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.web.method.annotation;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.core.MethodParameter;
 import org.springframework.expression.BeanResolver;
@@ -98,8 +96,6 @@ public final class AuthenticationPrincipalArgumentResolver implements HandlerMet
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
 		.getContextHolderStrategy();
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<AuthenticationPrincipal> scanner = SecurityAnnotationScanners
@@ -179,8 +175,7 @@ public void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDef
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

web/src/main/java/org/springframework/security/web/method/annotation/CurrentSecurityContextArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.web.method.annotation;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.core.MethodParameter;
 import org.springframework.expression.BeanResolver;
@@ -84,8 +82,6 @@ public final class CurrentSecurityContextArgumentResolver implements HandlerMeth
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
 		.getContextHolderStrategy();
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<CurrentSecurityContext> scanner = SecurityAnnotationScanners
@@ -177,8 +173,7 @@ private Object resolveSecurityContextFromAnnotation(MethodParameter parameter, C
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

web/src/main/java/org/springframework/security/web/reactive/result/method/annotation/AuthenticationPrincipalArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.web.reactive.result.method.annotation;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Mono;
@@ -53,8 +51,6 @@
  */
 public class AuthenticationPrincipalArgumentResolver extends HandlerMethodArgumentResolverSupport {
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<AuthenticationPrincipal> scanner = SecurityAnnotationScanners
@@ -149,8 +145,7 @@ public void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDef
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }

web/src/main/java/org/springframework/security/web/reactive/result/method/annotation/CurrentSecurityContextArgumentResolver.java

@@ -17,8 +17,6 @@
 package org.springframework.security.web.reactive.result.method.annotation;
 
 import java.lang.annotation.Annotation;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Mono;
@@ -53,8 +51,6 @@
  */
 public class CurrentSecurityContextArgumentResolver extends HandlerMethodArgumentResolverSupport {
 
-	private final Map<MethodParameter, Annotation> cachedAttributes = new ConcurrentHashMap<>();
-
 	private ExpressionParser parser = new SpelExpressionParser();
 
 	private SecurityAnnotationScanner<CurrentSecurityContext> scanner = SecurityAnnotationScanners
@@ -189,8 +185,7 @@ private boolean isInvalidType(MethodParameter parameter, Object reactiveSecurity
 	 */
 	@SuppressWarnings("unchecked")
 	private <T extends Annotation> T findMethodAnnotation(MethodParameter parameter) {
-		return (T) this.cachedAttributes.computeIfAbsent(parameter,
-				(methodParameter) -> this.scanner.scan(methodParameter.getParameter()));
+		return (T) this.scanner.scan(parameter.getParameter());
 	}
 
 }