Inject AuthorizationManagerFactory into DefaultMethodSecurityExpressionHandler

Signed-off-by: Steve Riesenberg <[email protected]>

Author: sjohnr

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -39,6 +39,7 @@
 import org.springframework.security.aot.hint.SecurityHintsRegistrar;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
@@ -121,6 +122,11 @@ void setRoleHierarchy(RoleHierarchy roleHierarchy) {
 		this.expressionHandler.setRoleHierarchy(roleHierarchy);
 	}
 
+	@Autowired(required = false)
+	void setAuthorizationManagerFactory(AuthorizationManagerFactory<MethodInvocation> authorizationManagerFactory) {
+		this.expressionHandler.setAuthorizationManagerFactory(authorizationManagerFactory);
+	}
+
 	@Autowired(required = false)
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults) {
 		this.preFilterMethodInterceptor.setTemplateDefaults(templateDefaults);

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityAuthorizationManagerFactory.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.access.expression.method;
+
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+
+/**
+ * A factory for creating {@link AuthorizationManager} instances for method security.
+ *
+ * @author Steve Riesenberg
+ * @since 7.0
+ */
+final class DefaultMethodSecurityAuthorizationManagerFactory implements AuthorizationManagerFactory<MethodInvocation> {
+
+	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
+	private RoleHierarchy roleHierarchy = new NullRoleHierarchy();
+
+	private String rolePrefix = "ROLE_";
+
+	AuthenticationTrustResolver getTrustResolver() {
+		return this.trustResolver;
+	}
+
+	void setTrustResolver(AuthenticationTrustResolver trustResolver) {
+		this.trustResolver = trustResolver;
+	}
+
+	RoleHierarchy getRoleHierarchy() {
+		return this.roleHierarchy;
+	}
+
+	void setRoleHierarchy(RoleHierarchy roleHierarchy) {
+		this.roleHierarchy = roleHierarchy;
+	}
+
+	String getRolePrefix() {
+		return this.rolePrefix;
+	}
+
+	void setRolePrefix(String rolePrefix) {
+		this.rolePrefix = rolePrefix;
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> hasRole(String role) {
+		return hasAnyRole(role);
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> hasAnyRole(String... roles) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAnyRole(this.rolePrefix, roles));
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> hasAuthority(String authority) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAuthority(authority));
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> hasAnyAuthority(String... authorities) {
+		return withRoleHierarchy(AuthorityAuthorizationManager.hasAnyAuthority(authorities));
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> authenticated() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.authenticated());
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> fullyAuthenticated() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.fullyAuthenticated());
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> rememberMe() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.rememberMe());
+	}
+
+	@Override
+	public AuthorizationManager<MethodInvocation> anonymous() {
+		return withTrustResolver(AuthenticatedAuthorizationManager.anonymous());
+	}
+
+	private AuthorityAuthorizationManager<MethodInvocation> withRoleHierarchy(
+			AuthorityAuthorizationManager<MethodInvocation> authorizationManager) {
+		authorizationManager.setRoleHierarchy(this.roleHierarchy);
+		return authorizationManager;
+	}
+
+	private AuthenticatedAuthorizationManager<MethodInvocation> withTrustResolver(
+			AuthenticatedAuthorizationManager<MethodInvocation> authorizationManager) {
+		authorizationManager.setTrustResolver(this.trustResolver);
+		return authorizationManager;
+	}
+
+}

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java

@@ -41,8 +41,10 @@
 import org.springframework.security.access.PermissionCacheOptimizer;
 import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
 import org.springframework.security.access.expression.ExpressionUtils;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.parameters.DefaultSecurityParameterNameDiscoverer;
 import org.springframework.util.Assert;
@@ -63,14 +65,14 @@ public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpr
 
 	protected final Log logger = LogFactory.getLog(getClass());
 
-	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+	private final DefaultMethodSecurityAuthorizationManagerFactory defaultAuthorizationManagerFactory = new DefaultMethodSecurityAuthorizationManagerFactory();
+
+	private AuthorizationManagerFactory<MethodInvocation> authorizationManagerFactory = defaultAuthorizationManagerFactory;
 
 	private ParameterNameDiscoverer parameterNameDiscoverer = new DefaultSecurityParameterNameDiscoverer();
 
 	private @Nullable PermissionCacheOptimizer permissionCacheOptimizer = null;
 
-	private String defaultRolePrefix = "ROLE_";
-
 	public DefaultMethodSecurityExpressionHandler() {
 	}
 
@@ -103,12 +105,10 @@ protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authen
 
 	private MethodSecurityExpressionOperations createSecurityExpressionRoot(Supplier<Authentication> authentication,
 			MethodInvocation invocation) {
-		MethodSecurityExpressionRoot root = new MethodSecurityExpressionRoot(authentication);
-		root.setThis(invocation.getThis());
+		MethodSecurityExpressionRoot root = new MethodSecurityExpressionRoot(authentication, invocation);
+		root.setAuthorizationManagerFactory(this.authorizationManagerFactory);
 		root.setPermissionEvaluator(getPermissionEvaluator());
-		root.setTrustResolver(getTrustResolver());
-		Optional.ofNullable(getRoleHierarchy()).ifPresent(root::setRoleHierarchy);
-		root.setDefaultRolePrefix(getDefaultRolePrefix());
+		root.setThis(invocation.getThis());
 		return root;
 	}
 
@@ -224,6 +224,19 @@ private Object filterStream(final Stream<?> filterTarget, Expression filterExpre
 		}).onClose(filterTarget::close);
 	}
 
+	/**
+	 * Sets the {@link AuthorizationManagerFactory} to be used. The default is
+	 * {@link DefaultMethodSecurityAuthorizationManagerFactory}.
+	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use.
+	 * Cannot be null.
+	 * @since 7.0
+	 */
+	public void setAuthorizationManagerFactory(
+			AuthorizationManagerFactory<MethodInvocation> authorizationManagerFactory) {
+		Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory cannot be null");
+		this.authorizationManagerFactory = authorizationManagerFactory;
+	}
+
 	/**
 	 * Sets the {@link AuthenticationTrustResolver} to be used. The default is
 	 * {@link AuthenticationTrustResolverImpl}.
@@ -232,14 +245,26 @@ private Object filterStream(final Stream<?> filterTarget, Expression filterExpre
 	 */
 	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		Assert.notNull(trustResolver, "trustResolver cannot be null");
-		this.trustResolver = trustResolver;
+		this.defaultAuthorizationManagerFactory.setTrustResolver(trustResolver);
 	}
 
 	/**
 	 * @return The current {@link AuthenticationTrustResolver}
 	 */
 	protected AuthenticationTrustResolver getTrustResolver() {
-		return this.trustResolver;
+		return this.defaultAuthorizationManagerFactory.getTrustResolver();
+	}
+
+	@Override
+	public void setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy) {
+		if (roleHierarchy != null) {
+			this.defaultAuthorizationManagerFactory.setRoleHierarchy(roleHierarchy);
+		}
+	}
+
+	@Override
+	protected @Nullable RoleHierarchy getRoleHierarchy() {
+		return this.defaultAuthorizationManagerFactory.getRoleHierarchy();
 	}
 
 	/**
@@ -288,14 +313,14 @@ public void setReturnObject(@Nullable Object returnObject, EvaluationContext ctx
 	 * @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
 	 */
 	public void setDefaultRolePrefix(String defaultRolePrefix) {
-		this.defaultRolePrefix = defaultRolePrefix;
+		this.defaultAuthorizationManagerFactory.setRolePrefix(defaultRolePrefix);
 	}
 
 	/**
 	 * @return The default role prefix
 	 */
 	protected String getDefaultRolePrefix() {
-		return this.defaultRolePrefix;
+		return this.defaultAuthorizationManagerFactory.getRolePrefix();
 	}
 
 }