Make SecurityExpressionRoot generic

Signed-off-by: Steve Riesenberg <[email protected]>

Author: sjohnr

core/src/main/java/org/springframework/security/access/expression/AbstractSecurityExpressionHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,8 @@
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -47,7 +49,9 @@ public abstract class AbstractSecurityExpressionHandler<T>
 
 	private @Nullable BeanResolver beanResolver;
 
-	private @Nullable RoleHierarchy roleHierarchy;
+	private final DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
+
+	private AuthorizationManagerFactory<T> authorizationManagerFactory = defaultAuthorizationManagerFactory;
 
 	private PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator();
 
@@ -105,12 +109,43 @@ protected StandardEvaluationContext createEvaluationContextInternal(Authenticati
 	protected abstract SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
 			T invocation);
 
+	/**
+	 * Sets the {@link AuthorizationManagerFactory} to be used. The default is
+	 * {@link DefaultAuthorizationManagerFactory}.
+	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use.
+	 * Cannot be null.
+	 * @since 7.0
+	 */
+	public final void setAuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory) {
+		Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory cannot be null");
+		this.authorizationManagerFactory = authorizationManagerFactory;
+	}
+
+	protected final AuthorizationManagerFactory<T> getAuthorizationManagerFactory() {
+		return this.authorizationManagerFactory;
+	}
+
+	protected final DefaultAuthorizationManagerFactory<T> getDefaultAuthorizationManagerFactory() {
+		return this.defaultAuthorizationManagerFactory;
+	}
+
+	/**
+	 * @deprecated Use {@link #getDefaultAuthorizationManagerFactory()} instead
+	 */
+	@Deprecated(since = "7.0")
 	protected @Nullable RoleHierarchy getRoleHierarchy() {
-		return this.roleHierarchy;
+		return this.defaultAuthorizationManagerFactory.getRoleHierarchy();
 	}
 
-	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
-		this.roleHierarchy = roleHierarchy;
+	/**
+	 * @deprecated Use
+	 * {@link #setAuthorizationManagerFactory(AuthorizationManagerFactory)} instead
+	 */
+	@Deprecated(since = "7.0")
+	public void setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy) {
+		if (roleHierarchy != null) {
+			this.defaultAuthorizationManagerFactory.setRoleHierarchy(roleHierarchy);
+		}
 	}
 
 	protected PermissionEvaluator getPermissionEvaluator() {

core/src/main/java/org/springframework/security/access/expression/AuthorizationManagerSecurityExpressionRoot.java

@@ -37,21 +37,20 @@
  *
  * @author Luke Taylor
  * @author Evgeniy Cheban
+ * @author Steve Riesenberg
  * @since 3.0
  */
-public abstract class SecurityExpressionRoot implements SecurityExpressionOperations {
+public abstract class SecurityExpressionRoot<T> implements SecurityExpressionOperations {
 
-	private static final AuthorizationManagerFactory<Object> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
-
-	private static final Object DEFAULT_OBJECT = new Object();
+	private static final AuthorizationManagerFactory<?> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
 
 	private final Supplier<Authentication> authentication;
 
-	private final Object object;
+	private final @Nullable T object;
 
-	private @Nullable DefaultAuthorizationManagerFactory<Object> defaultAuthorizationManagerFactory;
+	private @Nullable DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory;
 
-	private AuthorizationManagerFactory<Object> authorizationManagerFactory = DEFAULT_AUTHORIZATION_MANAGER_FACTORY;
+	private AuthorizationManagerFactory<T> authorizationManagerFactory = defaultAuthorizationManagerFactory();
 
 	/**
 	 * Allows "permitAll" expression
@@ -82,7 +81,7 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
 	 */
 	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Authentication authentication) {
-		this(() -> authentication, DEFAULT_OBJECT);
+		this(() -> authentication);
 	}
 
 	/**
@@ -95,7 +94,12 @@ public SecurityExpressionRoot(Authentication authentication) {
 	 */
 	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Supplier<Authentication> authentication) {
-		this(authentication, DEFAULT_OBJECT);
+		this.authentication = SingletonSupplier.of(() -> {
+			Authentication value = authentication.get();
+			Assert.notNull(value, "Authentication object cannot be null");
+			return value;
+		});
+		this.object = null;
 	}
 
 	/**
@@ -106,7 +110,7 @@ public SecurityExpressionRoot(Supplier<Authentication> authentication) {
 	 * @param object the object being authorized
 	 * @since 7.0
 	 */
-	public SecurityExpressionRoot(Supplier<Authentication> authentication, Object object) {
+	public SecurityExpressionRoot(Supplier<Authentication> authentication, T object) {
 		this.authentication = SingletonSupplier.of(() -> {
 			Authentication value = authentication.get();
 			Assert.notNull(value, "Authentication object cannot be null");
@@ -170,7 +174,8 @@ public final boolean isFullyAuthenticated() {
 		return isGranted(this.authorizationManagerFactory.fullyAuthenticated());
 	}
 
-	private boolean isGranted(AuthorizationManager<Object> authorizationManager) {
+	@SuppressWarnings("DataFlowIssue")
+	private boolean isGranted(AuthorizationManager<T> authorizationManager) {
 		AuthorizationResult authorizationResult = authorizationManager.authorize(this.authentication, this.object);
 		return (authorizationResult != null && authorizationResult.isGranted());
 	}
@@ -228,12 +233,12 @@ public void setDefaultRolePrefix(String defaultRolePrefix) {
 	 * @param authorizationManagerFactory the {@link AuthorizationManagerFactory} to use
 	 * @since 7.0
 	 */
-	public void setAuthorizationManagerFactory(AuthorizationManagerFactory<Object> authorizationManagerFactory) {
+	public void setAuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory) {
 		Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory cannot be null");
 		this.authorizationManagerFactory = authorizationManagerFactory;
 	}
 
-	private DefaultAuthorizationManagerFactory<Object> getDefaultAuthorizationManagerFactory() {
+	private DefaultAuthorizationManagerFactory<T> getDefaultAuthorizationManagerFactory() {
 		if (this.defaultAuthorizationManagerFactory == null) {
 			this.defaultAuthorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
 			this.authorizationManagerFactory = this.defaultAuthorizationManagerFactory;
@@ -258,4 +263,9 @@ public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
 		this.permissionEvaluator = permissionEvaluator;
 	}
 
+	@SuppressWarnings("unchecked")
+	private static <T> AuthorizationManagerFactory<T> defaultAuthorizationManagerFactory() {
+		return (AuthorizationManagerFactory<T>) DEFAULT_AUTHORIZATION_MANAGER_FACTORY;
+	}
+
 }