Add Expirable Authorities

Allowing individual authorities to expire offers enormous flexibility
as far as granting authorities that need to be renewed independently
from logging in.

Author: jzheaux

config/src/test/java/org/springframework/security/SerializationSamples.java

@@ -92,6 +92,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.ExpirableGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.context.TransientSecurityContext;
@@ -375,6 +376,8 @@ final class SerializationSamples {
 		generatorByClassName.put(AlreadyBuiltException.class, (r) -> new AlreadyBuiltException("message"));
 
 		// core
+		generatorByClassName.put(ExpirableGrantedAuthority.class,
+				(r) -> new ExpirableGrantedAuthority("a", Instant.now()));
 		generatorByClassName.put(RunAsUserToken.class, (r) -> {
 			RunAsUserToken token = new RunAsUserToken("key", user, "creds", user.getAuthorities(),
 					AnonymousAuthenticationToken.class);

config/src/test/resources/serialized/7.0.x/org.springframework.security.core.authority.ExpirableGrantedAuthority.serialized

@@ -18,7 +18,6 @@
 
 import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 import java.util.function.Supplier;
 
@@ -90,10 +89,16 @@ public AuthorizationResult authorize(Supplier<Authentication> authentication, Co
 	}
 
 	private Collection<GrantedAuthority> getGrantedAuthorities(Authentication authentication) {
+		Collection<GrantedAuthority> authorities = new HashSet<>();
 		if (authentication == null) {
-			return List.of();
+			return authorities;
 		}
-		return new HashSet<>(this.roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities()));
+		for (GrantedAuthority authority : authentication.getAuthorities()) {
+			if (authority.isGranted()) {
+				authorities.add(authority);
+			}
+		}
+		return new HashSet<>(this.roleHierarchy.getReachableGrantedAuthorities(authorities));
 	}
 
 }

core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java

@@ -48,4 +48,8 @@ public interface GrantedAuthority extends Serializable {
 	 */
 	String getAuthority();
 
+	default boolean isGranted() {
+		return true;
+	}
+
 }

core/src/main/java/org/springframework/security/core/GrantedAuthority.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.authority;
+
+import java.io.Serial;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Objects;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.util.Assert;
+
+public final class ExpirableGrantedAuthority implements GrantedAuthority {
+
+	@Serial
+	private static final long serialVersionUID = 4168993944484835205L;
+
+	private final String authority;
+
+	private final Instant expiresAt;
+
+	private Clock clock = Clock.systemUTC();
+
+	public ExpirableGrantedAuthority(String authority, Instant expiresAt) {
+		Assert.notNull(authority, "authority cannot be null");
+		Assert.notNull(expiresAt, "expiresAt cannot be null");
+		this.authority = authority;
+		this.expiresAt = expiresAt;
+	}
+
+	@Override
+	public String getAuthority() {
+		return this.authority;
+	}
+
+	@Override
+	public boolean isGranted() {
+		return this.clock.instant().isAfter(this.expiresAt);
+	}
+
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (!(o instanceof GrantedAuthority that)) {
+			return false;
+		}
+		return Objects.equals(this.authority, that.getAuthority());
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hashCode(this.authority);
+	}
+
+}