Adjust Annotation Scanning

Closes spring-projectsgh-15097

Author: jzheaux

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java

@@ -17,7 +17,9 @@
 package org.springframework.security.authorization.method;
 
 import java.lang.annotation.Annotation;
+import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
+import java.util.function.Function;
 
 import org.springframework.security.core.annotation.AnnotationSynthesizers;
 
@@ -44,12 +46,16 @@
  */
 final class AuthorizationAnnotationUtils {
 
+	static <A extends Annotation> Function<AnnotatedElement, A> withDefaults(Class<A> type) {
+		return AnnotationSynthesizers.requireUnique(type)::synthesize;
+	}
+
 	static <A extends Annotation> A findUniqueAnnotation(Method method, Class<A> annotationType) {
-		return AnnotationSynthesizers.createDefault(annotationType).synthesize(method);
+		return AnnotationSynthesizers.requireUnique(annotationType).synthesize(method);
 	}
 
 	static <A extends Annotation> A findUniqueAnnotation(Class<?> type, Class<A> annotationType) {
-		return AnnotationSynthesizers.createDefault(annotationType).synthesize(type);
+		return AnnotationSynthesizers.requireUnique(annotationType).synthesize(type);
 	}
 
 	private AuthorizationAnnotationUtils() {

core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java

@@ -20,6 +20,7 @@
 import java.lang.reflect.Method;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.function.Supplier;
 
@@ -29,7 +30,6 @@
 import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.aop.support.AopUtils;
-import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.lang.NonNull;
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
@@ -54,9 +54,9 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
 	private static final Set<AnnotationSynthesizer<? extends Annotation>> JSR250_ANNOTATIONS = new HashSet<>();
 
 	static {
-		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.createDefault(DenyAll.class));
-		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.createDefault(PermitAll.class));
-		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.createDefault(RolesAllowed.class));
+		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.requireUnique(DenyAll.class));
+		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.requireUnique(PermitAll.class));
+		JSR250_ANNOTATIONS.add(AnnotationSynthesizers.requireUnique(RolesAllowed.class));
 	}
 
 	private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry();
@@ -104,6 +104,9 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Meth
 
 	private final class Jsr250AuthorizationManagerRegistry extends AbstractAuthorizationManagerRegistry {
 
+		private final AnnotationSynthesizer<?> synthesizer = AnnotationSynthesizers
+			.requireUnique(List.of(DenyAll.class, PermitAll.class, RolesAllowed.class));
+
 		@NonNull
 		@Override
 		AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> targetClass) {
@@ -123,45 +126,9 @@ AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> ta
 
 		private Annotation findJsr250Annotation(Method method, Class<?> targetClass) {
 			Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
-			Annotation annotation = findAnnotation(specificMethod);
-			return (annotation != null) ? annotation
-					: findAnnotation((targetClass != null) ? targetClass : specificMethod.getDeclaringClass());
-		}
-
-		private Annotation findAnnotation(Method method) {
-			Set<Annotation> annotations = new HashSet<>();
-			for (AnnotationSynthesizer<? extends Annotation> synthesizer : JSR250_ANNOTATIONS) {
-				Annotation annotation = synthesizer.synthesize(method);
-				if (annotation != null) {
-					annotations.add(annotation);
-				}
-			}
-			if (annotations.isEmpty()) {
-				return null;
-			}
-			if (annotations.size() > 1) {
-				throw new AnnotationConfigurationException(
-						"The JSR-250 specification disallows DenyAll, PermitAll, and RolesAllowed from appearing on the same method.");
-			}
-			return annotations.iterator().next();
-		}
-
-		private Annotation findAnnotation(Class<?> clazz) {
-			Set<Annotation> annotations = new HashSet<>();
-			for (AnnotationSynthesizer<? extends Annotation> synthesizer : JSR250_ANNOTATIONS) {
-				Annotation annotation = synthesizer.synthesize(clazz);
-				if (annotation != null) {
-					annotations.add(annotation);
-				}
-			}
-			if (annotations.isEmpty()) {
-				return null;
-			}
-			if (annotations.size() > 1) {
-				throw new AnnotationConfigurationException(
-						"The JSR-250 specification disallows DenyAll, PermitAll, and RolesAllowed from appearing on the same class definition.");
-			}
-			return annotations.iterator().next();
+			Annotation annotation = this.synthesizer.synthesize(specificMethod);// findAnnotation(specificMethod);
+			return (annotation != null) ? annotation : this.synthesizer
+				.synthesize((targetClass != null) ? targetClass : specificMethod.getDeclaringClass());
 		}
 
 		private Set<String> getAllowedRolesWithPrefix(RolesAllowed rolesAllowed) {

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java

@@ -42,12 +42,12 @@ final class PostAuthorizeExpressionAttributeRegistry extends AbstractExpressionA
 	private final MethodAuthorizationDeniedHandler defaultHandler = new ThrowingMethodAuthorizationDeniedHandler();
 
 	private final AnnotationSynthesizer<HandleAuthorizationDenied> handleAuthorizationDeniedSynthesizer = AnnotationSynthesizers
-		.createDefault(HandleAuthorizationDenied.class);
+		.requireUnique(HandleAuthorizationDenied.class);
 
 	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
 	private AnnotationSynthesizer<PostAuthorize> postAuthorizeSynthesizer = AnnotationSynthesizers
-		.createDefault(PostAuthorize.class);
+		.requireUnique(PostAuthorize.class);
 
 	PostAuthorizeExpressionAttributeRegistry() {
 		this.handlerResolver = (clazz) -> this.defaultHandler;
@@ -95,7 +95,7 @@ void setApplicationContext(ApplicationContext context) {
 	}
 
 	void setTemplateDefaults(PrePostTemplateDefaults templateDefaults) {
-		this.postAuthorizeSynthesizer = AnnotationSynthesizers.createDefault(PostAuthorize.class, templateDefaults);
+		this.postAuthorizeSynthesizer = AnnotationSynthesizers.requireUnique(PostAuthorize.class, templateDefaults);
 	}
 
 	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,

core/src/main/java/org/springframework/security/authorization/method/PostFilterExpressionAttributeRegistry.java

@@ -34,7 +34,7 @@
  */
 final class PostFilterExpressionAttributeRegistry extends AbstractExpressionAttributeRegistry<ExpressionAttribute> {
 
-	private AnnotationSynthesizer<PostFilter> synthesizer = AnnotationSynthesizers.createDefault(PostFilter.class);
+	private AnnotationSynthesizer<PostFilter> synthesizer = AnnotationSynthesizers.requireUnique(PostFilter.class);
 
 	@NonNull
 	@Override
@@ -50,7 +50,7 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 	}
 
 	void setTemplateDefaults(PrePostTemplateDefaults defaults) {
-		this.synthesizer = AnnotationSynthesizers.createDefault(PostFilter.class, defaults);
+		this.synthesizer = AnnotationSynthesizers.requireUnique(PostFilter.class, defaults);
 	}
 
 	private PostFilter findPostFilterAnnotation(Method method, Class<?> targetClass) {

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java

@@ -42,12 +42,12 @@ final class PreAuthorizeExpressionAttributeRegistry extends AbstractExpressionAt
 	private final MethodAuthorizationDeniedHandler defaultHandler = new ThrowingMethodAuthorizationDeniedHandler();
 
 	private final AnnotationSynthesizer<HandleAuthorizationDenied> handleAuthorizationDeniedSynthesizer = AnnotationSynthesizers
-		.createDefault(HandleAuthorizationDenied.class);
+		.requireUnique(HandleAuthorizationDenied.class);
 
 	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
 	private AnnotationSynthesizer<PreAuthorize> preAuthorizeSynthesizer = AnnotationSynthesizers
-		.createDefault(PreAuthorize.class);
+		.requireUnique(PreAuthorize.class);
 
 	PreAuthorizeExpressionAttributeRegistry() {
 		this.handlerResolver = (clazz) -> this.defaultHandler;
@@ -95,7 +95,7 @@ void setApplicationContext(ApplicationContext context) {
 	}
 
 	void setTemplateDefaults(PrePostTemplateDefaults defaults) {
-		this.preAuthorizeSynthesizer = AnnotationSynthesizers.createDefault(PreAuthorize.class, defaults);
+		this.preAuthorizeSynthesizer = AnnotationSynthesizers.requireUnique(PreAuthorize.class, defaults);
 	}
 
 	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,

core/src/main/java/org/springframework/security/authorization/method/PreFilterExpressionAttributeRegistry.java

@@ -35,7 +35,7 @@
 final class PreFilterExpressionAttributeRegistry
 		extends AbstractExpressionAttributeRegistry<PreFilterExpressionAttributeRegistry.PreFilterExpressionAttribute> {
 
-	private AnnotationSynthesizer<PreFilter> synthesizer = AnnotationSynthesizers.createDefault(PreFilter.class);
+	private AnnotationSynthesizer<PreFilter> synthesizer = AnnotationSynthesizers.requireUnique(PreFilter.class);
 
 	@NonNull
 	@Override
@@ -51,7 +51,7 @@ PreFilterExpressionAttribute resolveAttribute(Method method, Class<?> targetClas
 	}
 
 	void setTemplateDefaults(PrePostTemplateDefaults defaults) {
-		this.synthesizer = AnnotationSynthesizers.createDefault(PreFilter.class, defaults);
+		this.synthesizer = AnnotationSynthesizers.requireUnique(PreFilter.class, defaults);
 	}
 
 	private PreFilter findPreFilterAnnotation(Method method, Class<?> targetClass) {

core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java

@@ -52,7 +52,7 @@ public final class SecuredAuthorizationManager implements AuthorizationManager<M
 
 	private final Map<MethodClassKey, Set<String>> cachedAuthorities = new ConcurrentHashMap<>();
 
-	private final AnnotationSynthesizer<Secured> synthesizer = AnnotationSynthesizers.createDefault(Secured.class);
+	private final AnnotationSynthesizer<Secured> synthesizer = AnnotationSynthesizers.requireUnique(Secured.class);
 
 	/**
 	 * Sets an {@link AuthorizationManager} that accepts a collection of authority

core/src/main/java/org/springframework/security/core/annotation/AnnotationSynthesizer.java

@@ -19,6 +19,7 @@
 import java.lang.annotation.Annotation;
 import java.lang.reflect.AnnotatedElement;
 
+import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.lang.Nullable;
 
 /**
@@ -59,6 +60,14 @@ public interface AnnotationSynthesizer<A extends Annotation> {
 	 * @return the synthesized annotation or {@code null} if not found
 	 */
 	@Nullable
-	A synthesize(AnnotatedElement element);
+	default A synthesize(AnnotatedElement element) {
+		MergedAnnotation<A> annotation = merge(element);
+		if (annotation == null) {
+			return null;
+		}
+		return annotation.synthesize();
+	}
+
+	MergedAnnotation<A> merge(AnnotatedElement element);
 
 }

core/src/main/java/org/springframework/security/core/annotation/AnnotationSynthesizers.java

@@ -18,6 +18,8 @@
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.AnnotatedElement;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Factory for creating {@link AnnotationSynthesizer} instances.
@@ -31,38 +33,49 @@ private AnnotationSynthesizers() {
 	}
 
 	/**
-	 * Create a default {@link AnnotationSynthesizer} for the given annotation type.
-	 *
-	 * <p>
-	 * By default, uses an annotation synthsizer that ensures the annotation's uniqueness
-	 * on the {@link AnnotatedElement}.
+	 * Create a {@link AnnotationSynthesizer} that requires synthesized annotations to be
+	 * unique on the given {@link AnnotatedElement}.
 	 * @param type the annotation type
 	 * @param <A> the annotation type
 	 * @return the default {@link AnnotationSynthesizer}
 	 */
-	public static <A extends Annotation> AnnotationSynthesizer<A> createDefault(Class<A> type) {
+	public static <A extends Annotation> AnnotationSynthesizer<A> requireUnique(Class<A> type) {
 		return new UniqueMergedAnnotationSynthesizer<>(type);
 	}
 
 	/**
-	 * Create a default {@link AnnotationSynthesizer} for the given annotation type.
+	 * Create a {@link AnnotationSynthesizer} that requires synthesized annotations to be
+	 * unique on the given {@link AnnotatedElement}.
 	 *
 	 * <p>
 	 * When a {@link AnnotationTemplateExpressionDefaults} is provided, it will return a
-	 * synethsizer that supports placeholders in the annotation's attributes in addition
-	 * to the meta-annotation sythesizing provided by {@link #createDefault(Class)}.
+	 * synthesizer that supports placeholders in the annotation's attributes in addition
+	 * to the meta-annotation synthesizing provided by {@link #requireUnique(Class)}.
 	 * @param type the annotation type
 	 * @param templateDefaults the defaults for resolving placeholders in the annotation's
 	 * attributes
 	 * @param <A> the annotation type
 	 * @return the default {@link AnnotationSynthesizer}
 	 */
-	public static <A extends Annotation> AnnotationSynthesizer<A> createDefault(Class<A> type,
+	public static <A extends Annotation> AnnotationSynthesizer<A> requireUnique(Class<A> type,
 			AnnotationTemplateExpressionDefaults templateDefaults) {
 		if (templateDefaults == null) {
 			return new UniqueMergedAnnotationSynthesizer<>(type);
 		}
 		return new ExpressionTemplateAnnotationSynthesizer<>(type, templateDefaults);
 	}
 
+	/**
+	 * Create a {@link AnnotationSynthesizer} that requires synthesized annotations to be
+	 * unique on the given {@link AnnotatedElement}. Supplying multiple types implies that
+	 * the synthesized annotation must be unique across all specified types.
+	 * @param types the annotation types
+	 * @return the default {@link AnnotationSynthesizer}
+	 */
+	public static AnnotationSynthesizer<Annotation> requireUnique(List<Class<? extends Annotation>> types) {
+		List<Class<Annotation>> casted = new ArrayList<>();
+		types.forEach(type -> casted.add((Class<Annotation>) type));
+		return new UniqueMergedAnnotationSynthesizer<>(casted);
+	}
+
 }

core/src/main/java/org/springframework/security/core/annotation/ExpressionTemplateAnnotationSynthesizer.java

@@ -22,7 +22,6 @@
 import java.util.Map;
 
 import org.springframework.core.annotation.MergedAnnotation;
-import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.convert.support.DefaultConversionService;
 import org.springframework.util.Assert;
 import org.springframework.util.PropertyPlaceholderHelper;
@@ -64,7 +63,7 @@ final class ExpressionTemplateAnnotationSynthesizer<A extends Annotation> implem
 
 	private final AnnotationTemplateExpressionDefaults templateDefaults;
 
-	private final Map<AnnotatedElement, A> uniqueAnnotationCache = new HashMap<>();
+	private final Map<AnnotatedElement, MergedAnnotation<A>> uniqueAnnotationCache = new HashMap<>();
 
 	ExpressionTemplateAnnotationSynthesizer(Class<A> type, AnnotationTemplateExpressionDefaults templateDefaults) {
 		Assert.notNull(type, "type cannot be null");
@@ -75,17 +74,20 @@ final class ExpressionTemplateAnnotationSynthesizer<A extends Annotation> implem
 	}
 
 	@Override
-	public A synthesize(AnnotatedElement element) {
-		this.uniqueAnnotationCache.computeIfAbsent(element, this.unique::synthesize);
-		return resolvePlaceholders(MergedAnnotations.from(element).get(this.type));
+	public MergedAnnotation<A> merge(AnnotatedElement element) {
+		MergedAnnotation<A> annotation = this.uniqueAnnotationCache.computeIfAbsent(element, this.unique::merge);
+		if (annotation == null) {
+			return null;
+		}
+		return resolvePlaceholders(annotation);
 	}
 
-	private A resolvePlaceholders(MergedAnnotation<A> mergedAnnotation) {
+	private MergedAnnotation<A> resolvePlaceholders(MergedAnnotation<A> mergedAnnotation) {
 		if (this.templateDefaults == null) {
-			return mergedAnnotation.synthesize();
+			return mergedAnnotation;
 		}
 		if (mergedAnnotation.getMetaSource() == null) {
-			return mergedAnnotation.synthesize();
+			return mergedAnnotation;
 		}
 		PropertyPlaceholderHelper helper = new PropertyPlaceholderHelper("{", "}", null, null,
 				this.templateDefaults.isIgnoreUnknown());
@@ -109,7 +111,7 @@ private A resolvePlaceholders(MergedAnnotation<A> mergedAnnotation) {
 			properties.put(annotationProperty.getKey(), value);
 		}
 		AnnotatedElement annotatedElement = (AnnotatedElement) mergedAnnotation.getSource();
-		return MergedAnnotation.of(annotatedElement, this.type, properties).synthesize();
+		return MergedAnnotation.of(annotatedElement, this.type, properties);
 	}
 
 }