Revert "Support SpEL Returning AuthorizationDecision"

This reverts commit 77f2977.

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationAuthorizationManager.java

@@ -19,30 +19,18 @@
 import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ObservationAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.function.SingletonSupplier;
 
-final class DeferringObservationAuthorizationManager<T>
-		implements AuthorizationManager<T>, MethodAuthorizationDeniedHandler, MethodAuthorizationDeniedPostProcessor {
+final class DeferringObservationAuthorizationManager<T> implements AuthorizationManager<T> {
 
 	private final Supplier<AuthorizationManager<T>> delegate;
 
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	private MethodAuthorizationDeniedPostProcessor postProcessor = new ThrowingMethodAuthorizationDeniedPostProcessor();
-
 	DeferringObservationAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
 			AuthorizationManager<T> delegate) {
 		this.delegate = SingletonSupplier.of(() -> {
@@ -52,28 +40,11 @@ final class DeferringObservationAuthorizationManager<T>
 			}
 			return new ObservationAuthorizationManager<>(registry, delegate);
 		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-		if (delegate instanceof MethodAuthorizationDeniedPostProcessor p) {
-			this.postProcessor = p;
-		}
 	}
 
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
 		return this.delegate.get().check(authentication, object);
 	}
 
-	@Override
-	public Object handle(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handle(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object postProcessResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.postProcessor.postProcessResult(methodInvocationResult, authorizationResult);
-	}
-
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java

@@ -19,31 +19,19 @@
 import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
-import org.aopalliance.intercept.MethodInvocation;
 import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
-import org.springframework.security.authorization.method.MethodInvocationResult;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.function.SingletonSupplier;
 
-final class DeferringObservationReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T>,
-		MethodAuthorizationDeniedHandler, MethodAuthorizationDeniedPostProcessor {
+final class DeferringObservationReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
 
 	private final Supplier<ReactiveAuthorizationManager<T>> delegate;
 
-	private MethodAuthorizationDeniedHandler handler = new ThrowingMethodAuthorizationDeniedHandler();
-
-	private MethodAuthorizationDeniedPostProcessor postProcessor = new ThrowingMethodAuthorizationDeniedPostProcessor();
-
 	DeferringObservationReactiveAuthorizationManager(ObjectProvider<ObservationRegistry> provider,
 			ReactiveAuthorizationManager<T> delegate) {
 		this.delegate = SingletonSupplier.of(() -> {
@@ -53,28 +41,11 @@ final class DeferringObservationReactiveAuthorizationManager<T> implements React
 			}
 			return new ObservationReactiveAuthorizationManager<>(registry, delegate);
 		});
-		if (delegate instanceof MethodAuthorizationDeniedHandler h) {
-			this.handler = h;
-		}
-		if (delegate instanceof MethodAuthorizationDeniedPostProcessor p) {
-			this.postProcessor = p;
-		}
 	}
 
 	@Override
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
 		return this.delegate.get().check(authentication, object);
 	}
 
-	@Override
-	public Object handle(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
-		return this.handler.handle(methodInvocation, authorizationResult);
-	}
-
-	@Override
-	public Object postProcessResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationResult authorizationResult) {
-		return this.postProcessor.postProcessResult(methodInvocationResult, authorizationResult);
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java

@@ -18,8 +18,6 @@
 
 import reactor.core.publisher.Mono;
 
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 
@@ -47,20 +45,4 @@ public boolean check(Authentication authentication, String message) {
 		return message != null && message.contains(authentication.getName());
 	}
 
-	public AuthorizationResult checkResult(boolean result) {
-		return new AuthzResult(result);
-	}
-
-	public Mono<AuthorizationResult> checkReactiveResult(boolean result) {
-		return Mono.just(checkResult(result));
-	}
-
-	public static class AuthzResult extends AuthorizationDecision {
-
-		public AuthzResult(boolean granted) {
-			super(granted);
-		}
-
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java

@@ -173,11 +173,6 @@ public interface MethodSecurityService {
 	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = UserFallbackDeniedHandler.class)
 	UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized();
 
-	@PreAuthorize(value = "@authz.checkResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
-	@PostAuthorize(value = "@authz.checkResult(!#result)",
-			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
-	String checkCustomResult(boolean result);
-
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceConfig.java

@@ -28,14 +28,4 @@ MethodSecurityService service() {
 		return new MethodSecurityServiceImpl();
 	}
 
-	@Bean
-	ReactiveMethodSecurityService reactiveService() {
-		return new ReactiveMethodSecurityServiceImpl();
-	}
-
-	@Bean
-	Authz authz() {
-		return new Authz();
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.java

@@ -197,9 +197,4 @@ public UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized() {
 		return new UserRecordWithEmailProtected("username", "[email protected]");
 	}
 
-	@Override
-	public String checkCustomResult(boolean result) {
-		return "ok";
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -66,8 +66,6 @@
 import org.springframework.security.authorization.method.AuthorizationInterceptorsOrder;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.Customizer;
@@ -94,8 +92,6 @@
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyNoInteractions;
-import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link PrePostMethodSecurityConfiguration}.
@@ -929,23 +925,6 @@ void getUserWhenNotAuthorizedAndHandlerFallbackValueThenReturnFallbackValue() {
 		assertThat(user.name()).isEqualTo("Protected");
 	}
 
-	@Test
-	@WithMockUser
-	void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
-		this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
-		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
-		MethodAuthorizationDeniedHandler handler = this.spring.getContext()
-			.getBean(MethodAuthorizationDeniedHandler.class);
-		MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
-			.getBean(MethodAuthorizationDeniedPostProcessor.class);
-		assertThat(service.checkCustomResult(false)).isNull();
-		verify(handler).handle(any(), any(Authz.AuthzResult.class));
-		verifyNoInteractions(postProcessor);
-		assertThat(service.checkCustomResult(true)).isNull();
-		verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
-		verifyNoMoreInteractions(handler);
-	}
-
 	private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
 		return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
 	}
@@ -1470,23 +1449,4 @@ public String getName() {
 
 	}
 
-	@EnableMethodSecurity
-	static class CustomResultConfig {
-
-		MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
-
-		MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
-
-		@Bean
-		MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
-			return this.handler;
-		}
-
-		@Bean
-		MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
-			return this.postProcessor;
-		}
-
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfigurationTests.java

@@ -47,23 +47,15 @@
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
-import org.springframework.security.test.context.support.WithMockUser;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyNoInteractions;
-import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * @author Tadaya Tsuyukubo
@@ -73,7 +65,7 @@ public class ReactiveMethodSecurityConfigurationTests {
 
 	public final SpringTestContext spring = new SpringTestContext(this);
 
-	@Autowired(required = false)
+	@Autowired
 	DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler;
 
 	@Test
@@ -220,23 +212,6 @@ public void findAllWhenNestedPreAuthorizeThenAuthorizes() {
 			.verifyError(AccessDeniedException.class);
 	}
 
-	@Test
-	@WithMockUser
-	void getUserWhenNotAuthorizedThenHandlerUsesCustomAuthorizationDecision() {
-		this.spring.register(MethodSecurityServiceConfig.class, CustomResultConfig.class).autowire();
-		ReactiveMethodSecurityService service = this.spring.getContext().getBean(ReactiveMethodSecurityService.class);
-		MethodAuthorizationDeniedHandler handler = this.spring.getContext()
-			.getBean(MethodAuthorizationDeniedHandler.class);
-		MethodAuthorizationDeniedPostProcessor postProcessor = this.spring.getContext()
-			.getBean(MethodAuthorizationDeniedPostProcessor.class);
-		assertThat(service.checkCustomResult(false).block()).isNull();
-		verify(handler).handle(any(), any(Authz.AuthzResult.class));
-		verifyNoInteractions(postProcessor);
-		assertThat(service.checkCustomResult(true).block()).isNull();
-		verify(postProcessor).postProcessResult(any(), any(Authz.AuthzResult.class));
-		verifyNoMoreInteractions(handler);
-	}
-
 	private static Consumer<User.UserBuilder> authorities(String... authorities) {
 		return (builder) -> builder.authorities(authorities);
 	}
@@ -378,23 +353,4 @@ public Mono<String> getName() {
 
 	}
 
-	@EnableReactiveMethodSecurity
-	static class CustomResultConfig {
-
-		MethodAuthorizationDeniedHandler handler = mock(MethodAuthorizationDeniedHandler.class);
-
-		MethodAuthorizationDeniedPostProcessor postProcessor = mock(MethodAuthorizationDeniedPostProcessor.class);
-
-		@Bean
-		MethodAuthorizationDeniedHandler methodAuthorizationDeniedHandler() {
-			return this.handler;
-		}
-
-		@Bean
-		MethodAuthorizationDeniedPostProcessor methodAuthorizationDeniedPostProcessor() {
-			return this.postProcessor;
-		}
-
-	}
-
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java

@@ -85,11 +85,6 @@ public interface ReactiveMethodSecurityService {
 	@Mask(expression = "@myMasker.getMask(returnObject)")
 	Mono<String> postAuthorizeWithMaskAnnotationUsingBean();
 
-	@PreAuthorize(value = "@authz.checkReactiveResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
-	@PostAuthorize(value = "@authz.checkReactiveResult(!#result)",
-			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
-	Mono<String> checkCustomResult(boolean result);
-
 	class StarMaskingHandler implements MethodAuthorizationDeniedHandler {
 
 		@Override

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityServiceImpl.java

@@ -82,9 +82,4 @@ public Mono<String> postAuthorizeWithMaskAnnotationUsingBean() {
 		return Mono.just("ok");
 	}
 
-	@Override
-	public Mono<String> checkCustomResult(boolean result) {
-		return Mono.just("ok");
-	}
-
 }