spring-projects
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
Lines changed: 4 additions & 4 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
Lines changed: 4 additions & 4 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java
Lines changed: 7 additions & 8 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java
Lines changed: 7 additions & 8 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/PostFilterExpressionAttributeRegistry.java
Lines changed: 5 additions & 5 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/PostFilterExpressionAttributeRegistry.java
Lines changed: 5 additions & 5 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java
Lines changed: 7 additions & 8 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java
Lines changed: 7 additions & 8 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/PreFilterExpressionAttributeRegistry.java
Lines changed: 5 additions & 5 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/PreFilterExpressionAttributeRegistry.java
Lines changed: 5 additions & 5 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
Lines changed: 4 additions & 4 deletions b/‎core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
Lines changed: 4 additions & 4 deletions
diff --git a/‎core/src/main/java/org/springframework/security/core/annotation/AbstractSecurityAnnotationScanner.java
Lines changed: 66 additions & 0 deletions b/‎core/src/main/java/org/springframework/security/core/annotation/AbstractSecurityAnnotationScanner.java
Lines changed: 66 additions & 0 deletions
diff --git a/‎core/src/main/java/org/springframework/security/core/annotation/AnnotationSynthesizers.java
Lines changed: 0 additions & 81 deletions b/‎core/src/main/java/org/springframework/security/core/annotation/AnnotationSynthesizers.java
Lines changed: 0 additions & 81 deletions
@@ -34,8 +34,8 @@
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
 
 /**
@@ -95,7 +95,7 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Meth
 
 	private final class Jsr250AuthorizationManagerRegistry extends AbstractAuthorizationManagerRegistry {
 
-		private final AnnotationSynthesizer<?> synthesizer = AnnotationSynthesizers
+		private final SecurityAnnotationScanner<?> scanner = SecurityAnnotationScanners
 			.requireUnique(List.of(DenyAll.class, PermitAll.class, RolesAllowed.class));
 
 		@NonNull
@@ -117,7 +117,7 @@ AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> ta
 
 		private Annotation findJsr250Annotation(Method method, Class<?> targetClass) {
 			Class<?> targetClassToUse = (targetClass != null) ? targetClass : method.getDeclaringClass();
-			return this.synthesizer.synthesize(method, targetClassToUse);
+			return this.scanner.scan(method, targetClassToUse);
 		}
 
 		private Set<String> getAllowedRolesWithPrefix(RolesAllowed rolesAllowed) {
 
@@ -25,9 +25,9 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.expression.Expression;
 import org.springframework.security.access.prepost.PostAuthorize;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
 
 /**
@@ -41,12 +41,12 @@ final class PostAuthorizeExpressionAttributeRegistry extends AbstractExpressionA
 
 	private final MethodAuthorizationDeniedHandler defaultHandler = new ThrowingMethodAuthorizationDeniedHandler();
 
-	private final AnnotationSynthesizer<HandleAuthorizationDenied> handleAuthorizationDeniedSynthesizer = AnnotationSynthesizers
+	private final SecurityAnnotationScanner<HandleAuthorizationDenied> handleAuthorizationDeniedScanner = SecurityAnnotationScanners
 		.requireUnique(HandleAuthorizationDenied.class);
 
 	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
-	private AnnotationSynthesizer<PostAuthorize> postAuthorizeSynthesizer = AnnotationSynthesizers
+	private SecurityAnnotationScanner<PostAuthorize> postAuthorizeScanner = SecurityAnnotationScanners
 		.requireUnique(PostAuthorize.class);
 
 	PostAuthorizeExpressionAttributeRegistry() {
@@ -68,8 +68,7 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 
 	private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedSynthesizer.synthesize(method,
-				targetClassToUse);
+		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedScanner.scan(method, targetClassToUse);
 		if (deniedHandler != null) {
 			return this.handlerResolver.apply(deniedHandler.handlerClass());
 		}
@@ -78,7 +77,7 @@ private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?>
 
 	private PostAuthorize findPostAuthorizeAnnotation(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		return this.postAuthorizeSynthesizer.synthesize(method, targetClassToUse);
+		return this.postAuthorizeScanner.scan(method, targetClassToUse);
 	}
 
 	/**
@@ -92,7 +91,7 @@ void setApplicationContext(ApplicationContext context) {
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults) {
-		this.postAuthorizeSynthesizer = AnnotationSynthesizers.requireUnique(PostAuthorize.class, templateDefaults);
+		this.postAuthorizeScanner = SecurityAnnotationScanners.requireUnique(PostAuthorize.class, templateDefaults);
 	}
 
 	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,
 
@@ -21,9 +21,9 @@
 import org.springframework.expression.Expression;
 import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PostFilter;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 
 /**
  * For internal use only, as this contract is likely to change.
@@ -34,7 +34,7 @@
  */
 final class PostFilterExpressionAttributeRegistry extends AbstractExpressionAttributeRegistry<ExpressionAttribute> {
 
-	private AnnotationSynthesizer<PostFilter> synthesizer = AnnotationSynthesizers.requireUnique(PostFilter.class);
+	private SecurityAnnotationScanner<PostFilter> scanner = SecurityAnnotationScanners.requireUnique(PostFilter.class);
 
 	@NonNull
 	@Override
@@ -49,12 +49,12 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults defaults) {
-		this.synthesizer = AnnotationSynthesizers.requireUnique(PostFilter.class, defaults);
+		this.scanner = SecurityAnnotationScanners.requireUnique(PostFilter.class, defaults);
 	}
 
 	private PostFilter findPostFilterAnnotation(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		return this.synthesizer.synthesize(method, targetClassToUse);
+		return this.scanner.scan(method, targetClassToUse);
 	}
 
 }
@@ -25,9 +25,9 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.expression.Expression;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
 
 /**
@@ -41,12 +41,12 @@ final class PreAuthorizeExpressionAttributeRegistry extends AbstractExpressionAt
 
 	private final MethodAuthorizationDeniedHandler defaultHandler = new ThrowingMethodAuthorizationDeniedHandler();
 
-	private final AnnotationSynthesizer<HandleAuthorizationDenied> handleAuthorizationDeniedSynthesizer = AnnotationSynthesizers
+	private final SecurityAnnotationScanner<HandleAuthorizationDenied> handleAuthorizationDeniedScanner = SecurityAnnotationScanners
 		.requireUnique(HandleAuthorizationDenied.class);
 
 	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
-	private AnnotationSynthesizer<PreAuthorize> preAuthorizeSynthesizer = AnnotationSynthesizers
+	private SecurityAnnotationScanner<PreAuthorize> preAuthorizeScanner = SecurityAnnotationScanners
 		.requireUnique(PreAuthorize.class);
 
 	PreAuthorizeExpressionAttributeRegistry() {
@@ -68,8 +68,7 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 
 	private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedSynthesizer.synthesize(method,
-				targetClassToUse);
+		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedScanner.scan(method, targetClassToUse);
 		if (deniedHandler != null) {
 			return this.handlerResolver.apply(deniedHandler.handlerClass());
 		}
@@ -78,7 +77,7 @@ private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?>
 
 	private PreAuthorize findPreAuthorizeAnnotation(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		return this.preAuthorizeSynthesizer.synthesize(method, targetClassToUse);
+		return this.preAuthorizeScanner.scan(method, targetClassToUse);
 	}
 
 	/**
@@ -92,7 +91,7 @@ void setApplicationContext(ApplicationContext context) {
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults defaults) {
-		this.preAuthorizeSynthesizer = AnnotationSynthesizers.requireUnique(PreAuthorize.class, defaults);
+		this.preAuthorizeScanner = SecurityAnnotationScanners.requireUnique(PreAuthorize.class, defaults);
 	}
 
 	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,
 
@@ -21,9 +21,9 @@
 import org.springframework.expression.Expression;
 import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PreFilter;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 
 /**
  * For internal use only, as this contract is likely to change.
@@ -35,7 +35,7 @@
 final class PreFilterExpressionAttributeRegistry
 		extends AbstractExpressionAttributeRegistry<PreFilterExpressionAttributeRegistry.PreFilterExpressionAttribute> {
 
-	private AnnotationSynthesizer<PreFilter> synthesizer = AnnotationSynthesizers.requireUnique(PreFilter.class);
+	private SecurityAnnotationScanner<PreFilter> scanner = SecurityAnnotationScanners.requireUnique(PreFilter.class);
 
 	@NonNull
 	@Override
@@ -50,12 +50,12 @@ PreFilterExpressionAttribute resolveAttribute(Method method, Class<?> targetClas
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults defaults) {
-		this.synthesizer = AnnotationSynthesizers.requireUnique(PreFilter.class, defaults);
+		this.scanner = SecurityAnnotationScanners.requireUnique(PreFilter.class, defaults);
 	}
 
 	private PreFilter findPreFilterAnnotation(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = targetClass(method, targetClass);
-		return this.synthesizer.synthesize(method, targetClassToUse);
+		return this.scanner.scan(method, targetClassToUse);
 	}
 
 	static final class PreFilterExpressionAttribute extends ExpressionAttribute {
 
@@ -32,8 +32,8 @@
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.annotation.AnnotationSynthesizer;
-import org.springframework.security.core.annotation.AnnotationSynthesizers;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
 
 /**
@@ -51,7 +51,7 @@ public final class SecuredAuthorizationManager implements AuthorizationManager<M
 
 	private final Map<MethodClassKey, Set<String>> cachedAuthorities = new ConcurrentHashMap<>();
 
-	private final AnnotationSynthesizer<Secured> synthesizer = AnnotationSynthesizers.requireUnique(Secured.class);
+	private final SecurityAnnotationScanner<Secured> scanner = SecurityAnnotationScanners.requireUnique(Secured.class);
 
 	/**
 	 * Sets an {@link AuthorizationManager} that accepts a collection of authority
@@ -95,7 +95,7 @@ private Set<String> resolveAuthorities(Method method, Class<?> targetClass) {
 
 	private Secured findSecuredAnnotation(Method method, Class<?> targetClass) {
 		Class<?> targetClassToUse = (targetClass != null) ? targetClass : method.getDeclaringClass();
-		return this.synthesizer.synthesize(method, targetClassToUse);
+		return this.scanner.scan(method, targetClassToUse);
 	}
 
 }
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.annotation;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.AnnotatedElement;
+import java.lang.reflect.Method;
+import java.lang.reflect.Parameter;
+
+import org.springframework.core.annotation.MergedAnnotation;
+import org.springframework.lang.Nullable;
+import org.springframework.util.Assert;
+
+/**
+ * An abstract class to hide the {@link MergedAnnotation} implementation details.
+ *
+ * <p>
+ * Also handy for allowing each scanner to delegate to another without needing to
+ * synthesize twice.
+ */
+abstract class AbstractSecurityAnnotationScanner<A extends Annotation> implements SecurityAnnotationScanner<A> {
+
+	/**
+	 * {@inheritDoc}
+	 **/
+	@Nullable
+	@Override
+	public A scan(Method method, Class<?> targetClass) {
+		Assert.notNull(targetClass, "targetClass cannot be null");
+		MergedAnnotation<A> annotation = merge(method, targetClass);
+		if (annotation == null) {
+			return null;
+		}
+		return annotation.synthesize();
+	}
+
+	/**
+	 * {@inheritDoc}
+	 **/
+	@Nullable
+	@Override
+	public A scan(Parameter parameter) {
+		MergedAnnotation<A> annotation = merge(parameter, null);
+		if (annotation == null) {
+			return null;
+		}
+		return annotation.synthesize();
+	}
+
+	abstract MergedAnnotation<A> merge(AnnotatedElement element, Class<?> targetClass);
+
+}