Add AuthorizationProxy Interface

Closes gh-15747

Author: jzheaux

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -17,6 +17,7 @@
 package org.springframework.security.authorization.method;
 
 import java.lang.reflect.Array;
+import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -37,10 +38,13 @@
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
+import org.aopalliance.aop.Advice;
+import org.aopalliance.intercept.MethodInvocation;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
 import org.springframework.aop.Advisor;
+import org.springframework.aop.Pointcut;
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.aop.framework.ProxyFactory;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
@@ -168,9 +172,12 @@ public Object proxy(Object target) {
 			return proxied;
 		}
 		ProxyFactory factory = new ProxyFactory(target);
+		AuthorizationProxyMethodInterceptor unwrapper = new AuthorizationProxyMethodInterceptor();
+		factory.addAdvisors(unwrapper);
 		for (Advisor advisor : this.advisors) {
 			factory.addAdvisors(advisor);
 		}
+		factory.addInterface(AuthorizationProxy.class);
 		factory.setOpaque(true);
 		factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));
 		return factory.getProxy();
@@ -572,4 +579,34 @@ private Flux<?> proxyFlux(AuthorizationProxyFactory proxyFactory, Flux<?> flux)
 
 	}
 
+	private static final class AuthorizationProxyMethodInterceptor implements AuthorizationAdvisor {
+
+		private static final Method GET_TARGET_METHOD = ClassUtils.getMethod(AuthorizationProxy.class,
+				"toAuthorizedTarget");
+
+		@Override
+		public Object invoke(MethodInvocation invocation) throws Throwable {
+			if (invocation.getMethod().equals(GET_TARGET_METHOD)) {
+				return invocation.getThis();
+			}
+			return invocation.proceed();
+		}
+
+		@Override
+		public Pointcut getPointcut() {
+			return Pointcut.TRUE;
+		}
+
+		@Override
+		public Advice getAdvice() {
+			return this;
+		}
+
+		@Override
+		public int getOrder() {
+			return 0;
+		}
+
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/method/AuthorizationProxy.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.method;
+
+import org.springframework.aop.RawTargetAccess;
+
+/**
+ * An interface that is typically implemented by Spring Security's AOP support to identify
+ * an instance as being proxied by Spring Security.
+ *
+ * <p>
+ * Also provides a way to access the underlying target object, handy for working with the
+ * object without invoking the authorization rules.
+ *
+ * <p>
+ * This can be helpful when taking working with a proxied object and needing to hand it to
+ * a layer of the application that should not invoke the rules, like a Spring Data
+ * repository:
+ *
+ * <pre>
+ *	MyObject object = this.objectRepository.findById(123L); // now an authorized proxy
+ *  object.setProtectedValue(...); // only works if authorized
+ *  if (object instanceof AuthorizationProxy proxy) {
+ *  	// Spring Data wants to be able to persist the entire object
+ *  	// so we'll remove the proxy
+ *      object = (MyObject) proxy.toAuthorizedTarget();
+ *  }
+ *  this.objectRepository.save(object);
+ * </pre>
+ *
+ * @author Josh Cummings
+ * @since 6.4
+ */
+public interface AuthorizationProxy extends RawTargetAccess {
+
+	/**
+	 * Access underlying target object
+	 * @return the target object
+	 */
+	Object toAuthorizedTarget();
+
+}

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -46,6 +46,7 @@
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
+import org.springframework.security.authorization.method.AuthorizationProxy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -350,6 +351,15 @@ public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperti
 		assertThat(properties).hasSize(3).containsKeys("id", "firstName", "lastName");
 	}
 
+	@Test
+	public void proxyWhenDefaultsThenInstanceOfAuthorizationProxy() {
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		Flight flight = proxy(factory, this.flight);
+		assertThat(flight).isInstanceOf(AuthorizationProxy.class);
+		Flight target = (Flight) ((AuthorizationProxy) flight).toAuthorizedTarget();
+		assertThat(target).isSameAs(this.flight);
+	}
+
 	private Authentication authenticated(String user, String... authorities) {
 		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
 	}