添加额外的 Spring Security 方法注释

Question

I'm writing a library that uses Spring Security and method security to check whether a user is licensed to perform a certain operation. This is in addition to the usual role-based security, and this is causing a problem.

The annotations look like they do in this test class:

@RestController
class TestController {

    @RolesAllowed("ROLE_USER")
    @Licensed("a")
    public ResponseEntity<String> a() {
        return ResponseEntity.ok("a");
    }

    @RolesAllowed("ROLE_USER")
    @Licensed("b")
    public ResponseEntity<String> b() {
        return ResponseEntity.ok("b");
    }

    @RolesAllowed("ROLE_USER")
    @Licensed("c")
    public ResponseEntity<String> c() {
        return ResponseEntity.ok("c");
    }
}

Having the annotations processed seems simple enough, because you add a customMethodSecurityDataSource :

@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
@Configuration
public class LicenceSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    @Override protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
        return new LicensedAnnotationSecurityMetadataSource();
    }

    // more configurations
}

But the problem is in Spring's implementation:

@Override
public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
    DefaultCacheKey cacheKey = new DefaultCacheKey(method, targetClass);
    synchronized (this.attributeCache) {
        Collection<ConfigAttribute> cached = this.attributeCache.get(cacheKey);
        // Check for canonical value indicating there is no config attribute,
        if (cached != null) {
            return cached;
        }
        // No cached value, so query the sources to find a result
        Collection<ConfigAttribute> attributes = null;
        for (MethodSecurityMetadataSource s : this.methodSecurityMetadataSources) {
            attributes = s.getAttributes(method, targetClass);
            if (attributes != null && !attributes.isEmpty()) {
                break;
            }
        }
        // Put it in the cache.
        if (attributes == null || attributes.isEmpty()) {
            this.attributeCache.put(cacheKey, NULL_CONFIG_ATTRIBUTE);
            return NULL_CONFIG_ATTRIBUTE;
        }
        this.logger.debug(LogMessage.format("Caching method [%s] with attributes %s", cacheKey, attributes));
        this.attributeCache.put(cacheKey, attributes);
        return attributes;
    }

My custom metadata source is processed first, and as soon as it finds an annotation that it recognises, it stops processing. Specifically, in this if-block:

if (attributes != null && !attributes.isEmpty()) {
    break;
}

The result is that my LicenceDecisionVoter votes to abstain; after all, there could be other annotation processors that check roles. And because there are no more attributes to vote upon, only ACCESS_ABSTAIN is returned, and as per Spring's default and recommended configuration, access is denied. The roles are never checked.

Do I have an alternative, other than to implement scanning for Spring's own annotation processors, like the @Secured and JSR-250 annotations?

Or was the mistake to use Spring Security in the first place for this specific purpose?

Answer 1

As promised, the solution. It was more work than I imagined, and the code may have issues because it is partly copied from Spring, and some of that code looks dodgy (or at least, IntelliJ thinks it does).

The key is to remove the GlobalMethodSecurityConfiguration . Leave that to the application itself. The (auto) configuration class looks like the following:

@EnableConfigurationProperties(LicenceProperties.class)
@Configuration
@Import(LicensedMetadataSourceAdvisorRegistrar.class)
public class LicenceAutoConfiguration {

    @Bean public <T extends Licence> LicenceChecker<T> licenceChecker(
            @Lazy @Autowired final LicenceProperties properties,
            @Lazy @Autowired final LicenceFactory<T> factory
    ) throws InvalidSignatureException, LicenceExpiredException, WrappedApiException,
             IOException, ParseException, InvalidKeySpecException {
        final LicenceLoader loader = new LicenceLoader(factory.getPublicKey());
        final T licence = loader.load(properties.getLicenceFile(), factory.getType());
        return factory.getChecker(licence);
    }

    @Bean MethodSecurityInterceptor licenceSecurityInterceptor(
            final LicensedMetadataSource metadataSource,
            final LicenceChecker<?> licenceChecker
    ) {
        final MethodSecurityInterceptor interceptor = new MethodSecurityInterceptor();
        interceptor.setAccessDecisionManager(decisionManager(licenceChecker));
        interceptor.setSecurityMetadataSource(metadataSource);
        return interceptor;
    }

    @Bean LicenceAccessDecisionManager decisionManager(@Autowired final LicenceChecker<?> licenceChecker) {
        return new LicenceAccessDecisionManager(licenceChecker);
    }

    @Bean LicensedMetadataSource licensedMetadataSource() {
        return new LicensedMetadataSource();
    }
}

The registrar:

public class LicensedMetadataSourceAdvisorRegistrar implements ImportBeanDefinitionRegistrar {

    @Override
    public void registerBeanDefinitions(final AnnotationMetadata importingClassMetadata,
                                        final BeanDefinitionRegistry registry) {
        final BeanDefinitionBuilder advisor = BeanDefinitionBuilder
                .rootBeanDefinition(LicensedMetadataSourceAdvisor.class);
        advisor.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
        advisor.addConstructorArgReference("licensedMetadataSource");
        registry.registerBeanDefinition("licensedMetadataSourceAdvisor", advisor.getBeanDefinition());
    }
}

And finally, the advisor:

public class LicensedMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {

    private final LicenceMetadataSourcePointcut pointcut = new LicenceMetadataSourcePointcut();

    private transient LicensedMetadataSource attributeSource;

    private transient BeanFactory beanFactory;
    private transient MethodInterceptor interceptor;

    private transient volatile Object adviceMonitor = new Object();

    public LicensedMetadataSourceAdvisor(final LicensedMetadataSource attributeSource) {
        this.attributeSource = attributeSource;
    }

    @Override public void setBeanFactory(final BeanFactory beanFactory) throws BeansException {
        this.beanFactory = beanFactory;
    }

    @Override public Pointcut getPointcut() {
        return pointcut;
    }

    @Override public Advice getAdvice() {
        synchronized (this.adviceMonitor) {
            if (this.interceptor == null) {
                Assert.state(this.beanFactory != null, "BeanFactory must be set to resolve 'adviceBeanName'");
                this.interceptor = this.beanFactory.getBean("licenceSecurityInterceptor", MethodInterceptor.class);
            }
            return this.interceptor;
        }
    }

    class LicenceMetadataSourcePointcut extends StaticMethodMatcherPointcut implements Serializable {

        @Override public boolean matches(final Method method, final Class<?> targetClass) {
            final LicensedMetadataSource source = LicensedMetadataSourceAdvisor.this.attributeSource;
            final Collection<ConfigAttribute> attributes = source.getAttributes(method, targetClass);
            return attributes != null && !attributes.isEmpty();
        }
    }
}

The latter two classes are copied and modified from Spring. The advisor was copied from MethodSecurityMetadataSourceAdvisor , and that's a class that somebody at Spring might have a look at, because of the transient volatile synchronisation object (which I copied, because I can't yet establish if it should be final instead), and because it has a private method that is never used.