Add support for handling access denied with @PreAuthorize and @PostAuthorize

Author: marcusdacoregio

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodAccessDeniedHandlerConfiguration.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authorization.method.DefaultPostInvocationMethodAccessDeniedHandler;
+import org.springframework.security.authorization.method.DefaultPreInvocationMethodAccessDeniedHandler;
+
+@Configuration(proxyBeanMethods = false)
+class MethodAccessDeniedHandlerConfiguration {
+
+	@Bean
+	DefaultPreInvocationMethodAccessDeniedHandler defaultPreAuthorizeMethodAccessDeniedHandler() {
+		return new DefaultPreInvocationMethodAccessDeniedHandler();
+	}
+
+	@Bean
+	DefaultPostInvocationMethodAccessDeniedHandler defaultPostAuthorizeMethodAccessDeniedHandler() {
+		return new DefaultPostInvocationMethodAccessDeniedHandler();
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecuritySelector.java

@@ -57,6 +57,7 @@ public String[] selectImports(@NonNull AnnotationMetadata importMetadata) {
 			imports.add(Jsr250MethodSecurityConfiguration.class.getName());
 		}
 		imports.add(AuthorizationProxyConfiguration.class.getName());
+		imports.add(MethodAccessDeniedHandlerConfiguration.class.getName());
 		return imports.toArray(new String[0]);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -101,6 +101,7 @@ static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor(
 		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
 			.preAuthorize(manager(manager, registryProvider));
 		preAuthorize.setOrder(preAuthorize.getOrder() + configuration.interceptorOrderOffset);
+		preAuthorize.setApplicationContext(context);
 		return new DeferringMethodInterceptor<>(preAuthorize, (f) -> {
 			methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
 			manager.setExpressionHandler(expressionHandlerProvider
@@ -124,6 +125,7 @@ static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 		AuthorizationManagerAfterMethodInterceptor postAuthorize = AuthorizationManagerAfterMethodInterceptor
 			.postAuthorize(manager(manager, registryProvider));
 		postAuthorize.setOrder(postAuthorize.getOrder() + configuration.interceptorOrderOffset);
+		postAuthorize.setApplicationContext(context);
 		return new DeferringMethodInterceptor<>(postAuthorize, (f) -> {
 			methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
 			manager.setExpressionHandler(expressionHandlerProvider

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,12 +21,16 @@
 import jakarta.annotation.security.DenyAll;
 import jakarta.annotation.security.PermitAll;
 import jakarta.annotation.security.RolesAllowed;
+import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.method.MethodAccessDeniedHandler;
+import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.parameters.P;
 
@@ -108,4 +112,59 @@ public interface MethodSecurityService {
 	@RequireAdminRole
 	void repeatedAnnotations();
 
+	@PostAuthorize(value = "hasRole('ADMIN')", handlerClass = CardNumberMaskingHandler.class)
+	String postAuthorizeGetCardNumberIfAdmin(String cardNumber);
+
+	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskingHandler.class)
+	String preAuthorizeGetCardNumberIfAdmin(String cardNumber);
+
+	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskingHandlerChild.class)
+	String preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber);
+
+	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskingHandler.class)
+	String preAuthorizeThrowAccessDeniedManually();
+
+	@PostAuthorize(value = "hasRole('ADMIN')", handlerClass = PostMaskingHandler.class)
+	String postAuthorizeThrowAccessDeniedManually();
+
+	class MaskingHandler implements MethodAccessDeniedHandler<MethodInvocation> {
+
+		@Override
+		public Object handle(MethodInvocation deniedObject, AuthorizationDecision decision) {
+			return "***";
+		}
+
+	}
+
+	class MaskingHandlerChild extends MaskingHandler {
+
+		@Override
+		public Object handle(MethodInvocation deniedObject, AuthorizationDecision decision) {
+			Object mask = super.handle(deniedObject, decision);
+			return mask + "-child";
+		}
+
+	}
+
+	class PostMaskingHandler implements MethodAccessDeniedHandler<MethodInvocationResult> {
+
+		@Override
+		public Object handle(MethodInvocationResult deniedObject, AuthorizationDecision decision) {
+			return "***";
+		}
+
+	}
+
+	class CardNumberMaskingHandler implements MethodAccessDeniedHandler<MethodInvocationResult> {
+
+		static String MASK = "****-****-****-";
+
+		@Override
+		public Object handle(MethodInvocationResult mi, AuthorizationDecision decision) {
+			String cardNumber = (String) mi.getResult();
+			return MASK + cardNumber.substring(cardNumber.length() - 4);
+		}
+
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import java.util.List;
 
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -126,4 +127,29 @@ public List<String> allAnnotations(List<String> list) {
 	public void repeatedAnnotations() {
 	}
 
+	@Override
+	public String postAuthorizeGetCardNumberIfAdmin(String cardNumber) {
+		return cardNumber;
+	}
+
+	@Override
+	public String preAuthorizeGetCardNumberIfAdmin(String cardNumber) {
+		return cardNumber;
+	}
+
+	@Override
+	public String preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber) {
+		return cardNumber;
+	}
+
+	@Override
+	public String preAuthorizeThrowAccessDeniedManually() {
+		throw new AccessDeniedException("Access Denied");
+	}
+
+	@Override
+	public String postAuthorizeThrowAccessDeniedManually() {
+		throw new AccessDeniedException("Access Denied");
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -662,6 +662,66 @@ public void methodWhenPostFilterMetaAnnotationThenFilters() {
 			.containsExactly("dave");
 	}
 
+	@Test
+	@WithMockUser
+	void getCardNumberWhenPostAuthorizeAndNotAdminThenReturnMasked() {
+		this.spring
+			.register(AuthzConfig.class, MethodSecurityServiceEnabledConfig.class,
+					MethodSecurityService.CardNumberMaskingHandler.class, MethodSecurityService.MaskingHandler.class)
+			.autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		String cardNumber = service.postAuthorizeGetCardNumberIfAdmin("4444-3333-2222-1111");
+		assertThat(cardNumber).isEqualTo("****-****-****-1111");
+	}
+
+	@Test
+	@WithMockUser
+	void getCardNumberWhenPreAuthorizeAndNotAdminThenReturnMasked() {
+		this.spring
+			.register(AuthzConfig.class, MethodSecurityServiceEnabledConfig.class,
+					MethodSecurityService.MaskingHandler.class)
+			.autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		String cardNumber = service.preAuthorizeGetCardNumberIfAdmin("4444-3333-2222-1111");
+		assertThat(cardNumber).isEqualTo("***");
+	}
+
+	@Test
+	@WithMockUser
+	void getCardNumberWhenPreAuthorizeAndNotAdminAndChildHandlerThenResolveCorrectHandlerAndReturnMasked() {
+		this.spring
+				.register(AuthzConfig.class, MethodSecurityServiceEnabledConfig.class,
+						MethodSecurityService.MaskingHandler.class, MethodSecurityService.MaskingHandlerChild.class)
+				.autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		String cardNumber = service.preAuthorizeWithHandlerChildGetCardNumberIfAdmin("4444-3333-2222-1111");
+		assertThat(cardNumber).isEqualTo("***-child");
+	}
+
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	void preAuthorizeWhenHandlerAndAccessDeniedNotThrownFromPreAuthorizeThenNotHandled() {
+		this.spring
+			.register(AuthzConfig.class, MethodSecurityServiceEnabledConfig.class,
+					MethodSecurityService.MaskingHandler.class)
+			.autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		assertThatExceptionOfType(AccessDeniedException.class)
+			.isThrownBy(service::preAuthorizeThrowAccessDeniedManually);
+	}
+
+	@Test
+	@WithMockUser(roles = "ADMIN")
+	void postAuthorizeWhenHandlerAndAccessDeniedNotThrownFromPostAuthorizeThenNotHandled() {
+		this.spring
+			.register(AuthzConfig.class, MethodSecurityServiceEnabledConfig.class,
+					MethodSecurityService.PostMaskingHandler.class)
+			.autowire();
+		MethodSecurityService service = this.spring.getContext().getBean(MethodSecurityService.class);
+		assertThatExceptionOfType(AccessDeniedException.class)
+			.isThrownBy(service::postAuthorizeThrowAccessDeniedManually);
+	}
+
 	private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
 		return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
 	}
@@ -675,6 +735,16 @@ private static Advisor returnAdvisor(int order) {
 		return advisor;
 	}
 
+	@Configuration
+	static class AuthzConfig {
+
+		@Bean
+		Authz authz() {
+			return new Authz();
+		}
+
+	}
+
 	@Configuration
 	@EnableCustomMethodSecurity
 	static class CustomMethodSecurityServiceConfig {

core/src/main/java/org/springframework/security/access/prepost/PostAuthorize.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,10 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
+import org.springframework.security.authorization.method.DefaultPostInvocationMethodAccessDeniedHandler;
+import org.springframework.security.authorization.method.MethodAccessDeniedHandler;
+import org.springframework.security.authorization.method.MethodInvocationResult;
+
 /**
  * Annotation for specifying a method access-control expression which will be evaluated
  * after a method has been invoked.
@@ -42,4 +46,6 @@
 	 */
 	String value();
 
+	Class<? extends MethodAccessDeniedHandler<MethodInvocationResult>> handlerClass() default DefaultPostInvocationMethodAccessDeniedHandler.class;
+
 }

core/src/main/java/org/springframework/security/access/prepost/PreAuthorize.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,11 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.security.authorization.method.DefaultPreInvocationMethodAccessDeniedHandler;
+import org.springframework.security.authorization.method.MethodAccessDeniedHandler;
+
 /**
  * Annotation for specifying a method access-control expression which will be evaluated to
  * decide whether a method invocation is allowed or not.
@@ -42,4 +47,6 @@
 	 */
 	String value();
 
+	Class<? extends MethodAccessDeniedHandler<MethodInvocation>> handlerClass() default DefaultPreInvocationMethodAccessDeniedHandler.class;
+
 }

core/src/main/java/org/springframework/security/authorization/DecisionAwareAccessDeniedException.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.util.Assert;
+
+public class DecisionAwareAccessDeniedException extends AccessDeniedException {
+
+	private final AuthorizationDecision decision;
+
+	public DecisionAwareAccessDeniedException(String msg, AuthorizationDecision decision) {
+		super(msg);
+		Assert.notNull(decision, "decision cannot be null");
+		this.decision = decision;
+	}
+
+	public AuthorizationDecision getDecision() {
+		return this.decision;
+	}
+
+}