Instrument Authentication and Authorization

Closes gh-11989
Closes gh-11990

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java

@@ -16,12 +16,17 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import io.micrometer.observation.ObservationRegistry;
+import org.aopalliance.intercept.MethodInvocation;
+
 import org.springframework.aop.Advisor;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.ObservationAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
@@ -40,28 +45,28 @@
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 final class Jsr250MethodSecurityConfiguration {
 
-	private final Jsr250AuthorizationManager jsr250AuthorizationManager = new Jsr250AuthorizationManager();
-
-	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
-			.getContextHolderStrategy();
-
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	Advisor jsr250AuthorizationMethodInterceptor() {
+	static Advisor jsr250AuthorizationMethodInterceptor(ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
+			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
+			ObjectProvider<ObservationRegistry> registryProvider) {
+		Jsr250AuthorizationManager jsr250 = new Jsr250AuthorizationManager();
+		defaultsProvider.ifAvailable((d) -> jsr250.setRolePrefix(d.getRolePrefix()));
+		SecurityContextHolderStrategy strategy = strategyProvider
+				.getIfAvailable(SecurityContextHolder::getContextHolderStrategy);
+		ObservationRegistry registry = registryProvider.getIfAvailable(() -> ObservationRegistry.NOOP);
+		AuthorizationManager<MethodInvocation> manager = manager(jsr250, registry);
 		AuthorizationManagerBeforeMethodInterceptor interceptor = AuthorizationManagerBeforeMethodInterceptor
-				.jsr250(this.jsr250AuthorizationManager);
-		interceptor.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
+				.jsr250(manager);
+		interceptor.setSecurityContextHolderStrategy(strategy);
 		return interceptor;
 	}
 
-	@Autowired(required = false)
-	void setGrantedAuthorityDefaults(GrantedAuthorityDefaults grantedAuthorityDefaults) {
-		this.jsr250AuthorizationManager.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
-	}
-
-	@Autowired(required = false)
-	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
-		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	static <T> AuthorizationManager<T> manager(AuthorizationManager<T> jsr250, ObservationRegistry registry) {
+		if (registry.isNoop()) {
+			return jsr250;
+		}
+		return new ObservationAuthorizationManager<>(registry, jsr250);
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -16,8 +16,10 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import io.micrometer.observation.ObservationRegistry;
+
 import org.springframework.aop.Advisor;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -26,7 +28,8 @@
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
-import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.ObservationAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager;
@@ -48,85 +51,80 @@
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 final class PrePostMethodSecurityConfiguration {
 
-	private final PreFilterAuthorizationMethodInterceptor preFilterAuthorizationMethodInterceptor = new PreFilterAuthorizationMethodInterceptor();
-
-	private final AuthorizationManagerBeforeMethodInterceptor preAuthorizeAuthorizationMethodInterceptor;
-
-	private final PreAuthorizeAuthorizationManager preAuthorizeAuthorizationManager = new PreAuthorizeAuthorizationManager();
-
-	private final AuthorizationManagerAfterMethodInterceptor postAuthorizeAuthorizaitonMethodInterceptor;
-
-	private final PostAuthorizeAuthorizationManager postAuthorizeAuthorizationManager = new PostAuthorizeAuthorizationManager();
-
-	private final PostFilterAuthorizationMethodInterceptor postFilterAuthorizationMethodInterceptor = new PostFilterAuthorizationMethodInterceptor();
-
-	private final DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
-
-	@Autowired
-	PrePostMethodSecurityConfiguration(ApplicationContext context) {
-		this.preAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
-		this.preAuthorizeAuthorizationMethodInterceptor = AuthorizationManagerBeforeMethodInterceptor
-				.preAuthorize(this.preAuthorizeAuthorizationManager);
-		this.postAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
-		this.postAuthorizeAuthorizaitonMethodInterceptor = AuthorizationManagerAfterMethodInterceptor
-				.postAuthorize(this.postAuthorizeAuthorizationManager);
-		this.preFilterAuthorizationMethodInterceptor.setExpressionHandler(this.expressionHandler);
-		this.postFilterAuthorizationMethodInterceptor.setExpressionHandler(this.expressionHandler);
-		this.expressionHandler.setApplicationContext(context);
-		AuthorizationEventPublisher publisher = new SpringAuthorizationEventPublisher(context);
-		this.preAuthorizeAuthorizationMethodInterceptor.setAuthorizationEventPublisher(publisher);
-		this.postAuthorizeAuthorizaitonMethodInterceptor.setAuthorizationEventPublisher(publisher);
-	}
-
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	Advisor preFilterAuthorizationMethodInterceptor() {
-		return this.preFilterAuthorizationMethodInterceptor;
+	static Advisor preFilterAuthorizationMethodInterceptor(ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
+			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
+			ObjectProvider<SecurityContextHolderStrategy> strategyProvider, ApplicationContext context) {
+		PreFilterAuthorizationMethodInterceptor preFilter = new PreFilterAuthorizationMethodInterceptor();
+		strategyProvider.ifAvailable(preFilter::setSecurityContextHolderStrategy);
+		preFilter.setExpressionHandler(
+				expressionHandlerProvider.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, context)));
+		return preFilter;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	Advisor preAuthorizeAuthorizationMethodInterceptor() {
-		return this.preAuthorizeAuthorizationMethodInterceptor;
+	static Advisor preAuthorizeAuthorizationMethodInterceptor(ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
+			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
+			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
+			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
+			ObjectProvider<ObservationRegistry> registryProvider, ApplicationContext context) {
+		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
+		manager.setExpressionHandler(
+				expressionHandlerProvider.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, context)));
+		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
+				.preAuthorize(manager(manager, registryProvider));
+		strategyProvider.ifAvailable(preAuthorize::setSecurityContextHolderStrategy);
+		eventPublisherProvider.ifAvailable(preAuthorize::setAuthorizationEventPublisher);
+		return preAuthorize;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	Advisor postAuthorizeAuthorizationMethodInterceptor() {
-		return this.postAuthorizeAuthorizaitonMethodInterceptor;
+	static Advisor postAuthorizeAuthorizationMethodInterceptor(
+			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
+			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
+			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
+			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
+			ObjectProvider<ObservationRegistry> registryProvider, ApplicationContext context) {
+		PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
+		manager.setExpressionHandler(
+				expressionHandlerProvider.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, context)));
+		AuthorizationManagerAfterMethodInterceptor postAuthorize = AuthorizationManagerAfterMethodInterceptor
+				.postAuthorize(manager(manager, registryProvider));
+		strategyProvider.ifAvailable(postAuthorize::setSecurityContextHolderStrategy);
+		eventPublisherProvider.ifAvailable(postAuthorize::setAuthorizationEventPublisher);
+		return postAuthorize;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	Advisor postFilterAuthorizationMethodInterceptor() {
-		return this.postFilterAuthorizationMethodInterceptor;
-	}
-
-	@Autowired(required = false)
-	void setMethodSecurityExpressionHandler(MethodSecurityExpressionHandler methodSecurityExpressionHandler) {
-		this.preFilterAuthorizationMethodInterceptor.setExpressionHandler(methodSecurityExpressionHandler);
-		this.preAuthorizeAuthorizationManager.setExpressionHandler(methodSecurityExpressionHandler);
-		this.postAuthorizeAuthorizationManager.setExpressionHandler(methodSecurityExpressionHandler);
-		this.postFilterAuthorizationMethodInterceptor.setExpressionHandler(methodSecurityExpressionHandler);
-	}
-
-	@Autowired(required = false)
-	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
-		this.preFilterAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
-		this.preAuthorizeAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
-		this.postAuthorizeAuthorizaitonMethodInterceptor.setSecurityContextHolderStrategy(strategy);
-		this.postFilterAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
+	static Advisor postFilterAuthorizationMethodInterceptor(ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
+			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
+			ObjectProvider<SecurityContextHolderStrategy> strategyProvider, ApplicationContext context) {
+		PostFilterAuthorizationMethodInterceptor postFilter = new PostFilterAuthorizationMethodInterceptor();
+		strategyProvider.ifAvailable(postFilter::setSecurityContextHolderStrategy);
+		postFilter.setExpressionHandler(
+				expressionHandlerProvider.getIfAvailable(() -> defaultExpressionHandler(defaultsProvider, context)));
+		return postFilter;
 	}
 
-	@Autowired(required = false)
-	void setGrantedAuthorityDefaults(GrantedAuthorityDefaults grantedAuthorityDefaults) {
-		this.expressionHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
+	private static MethodSecurityExpressionHandler defaultExpressionHandler(
+			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider, ApplicationContext context) {
+		DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
+		defaultsProvider.ifAvailable((d) -> handler.setDefaultRolePrefix(d.getRolePrefix()));
+		handler.setApplicationContext(context);
+		return handler;
 	}
 
-	@Autowired(required = false)
-	void setAuthorizationEventPublisher(AuthorizationEventPublisher eventPublisher) {
-		this.preAuthorizeAuthorizationMethodInterceptor.setAuthorizationEventPublisher(eventPublisher);
-		this.postAuthorizeAuthorizaitonMethodInterceptor.setAuthorizationEventPublisher(eventPublisher);
+	static <T> AuthorizationManager<T> manager(AuthorizationManager<T> delegate,
+			ObjectProvider<ObservationRegistry> registryProvider) {
+		ObservationRegistry registry = registryProvider.getIfAvailable(() -> ObservationRegistry.NOOP);
+		if (registry.isNoop()) {
+			return delegate;
+		}
+		return new ObservationAuthorizationManager<>(registry, delegate);
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -16,6 +16,10 @@
 
 package org.springframework.security.config.annotation.method.configuration;
 
+import io.micrometer.observation.ObservationRegistry;
+import org.aopalliance.intercept.MethodInvocation;
+
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
@@ -24,8 +28,11 @@
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor;
+import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PostAuthorizeReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager;
@@ -43,39 +50,39 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor(
+	static PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
 		return new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor(
-			MethodSecurityExpressionHandler expressionHandler) {
-		PreAuthorizeReactiveAuthorizationManager authorizationManager = new PreAuthorizeReactiveAuthorizationManager(
-				expressionHandler);
+	static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor(
+			MethodSecurityExpressionHandler expressionHandler, ObjectProvider<ObservationRegistry> registryProvider) {
+		ReactiveAuthorizationManager<MethodInvocation> authorizationManager = manager(
+				new PreAuthorizeReactiveAuthorizationManager(expressionHandler), registryProvider);
 		return AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(authorizationManager);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor(
+	static PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
 		return new PostFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor(
-			MethodSecurityExpressionHandler expressionHandler) {
-		PostAuthorizeReactiveAuthorizationManager authorizationManager = new PostAuthorizeReactiveAuthorizationManager(
-				expressionHandler);
+	static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor(
+			MethodSecurityExpressionHandler expressionHandler, ObjectProvider<ObservationRegistry> registryProvider) {
+		ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager = manager(
+				new PostAuthorizeReactiveAuthorizationManager(expressionHandler), registryProvider);
 		return AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(authorizationManager);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
-	DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
+	static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
 			@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) {
 		DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
 		if (grantedAuthorityDefaults != null) {
@@ -84,4 +91,13 @@ DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(
 		return handler;
 	}
 
+	static <T> ReactiveAuthorizationManager<T> manager(ReactiveAuthorizationManager<T> delegate,
+			ObjectProvider<ObservationRegistry> registryProvider) {
+		ObservationRegistry registry = registryProvider.getIfAvailable(() -> ObservationRegistry.NOOP);
+		if (registry.isNoop()) {
+			return delegate;
+		}
+		return new ObservationReactiveAuthorizationManager<>(registry, delegate);
+	}
+
 }