Polish use-authorization-manager

- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305

Author: jzheaux

config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java

@@ -50,6 +50,8 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 
 	private static final String ATT_USE_EXPRESSIONS = "use-expressions";
 
+	private static final String ATT_ACCESS_DECISION_MANAGER_REF = "access-decision-manager-ref";
+
 	private static final String ATT_HTTP_METHOD = "method";
 
 	private static final String ATT_PATTERN = "pattern";
@@ -60,17 +62,29 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 
 	private String authorizationManagerRef;
 
+	private final BeanMetadataElement securityContextHolderStrategy;
+
+	AuthorizationFilterParser(BeanMetadataElement securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	@Override
 	public BeanDefinition parse(Element element, ParserContext parserContext) {
 		if (!isUseExpressions(element)) {
 			parserContext.getReaderContext().error("AuthorizationManager must be used with `use-expressions=\"true\"",
 					element);
 			return null;
 		}
+		if (StringUtils.hasText(element.getAttribute(ATT_ACCESS_DECISION_MANAGER_REF))) {
+			parserContext.getReaderContext().error(
+					"AuthorizationManager cannot be used in conjunction with `access-decision-manager-ref`", element);
+			return null;
+		}
 		this.authorizationManagerRef = createAuthorizationManager(element, parserContext);
 		BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(AuthorizationFilter.class);
 		filterBuilder.getRawBeanDefinition().setSource(parserContext.extractSource(element));
 		BeanDefinition filter = filterBuilder.addConstructorArgReference(this.authorizationManagerRef)
+				.addPropertyValue("securityContextHolderStrategy", this.securityContextHolderStrategy)
 				.getBeanDefinition();
 		String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
 		if (StringUtils.hasText(id)) {
@@ -172,7 +186,9 @@ static class DefaultWebSecurityExpressionHandlerBeanFactory
 
 		@Override
 		public DefaultHttpSecurityExpressionHandler getBean() {
-			this.handler.setDefaultRolePrefix(this.rolePrefix);
+			if (this.rolePrefix != null) {
+				this.handler.setDefaultRolePrefix(this.rolePrefix);
+			}
 			return this.handler;
 		}
 

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -729,7 +729,7 @@ private void createFilterSecurity(BeanReference authManager) {
 	}
 
 	private void createAuthorizationFilter() {
-		AuthorizationFilterParser authorizationFilterParser = new AuthorizationFilterParser();
+		AuthorizationFilterParser authorizationFilterParser = new AuthorizationFilterParser(this.holderStrategyRef);
 		BeanDefinition fsiBean = authorizationFilterParser.parse(this.httpElt, this.pc);
 		String fsiId = this.pc.getReaderContext().generateBeanName(fsiBean);
 		this.pc.registerBeanComponent(new BeanComponentDefinition(fsiBean, fsiId));