-
Notifications
You must be signed in to change notification settings - Fork 6.2k
Add hasScope as a valid SpEL expression to PreAuthorize #18151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ngocnhan-tran1996
wants to merge
3
commits into
spring-projects:main
Choose a base branch
from
ngocnhan-tran1996:gh-18013
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+322
−0
Open
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
89 changes: 89 additions & 0 deletions
89
...ramework/security/oauth2/core/authorization/DefaultOAuth2AuthorizationManagerFactory.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| /* | ||
| * Copyright 2025-present the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.core.authorization; | ||
|
|
||
| import org.springframework.security.authorization.AuthorizationManager; | ||
| import org.springframework.security.authorization.AuthorizationManagerFactory; | ||
| import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| /** | ||
| * A factory for creating different kinds of {@link AuthorizationManager} instances. | ||
| * | ||
| * @param <T> the type of object that the authorization check is being done on | ||
| * @author Ngoc Nhan | ||
| * @since 7.1 | ||
| */ | ||
| public final class DefaultOAuth2AuthorizationManagerFactory<T> implements OAuth2AuthorizationManagerFactory<T> { | ||
|
|
||
| private String scopePrefix = "SCOPE_"; | ||
|
|
||
| private final AuthorizationManagerFactory<T> authorizationManagerFactory; | ||
|
|
||
| public DefaultOAuth2AuthorizationManagerFactory() { | ||
| this(new DefaultAuthorizationManagerFactory<>()); | ||
| } | ||
|
|
||
| public DefaultOAuth2AuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory) { | ||
| Assert.notNull(authorizationManagerFactory, "authorizationManagerFactory can not be null"); | ||
| this.authorizationManagerFactory = authorizationManagerFactory; | ||
| } | ||
|
|
||
| /** | ||
| * Sets the prefix used to create an authority name from a scope name. Can be an empty | ||
| * string. | ||
| * @param scopePrefix the scope prefix to use | ||
| */ | ||
| public void setScopePrefix(String scopePrefix) { | ||
| Assert.notNull(scopePrefix, "scopePrefix can not be null"); | ||
| this.scopePrefix = scopePrefix; | ||
| } | ||
|
|
||
| @Override | ||
| public AuthorizationManager<T> hasScope(String scope) { | ||
| Assert.notNull(scope, "scope can not be null"); | ||
| assertScope(scope); | ||
| return this.authorizationManagerFactory.hasAuthority(this.scopePrefix + scope); | ||
| } | ||
|
|
||
| @Override | ||
| public AuthorizationManager<T> hasAnyScope(String... scopes) { | ||
| return this.authorizationManagerFactory.hasAnyAuthority(this.mappedScopes(scopes)); | ||
| } | ||
|
|
||
| @Override | ||
| public AuthorizationManager<T> hasAllScopes(String... scopes) { | ||
| return this.authorizationManagerFactory.hasAllAuthorities(this.mappedScopes(scopes)); | ||
| } | ||
|
|
||
| private String[] mappedScopes(String... scopes) { | ||
| Assert.notNull(scopes, "scopes can not be null"); | ||
| String[] mappedScopes = new String[scopes.length]; | ||
| for (int i = 0; i < scopes.length; i++) { | ||
| assertScope(scopes[i]); | ||
| mappedScopes[i] = this.scopePrefix + scopes[i]; | ||
| } | ||
| return mappedScopes; | ||
| } | ||
|
|
||
| private void assertScope(String scope) { | ||
| Assert.isTrue(!scope.startsWith(this.scopePrefix), () -> scope + " should not start with '" + this.scopePrefix | ||
| + "' since '" + this.scopePrefix | ||
| + "' is automatically prepended when using hasScope and hasAnyScope. Consider using AuthorizationManagerFactory#hasAuthority or #hasAnyAuthority instead."); | ||
| } | ||
|
|
||
| } | ||
95 changes: 95 additions & 0 deletions
95
...springframework/security/oauth2/core/authorization/OAuth2AuthorizationManagerFactory.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| /* | ||
| * Copyright 2025-present the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.core.authorization; | ||
|
|
||
| import org.springframework.security.authorization.AuthorizationManager; | ||
| import org.springframework.security.core.Authentication; | ||
|
|
||
| /** | ||
| * A factory for creating different kinds of {@link AuthorizationManager} instances. | ||
| * | ||
| * @param <T> the type of object that the authorization check is being done on | ||
| * @author Ngoc Nhan | ||
| * @since 7.1 | ||
| */ | ||
| public interface OAuth2AuthorizationManagerFactory<T> { | ||
|
|
||
| /** | ||
| * Create an {@link AuthorizationManager} that requires an {@link Authentication} to | ||
| * have a {@code SCOPE_scope} authority. | ||
| * | ||
| * <p> | ||
| * For example, if you call {@code hasScope("read")}, then this will require that each | ||
| * authentication have a {@link org.springframework.security.core.GrantedAuthority} | ||
| * whose value is {@code SCOPE_read}. | ||
| * | ||
| * <p> | ||
| * This would equivalent to calling | ||
| * {@code AuthorityAuthorizationManager#hasAuthority("SCOPE_read")}. | ||
| * @param scope the scope value to require | ||
| * @return an {@link AuthorizationManager} that requires a {@code "SCOPE_scope"} | ||
| * authority | ||
| */ | ||
| default AuthorizationManager<T> hasScope(String scope) { | ||
| return OAuth2AuthorizationManagers.hasScope(scope); | ||
| } | ||
|
|
||
| /** | ||
| * Create an {@link AuthorizationManager} that requires an {@link Authentication} to | ||
| * have at least one authority among {@code SCOPE_scope1}, {@code SCOPE_scope2}, ... | ||
| * {@code SCOPE_scopeN}. | ||
| * | ||
| * <p> | ||
| * For example, if you call {@code hasAnyScope("read", "write")}, then this will | ||
| * require that each authentication have at least a | ||
| * {@link org.springframework.security.core.GrantedAuthority} whose value is either | ||
| * {@code SCOPE_read} or {@code SCOPE_write}. | ||
| * | ||
| * <p> | ||
| * This would equivalent to calling | ||
| * {@code AuthorityAuthorizationManager#hasAnyAuthority("SCOPE_read", "SCOPE_write")}. | ||
| * @param scopes the scope values to allow | ||
| * @return an {@link AuthorizationManager} that requires at least one authority among | ||
| * {@code "SCOPE_scope1"}, {@code SCOPE_scope2}, ... {@code SCOPE_scopeN}. | ||
| */ | ||
| default AuthorizationManager<T> hasAnyScope(String... scopes) { | ||
| return OAuth2AuthorizationManagers.hasAnyScope(scopes); | ||
| } | ||
|
|
||
| /** | ||
| * Create an {@link AuthorizationManager} that requires an {@link Authentication} to | ||
| * have all authorities {@code SCOPE_scope1}, {@code SCOPE_scope2}, ... | ||
| * {@code SCOPE_scopeN}. | ||
| * | ||
| * <p> | ||
| * For example, if you call {@code hasAllScopes("read", "write")}, then each | ||
| * {@link org.springframework.security.core.Authentication} must have all | ||
| * {@link org.springframework.security.core.GrantedAuthority} values of | ||
| * {@code SCOPE_read} and {@code SCOPE_write}. | ||
| * | ||
| * <p> | ||
| * This would be equivalent to calling | ||
| * {@code AllAuthoritiesAuthorizationManager#hasAllAuthorities("SCOPE_read", "SCOPE_write")}. | ||
| * @param scopes the scope values to require | ||
| * @return an {@link AuthorizationManager} that requires all authorities | ||
| * {@code SCOPE_scope1}, {@code SCOPE_scope2}, ... {@code SCOPE_scopeN}. | ||
| */ | ||
| default AuthorizationManager<T> hasAllScopes(String... scopes) { | ||
| return OAuth2AuthorizationManagers.hasAllScopes(scopes); | ||
| } | ||
|
|
||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
108 changes: 108 additions & 0 deletions
108
...gframework/security/oauth2/core/authorization/OAuth2AuthorizationManagerFactoryTests.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| /* | ||
| * Copyright 2025-present the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.core.authorization; | ||
|
|
||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| import org.springframework.security.authentication.TestingAuthenticationToken; | ||
| import org.springframework.security.authorization.AuthorityAuthorizationManager; | ||
| import org.springframework.security.authorization.AuthorizationManager; | ||
| import org.springframework.security.authorization.AuthorizationManagerFactories; | ||
| import org.springframework.security.authorization.AuthorizationResult; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
|
|
||
| /** | ||
| * Tests for {@link OAuth2AuthorizationManagerFactory}. | ||
| * | ||
| * @author Ngoc Nhan | ||
| */ | ||
| public class OAuth2AuthorizationManagerFactoryTests { | ||
|
|
||
| private static final String MSG_READ = "message:read"; | ||
|
|
||
| private static final String MSG_WRITE = "message:write"; | ||
|
|
||
| private static final String SCOPE_MSG_READ = "SCOPE_message:read"; | ||
|
|
||
| private static final String SCOPE_MSG_WRITE = "SCOPE_message:write"; | ||
|
|
||
| @Test | ||
| public void hasScopeReturnsAuthorityAuthorizationManagerByDefault() { | ||
| OAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>(); | ||
| AuthorizationManager<String> authorizationManager = factory.hasScope(MSG_READ); | ||
| assertThat(authorizationManager).isInstanceOf(AuthorityAuthorizationManager.class); | ||
| } | ||
|
|
||
| @Test | ||
| public void hasAnyScopeReturnsAuthorityAuthorizationManagerByDefault() { | ||
| OAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>(); | ||
| AuthorizationManager<String> authorizationManager = factory.hasAnyScope(MSG_READ, MSG_WRITE); | ||
| assertThat(authorizationManager).isInstanceOf(AuthorityAuthorizationManager.class); | ||
| } | ||
|
|
||
| @Test | ||
| public void hasAllScopesReturnsAuthorityAuthorizationManagerByDefault() { | ||
| OAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>(); | ||
| AuthorizationManager<String> authorizationManager = factory.hasAnyScope(MSG_READ, MSG_WRITE); | ||
| assertThat(authorizationManager).isInstanceOf(AuthorityAuthorizationManager.class); | ||
| } | ||
|
|
||
| @Test | ||
| public void hasScopeWhenSetAuthorizationManagerFactories() { | ||
| DefaultOAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>( | ||
| AuthorizationManagerFactories.<String>multiFactor().requireFactors(SCOPE_MSG_READ).build()); | ||
| assertUserGranted(factory.hasScope(MSG_READ), SCOPE_MSG_READ); | ||
| assertUserDenied(factory.hasScope(MSG_WRITE), SCOPE_MSG_READ); | ||
| } | ||
|
|
||
| @Test | ||
| public void hasAnyScopeWhenSetAuthorizationManagerFactories() { | ||
| DefaultOAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>( | ||
| AuthorizationManagerFactories.<String>multiFactor().requireFactors(SCOPE_MSG_READ).build()); | ||
| assertUserGranted(factory.hasAnyScope(MSG_READ), SCOPE_MSG_READ); | ||
| assertUserDenied(factory.hasAnyScope(MSG_WRITE), SCOPE_MSG_READ); | ||
| } | ||
|
|
||
| @Test | ||
| public void hasAllScopesWhenSetAuthorizationManagerFactories() { | ||
| DefaultOAuth2AuthorizationManagerFactory<String> factory = new DefaultOAuth2AuthorizationManagerFactory<>( | ||
| AuthorizationManagerFactories.<String>multiFactor() | ||
| .requireFactors(SCOPE_MSG_READ, SCOPE_MSG_WRITE) | ||
| .build()); | ||
| assertUserGranted(factory.hasAllScopes(MSG_READ, MSG_WRITE), SCOPE_MSG_READ, SCOPE_MSG_WRITE); | ||
| assertUserDenied(factory.hasAllScopes(MSG_READ, MSG_WRITE), SCOPE_MSG_READ); | ||
| } | ||
|
|
||
| private void assertUserGranted(AuthorizationManager<String> manager, String... authorities) { | ||
| AuthorizationResult authorizationResult = createAuthorizationResult(manager, authorities); | ||
| assertThat(authorizationResult).isNotNull(); | ||
| assertThat(authorizationResult.isGranted()).isTrue(); | ||
| } | ||
|
|
||
| private void assertUserDenied(AuthorizationManager<String> manager, String... authorities) { | ||
| AuthorizationResult authorizationResult = createAuthorizationResult(manager, authorities); | ||
| assertThat(authorizationResult).isNotNull(); | ||
| assertThat(authorizationResult.isGranted()).isFalse(); | ||
| } | ||
|
|
||
| private AuthorizationResult createAuthorizationResult(AuthorizationManager<String> manager, String... authorities) { | ||
| TestingAuthenticationToken authenticatedUser = new TestingAuthenticationToken("user", "pass", authorities); | ||
| return manager.authorize(() -> authenticatedUser, ""); | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will you please add
hasAllScopes? It can callAuthorizationManagerFactory#hasAllAuthorities