Skip to content

Add ExpressionTemplateValueProvider #17448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+95 −0
Open

Add ExpressionTemplateValueProvider #17448

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions ...springframework/security/core/annotation/ExpressionTemplateSecurityAnnotationScanner.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,12 +57,17 @@
* {@code @HasRole} annotation found on a given {@link AnnotatedElement}.
*
* <p>
* Meta-annotations that use enum values can use {@link ExpressionTemplateValueProvider} to
* provide custom placeholder values.
*
* <p>
* Since the process of synthesis is expensive, it is recommended to cache the synthesized
* result to prevent multiple computations.
*
* @param <A> the annotation to search for and synthesize
* @author Josh Cummings
* @author DingHao
* @author Mike Heath
* @since 6.4
*/
final class ExpressionTemplateSecurityAnnotationScanner<A extends Annotation>
Expand All @@ -72,6 +77,7 @@ final class ExpressionTemplateSecurityAnnotationScanner<A extends Annotation>

static {
conversionService.addConverter(new ClassToStringConverter());
conversionService.addConverter(new ExpressionTemplateValueProviderConverter());
}

private final Class<A> type;
Expand Down Expand Up @@ -160,4 +166,18 @@ public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor t

}

static class ExpressionTemplateValueProviderConverter implements GenericConverter {

@Override
public Set<ConvertiblePair> getConvertibleTypes() {
return Collections.singleton(new ConvertiblePair(ExpressionTemplateValueProvider.class, String.class));
}

@Override
public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor targetType) {
return (source != null) ? ((ExpressionTemplateValueProvider)source).getExpressionTemplateValue() : null;
}

}

}
35 changes: 35 additions & 0 deletions ...in/java/org/springframework/security/core/annotation/ExpressionTemplateValueProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
package org.springframework.security.core.annotation;

/**
* Provides a mechanism for providing custom values from enum types used in security
* meta-annotation expressions. For example:
*
* <pre>
* enum Permission implements ExpressionTemplateValueProvider {
* READ,
* WRITE;
*
* &#64;Override
* public String getExpressionTemplateValue() {
* return switch (this) {
* case READ -> "user.permission-read";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While not a guarantee, I imagine that most folks will want to inject a value as a string, which will mean applying single quotes around it. Because it won't work to do '{permissions}' in an expression, it seems preferable to always surround the value in single quotes, thus allowing a template to do {permissions} or {permission} and still have the template compile.

If you agree with that, will you please place single quotes around each returned value?

* case WRITE -> "user.permission-write";
* }
* }
*
* }
* </pre>
*
* @since 6.5
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you update this to 7.0 now that that's the target release?

* @author Mike Heath
*/
public interface ExpressionTemplateValueProvider {

/**
* Returns the value to be used in an expression template.
*
* @return the value to be used in an expression template
*/
String getExpressionTemplateValue();

}
40 changes: 40 additions & 0 deletions ...gframework/security/core/annotation/ExpressionTemplateSecurityAnnotationScannerTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,43 @@ void parseMultipleMetaSourceAnnotationParameterWithAliasFor() throws Exception {
assertThat(preAuthorize.value()).isEqualTo("check(#name)");
}

@Test
void parseMetaSourceAnnotationWithEnumImplementingExpressionTemplateValueProvider() throws Exception {
Method method = MessageService.class.getDeclaredMethod("process");
PreAuthorize preAuthorize = this.scanner.scan(method, method.getDeclaringClass());
assertThat(preAuthorize.value()).isEqualTo("hasAnyAuthority(user.READ,user.WRITE)");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The resulting expression may not be useful since SpEL may try and interpret user as a method on the root object. I think it should be:

hasAnyAuthority('user.READ','user.WRITE')

which I believe you can achieve by placing single quotes in Permission#getExpressionTemplateValue

}

enum Permission implements ExpressionTemplateValueProvider {
READ,
WRITE;

@Override
public String getExpressionTemplateValue() {
return switch (this) {
case READ -> "user.READ";
case WRITE -> "user.WRITE";
};
}
}

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD })
@PreAuthorize("hasAnyAuthority({permissions})")
@interface HasAnyCustomPermissions {

Permission[] permissions();

}

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD })
@HasAnyCustomPermissions(permissions = { Permission.READ, Permission.WRITE })
@interface HasAllCustomPermissions {
}

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD })
Expand Down Expand Up @@ -86,6 +123,9 @@ void parseMultipleMetaSourceAnnotationParameterWithAliasFor() throws Exception {

private interface MessageService {

@HasAllCustomPermissions
void process();

@HasReadPermission("#name")
String sayHello(String name);

Expand Down
Loading