Revise AuthorizationAnnotationUtils
#14407
Merged
Overview

This commit revises `AuthorizationAnnotationUtils` as follows.

- Removes code duplication by treating both `Class` and `Method` as `AnnotatedElement`.
- Avoids duplicated annotation searches by processing merged annotations in a single Stream instead of first using the `MergedAnnotations` API to find possible duplicates and then again searching for a single annotation via `AnnotationUtils` (which effectively performs the same search using the `MergedAnnotations` API internally).
- Uses `.distinct()` within the Stream to avoid the need for the workaround introduced in AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #13625. Note that the semantics here result in duplicate "equivalent" annotations being ignored. In other words, if `@PreAuthorize("hasRole('someRole')")` is present multiple times as a meta-annotation, no exception will be thrown and the first such annotation found will be used.
- Improves the error message when competing annotations are found by including the competing annotations in the error message.
- Updates `AuthorizationAnnotationUtilsTests` to cover all known, supported use cases.
- Configures correct role in `@RequireUserRole`.

Please note this commit uses `.map(MergedAnnotation::withNonMergedAttributes)` to retain backward compatibility with previous versions of Spring Security. However, that line can be deleted if the Spring Security team decides that it wishes to support merged annotation attributes via custom composed annotations. If that decision is made, the `composedMergedAnnotationsAreNotSupported()` test should be renamed and updated as explained in the comment in that method.

Related Issues

- `MergedAnnotations` finds duplicate annotations on method in multi-level interface hierarchy spring-framework#31803
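The `.distinct()` semantics described above, as an added example that is not code from this pull request or from Spring Security: equivalent authorization annotations collapse to one, while competing ones fail with both listed in the message. It assumes a simplified stand-in `@Authorize` annotation and hypothetical `search`/`findUnique` helpers, uses plain JDK reflection rather than the `MergedAnnotations` API, and only looks at an element's own annotations and meta-annotations (no class or interface hierarchy).

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.AnnotatedElement;
import java.util.*;
import java.util.stream.*;

public class UniqueAuthzAnnotationDemo {
    // Hypothetical stand-in for @PreAuthorize, defined here so the demo needs only the JDK.
    @Retention(RetentionPolicy.RUNTIME) @interface Authorize { String value(); }

    // Constructed composed annotations: two carry the same rule, one a different rule.
    @Retention(RetentionPolicy.RUNTIME) @Authorize("hasRole('USER')") @interface RequireUser {}
    @Retention(RetentionPolicy.RUNTIME) @Authorize("hasRole('USER')") @interface AlsoRequireUser {}
    @Retention(RetentionPolicy.RUNTIME) @Authorize("hasRole('ADMIN')") @interface RequireAdmin {}

    static class Service {
        @RequireUser @AlsoRequireUser void equivalent() {}
        @RequireUser @RequireAdmin void competing() {}
        void unannotated() {}
    }

    // Depth-first search for directly present and meta-present annotations of the given type.
    // The 'seen' set stops cycles such as @Retention being annotated with @Retention.
    static <A extends Annotation> Stream<A> search(AnnotatedElement el, Class<A> type, Set<Class<?>> seen) {
        return Arrays.stream(el.getDeclaredAnnotations()).flatMap(a -> {
            if (type.isInstance(a)) return Stream.of(type.cast(a));
            Class<? extends Annotation> metaSource = a.annotationType();
            return seen.add(metaSource) ? search(metaSource, type, seen) : Stream.<A>empty();
        });
    }

    // Annotation.equals() compares type and attribute values, so distinct() drops equivalent
    // duplicates; anything left beyond one element is a genuine conflict between rules.
    static <A extends Annotation> A findUnique(AnnotatedElement el, Class<A> type) {
        List<A> found = search(el, type, new HashSet<>()).distinct().collect(Collectors.toList());
        if (found.size() > 1) {
            throw new IllegalStateException("Found " + found.size() + " competing @"
                    + type.getSimpleName() + " annotations on " + el + ": " + found);
        }
        return found.isEmpty() ? null : found.get(0);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(findUnique(Service.class.getDeclaredMethod("equivalent"), Authorize.class).value());
        System.out.println(findUnique(Service.class.getDeclaredMethod("unannotated"), Authorize.class));
        try { findUnique(Service.class.getDeclaredMethod("competing"), Authorize.class); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Failing closed on competing rules matters here: silently picking one of two different authorization expressions would make the effective access check depend on annotation ordering.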