spring-projects · evgeniycheban · Apr 18, 2025 · franticticktick · Apr 22, 2025 · evgeniycheban
diff --git a/...work/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java b/...work/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,6 +85,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.doCallRealMethod;
@@ -153,6 +154,7 @@ public void configureWhenMvcMatcherAfterAnyRequestThenException() {
 	@Test
 	public void configureMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
 		CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class);
+		given(CustomAuthorizationManagerConfig.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.spring.register(CustomAuthorizationManagerConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/")).andExpect(status().isOk());
 		verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any());
@@ -161,6 +163,8 @@ public void configureMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUs
 	@Test
 	public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
 		CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class);
+		given(CustomAuthorizationManagerNoParameterConfig.authorizationManager.authorize(any(), any()))
+			.willCallRealMethod();
 		this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/")).andExpect(status().isOk());
 		verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any());

diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,9 +39,9 @@ public interface AuthorizationManager<T> {
 	 * @throws AccessDeniedException if access is not granted
 	 */
 	default void verify(Supplier<Authentication> authentication, T object) {
-		AuthorizationDecision decision = check(authentication, object);
-		if (decision != null && !decision.isGranted()) {
-			throw new AuthorizationDeniedException("Access Denied", decision);
+		AuthorizationResult result = authorize(authentication, object);
+		if (result != null && !result.isGranted()) {
+			throw new AuthorizationDeniedException("Access Denied", result);
 		}
 	}
 

diff --git a/...main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java b/...main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -67,20 +67,33 @@ public ObservationAuthorizationManager(ObservationRegistry registry, Authorizati
 	@Deprecated
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
+		AuthorizationResult result = authorize(authentication, object);
+		if (result == null) {
+			return null;
+		}
+		if (result instanceof AuthorizationDecision decision) {
+			return decision;
+		}
+		throw new IllegalArgumentException(
+				"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
+	}
+
+	@Override
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
 		AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);
 		Supplier<Authentication> wrapped = () -> {
 			context.setAuthentication(authentication.get());
 			return context.getAuthentication();
 		};
 		Observation observation = Observation.createNotStarted(this.convention, () -> context, this.registry).start();
 		try (Observation.Scope scope = observation.openScope()) {
-			AuthorizationDecision decision = this.delegate.check(wrapped, object);
-			context.setAuthorizationResult(decision);
-			if (decision != null && !decision.isGranted()) {
+			AuthorizationResult result = this.delegate.authorize(wrapped, object);
+			context.setAuthorizationResult(result);
+			if (result != null && !result.isGranted()) {
 				observation.error(new AccessDeniedException(
 						this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access Denied")));
 			}
-			return decision;
+			return result;
 		}
 		catch (Throwable ex) {
 			observation.error(ex);

diff --git a/...java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java b/...java/org/springframework/security/authorization/ObservationAuthorizationManagerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -74,6 +74,7 @@ void setup() {
 	void verifyWhenDefaultsThenObserves() {
 		given(this.handler.supportsContext(any())).willReturn(true);
 		given(this.authorizationManager.check(any(), any())).willReturn(this.grant);
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.tested.verify(this.token, this.object);
 		ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
 		verify(this.handler).onStart(captor.capture());
@@ -92,6 +93,7 @@ void verifyWhenErrorsThenObserves() {
 		this.tested.setMessageSource(source);
 		given(this.handler.supportsContext(any())).willReturn(true);
 		given(this.authorizationManager.check(any(), any())).willReturn(this.deny);
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(source.getMessage(eq("AbstractAccessDecisionManager.accessDenied"), any(), any(), any()))
 			.willReturn("accessDenied");
 		assertThatExceptionOfType(AccessDeniedException.class)
@@ -116,6 +118,7 @@ void verifyWhenLooksUpAuthenticationThenObserves() {
 			((Supplier<Authentication>) invocation.getArgument(0)).get();
 			return this.grant;
 		});
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.tested.verify(this.token, this.object);
 		ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
 		verify(this.handler).onStart(captor.capture());

diff --git a/...ork/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java b/...ork/security/messaging/access/intercept/MessageMatcherDelegatingAuthorizationManager.java
@@ -30,6 +30,7 @@
 import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
@@ -63,11 +64,24 @@ private MessageMatcherDelegatingAuthorizationManager(
 	 * @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher}
 	 * matching the message, or the {@link AuthorizationManager} could not decide, then
 	 * null is returned
-	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
+	 * @deprecated please use {@link #authorize(Supplier, Message)} instead
 	 */
 	@Deprecated
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, Message<?> message) {
+		AuthorizationResult result = authorize(authentication, message);
+		if (result == null) {
+			return null;
+		}
+		if (result instanceof AuthorizationDecision decision) {
+			return decision;
+		}
+		throw new IllegalArgumentException(
+				"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
+	}
+
+	@Override
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, Message<?> message) {
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace(LogMessage.format("Authorizing message"));
 		}
@@ -79,7 +93,7 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Mess
 				if (this.logger.isTraceEnabled()) {
 					this.logger.trace(LogMessage.format("Checking authorization on message using %s", manager));
 				}
-				return manager.check(authentication, authorizationContext);
+				return manager.authorize(authentication, authorizationContext);
 			}
 		}
 		this.logger.trace("Abstaining since did not find matching MessageMatcher");

diff --git a/...framework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java b/...framework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
@@ -30,6 +30,7 @@
 import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.util.UrlUtils;
@@ -69,11 +70,24 @@ private RequestMatcherDelegatingAuthorizationManager(
 	 * @return an {@link AuthorizationDecision}. If there is no {@link RequestMatcher}
 	 * matching the request, or the {@link AuthorizationManager} could not decide, then
 	 * null is returned
-	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
+	 * @deprecated please use {@link #authorize(Supplier, HttpServletRequest)} instead
 	 */
 	@Deprecated
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, HttpServletRequest request) {
+		AuthorizationResult result = authorize(authentication, request);
+		if (result == null) {
+			return null;
+		}
+		if (result instanceof AuthorizationDecision decision) {
+			return decision;
+		}
+		throw new IllegalArgumentException(
+				"Please call #authorize or ensure that the returned result is of type AuthorizationDecision");
+	}
+
+	@Override
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, HttpServletRequest request) {
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace(LogMessage.format("Authorizing %s", requestLine(request)));
 		}
@@ -87,7 +101,7 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Http
 					this.logger.trace(
 							LogMessage.format("Checking authorization on %s using %s", requestLine(request), manager));
 				}
-				return manager.check(authentication,
+				return manager.authorize(authentication,
 						new RequestAuthorizationContext(request, matchResult.getVariables()));
 			}
 		}