Pass Defaults Class to Managers

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -45,7 +45,7 @@
 import org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor;
-import org.springframework.security.config.authorization.PrePostMethodSecurityDefaults;
+import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -69,15 +69,15 @@ final class PrePostMethodSecurityConfiguration implements ImportAware {
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor preFilterAuthorizationMethodInterceptor(
 			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
-			ObjectProvider<PrePostMethodSecurityDefaults> methodSecurityDefaultsProvider,
+			ObjectProvider<PrePostTemplateDefaults> methodSecurityDefaultsProvider,
 			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
 			ObjectProvider<RoleHierarchy> roleHierarchyProvider, PrePostMethodSecurityConfiguration configuration,
 			ApplicationContext context) {
 		PreFilterAuthorizationMethodInterceptor preFilter = new PreFilterAuthorizationMethodInterceptor();
 		preFilter.setOrder(preFilter.getOrder() + configuration.interceptorOrderOffset);
 		strategyProvider.ifAvailable(preFilter::setSecurityContextHolderStrategy);
-		methodSecurityDefaultsProvider.ifAvailable((defaults) -> preFilter.setUseTemplates(defaults.isUseTemplates()));
+		methodSecurityDefaultsProvider.ifAvailable(preFilter::setTemplateDefaults);
 		preFilter.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
 				defaultsProvider, roleHierarchyProvider, context));
 		return preFilter;
@@ -87,14 +87,14 @@ static MethodInterceptor preFilterAuthorizationMethodInterceptor(
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor(
 			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
-			ObjectProvider<PrePostMethodSecurityDefaults> methodSecurityDefaultsProvider,
+			ObjectProvider<PrePostTemplateDefaults> methodSecurityDefaultsProvider,
 			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
 			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
 			ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
 			PrePostMethodSecurityConfiguration configuration, ApplicationContext context) {
 		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
-		methodSecurityDefaultsProvider.ifAvailable((defaults) -> manager.setUseTemplates(defaults.isUseTemplates()));
+		methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
 		manager.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
 				defaultsProvider, roleHierarchyProvider, context));
 		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
@@ -109,14 +109,14 @@ static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor(
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
-			ObjectProvider<PrePostMethodSecurityDefaults> methodSecurityDefaultsProvider,
+			ObjectProvider<PrePostTemplateDefaults> methodSecurityDefaultsProvider,
 			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
 			ObjectProvider<AuthorizationEventPublisher> eventPublisherProvider,
 			ObjectProvider<ObservationRegistry> registryProvider, ObjectProvider<RoleHierarchy> roleHierarchyProvider,
 			PrePostMethodSecurityConfiguration configuration, ApplicationContext context) {
 		PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
-		methodSecurityDefaultsProvider.ifAvailable((defaults) -> manager.setUseTemplates(defaults.isUseTemplates()));
+		methodSecurityDefaultsProvider.ifAvailable(manager::setTemplateDefaults);
 		manager.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
 				defaultsProvider, roleHierarchyProvider, context));
 		AuthorizationManagerAfterMethodInterceptor postAuthorize = AuthorizationManagerAfterMethodInterceptor
@@ -131,15 +131,15 @@ static MethodInterceptor postAuthorizeAuthorizationMethodInterceptor(
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static MethodInterceptor postFilterAuthorizationMethodInterceptor(
 			ObjectProvider<GrantedAuthorityDefaults> defaultsProvider,
-			ObjectProvider<PrePostMethodSecurityDefaults> methodSecurityDefaultsProvider,
+			ObjectProvider<PrePostTemplateDefaults> methodSecurityDefaultsProvider,
 			ObjectProvider<MethodSecurityExpressionHandler> expressionHandlerProvider,
 			ObjectProvider<SecurityContextHolderStrategy> strategyProvider,
 			ObjectProvider<RoleHierarchy> roleHierarchyProvider, PrePostMethodSecurityConfiguration configuration,
 			ApplicationContext context) {
 		PostFilterAuthorizationMethodInterceptor postFilter = new PostFilterAuthorizationMethodInterceptor();
 		postFilter.setOrder(postFilter.getOrder() + configuration.interceptorOrderOffset);
 		strategyProvider.ifAvailable(postFilter::setSecurityContextHolderStrategy);
-		methodSecurityDefaultsProvider.ifAvailable((defaults) -> postFilter.setUseTemplates(defaults.isUseTemplates()));
+		methodSecurityDefaultsProvider.ifAvailable(postFilter::setTemplateDefaults);
 		postFilter.setExpressionHandler(new DeferringMethodSecurityExpressionHandler(expressionHandlerProvider,
 				defaultsProvider, roleHierarchyProvider, context));
 		return postFilter;

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -36,7 +36,7 @@
 import org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor;
-import org.springframework.security.config.authorization.PrePostMethodSecurityDefaults;
+import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 
 /**
@@ -52,22 +52,22 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration {
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
-			ObjectProvider<PrePostMethodSecurityDefaults> defaultsObjectProvider) {
+			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider) {
 		PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable((defaults) -> interceptor.setUseTemplates(defaults.isUseTemplates()));
+		defaultsObjectProvider.ifAvailable(interceptor::setTemplateDefaults);
 		return interceptor;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
-			ObjectProvider<PrePostMethodSecurityDefaults> defaultsObjectProvider,
+			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider,
 			ObjectProvider<ObservationRegistry> registryProvider) {
 		PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable((defaults) -> manager.setUseTemplates(defaults.isUseTemplates()));
+		defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults);
 		ReactiveAuthorizationManager<MethodInvocation> authorizationManager = manager(manager, registryProvider);
 		return AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(authorizationManager);
 	}
@@ -76,23 +76,23 @@ static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeIntercept
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
-			ObjectProvider<PrePostMethodSecurityDefaults> defaultsObjectProvider) {
+			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider) {
 		PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(
 				expressionHandler);
-		defaultsObjectProvider.ifAvailable((defaults) -> interceptor.setUseTemplates(defaults.isUseTemplates()));
+		defaultsObjectProvider.ifAvailable(interceptor::setTemplateDefaults);
 		return interceptor;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor(
 			MethodSecurityExpressionHandler expressionHandler,
-			ObjectProvider<PrePostMethodSecurityDefaults> defaultsObjectProvider,
+			ObjectProvider<PrePostTemplateDefaults> defaultsObjectProvider,
 			ObjectProvider<ObservationRegistry> registryProvider) {
 		PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(
 				expressionHandler);
 		ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager = manager(manager, registryProvider);
-		defaultsObjectProvider.ifAvailable((defaults) -> manager.setUseTemplates(defaults.isUseTemplates()));
+		defaultsObjectProvider.ifAvailable(manager::setTemplateDefaults);
 		return AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(authorizationManager);
 	}
 

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -61,8 +61,8 @@
 import org.springframework.security.authorization.method.AuthorizationInterceptorsOrder;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
+import org.springframework.security.authorization.method.PrePostTemplateDefaults;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
-import org.springframework.security.config.authorization.PrePostMethodSecurityDefaults;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
@@ -970,10 +970,8 @@ Authz authz() {
 	static class MetaAnnotationPlaceholderConfig {
 
 		@Bean
-		PrePostMethodSecurityDefaults methodSecurityDefaults() {
-			PrePostMethodSecurityDefaults defaults = new PrePostMethodSecurityDefaults();
-			defaults.setUseTemplates(true);
-			return defaults;
+		PrePostTemplateDefaults methodSecurityDefaults() {
+			return new PrePostTemplateDefaults();
 		}
 
 		@Bean

core/src/main/java/org/springframework/security/authorization/method/AbstractExpressionAttributeRegistry.java

@@ -43,7 +43,7 @@ abstract class AbstractExpressionAttributeRegistry<T extends ExpressionAttribute
 
 	private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 
-	private boolean useTemplates;
+	private PrePostTemplateDefaults defaults;
 
 	/**
 	 * Returns an {@link ExpressionAttribute} for the {@link MethodInvocation}.
@@ -69,7 +69,7 @@ final T getAttribute(Method method, Class<?> targetClass) {
 	}
 
 	final <A extends Annotation> Function<AnnotatedElement, A> findUniqueAnnotation(Class<A> type) {
-		return (this.useTemplates) ? AuthorizationAnnotationUtils.withTemplateResolver(type)
+		return (this.defaults != null) ? AuthorizationAnnotationUtils.withDefaults(type, this.defaults)
 				: AuthorizationAnnotationUtils.withDefaults(type);
 	}
 
@@ -86,8 +86,8 @@ void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) {
 		this.expressionHandler = expressionHandler;
 	}
 
-	void setUseTemplates(boolean useTemplates) {
-		this.useTemplates = useTemplates;
+	void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.defaults = defaults;
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java

@@ -56,12 +56,14 @@
  */
 final class AuthorizationAnnotationUtils {
 
-	static <A extends Annotation> Function<AnnotatedElement, A> withTemplateResolver(Class<A> type) {
+	static <A extends Annotation> Function<AnnotatedElement, A> withDefaults(Class<A> type,
+			PrePostTemplateDefaults defaults) {
 		Function<MergedAnnotation<A>, A> map = (mergedAnnotation) -> {
 			if (mergedAnnotation.getMetaSource() == null) {
 				return mergedAnnotation.synthesize();
 			}
-			PropertyPlaceholderHelper helper = new PropertyPlaceholderHelper("{", "}");
+			PropertyPlaceholderHelper helper = new PropertyPlaceholderHelper("{", "}", null,
+					defaults.isIgnoreUnknown());
 			String expression = (String) mergedAnnotation.asMap().get("value");
 			Map<String, Object> annotationProperties = mergedAnnotation.getMetaSource().asMap();
 			Map<String, String> stringProperties = new HashMap<>();

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java

@@ -50,15 +50,15 @@ public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandl
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeReactiveAuthorizationManager.java

@@ -50,15 +50,15 @@ public PostAuthorizeReactiveAuthorizationManager(MethodSecurityExpressionHandler
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationMethodInterceptor.java

@@ -71,15 +71,15 @@ public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandl
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PostFilterAuthorizationReactiveMethodInterceptor.java

@@ -71,15 +71,15 @@ public PostFilterAuthorizationReactiveMethodInterceptor(MethodSecurityExpression
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java

@@ -50,15 +50,15 @@ public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandl
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeReactiveAuthorizationManager.java

@@ -49,15 +49,15 @@ public PreAuthorizeReactiveAuthorizationManager(MethodSecurityExpressionHandler
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java

@@ -72,15 +72,15 @@ public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandl
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**

core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationReactiveMethodInterceptor.java

@@ -74,15 +74,15 @@ public PreFilterAuthorizationReactiveMethodInterceptor(MethodSecurityExpressionH
 	}
 
 	/**
-	 * Activate support for resolving authorization templates with annotation parameters
+	 * Configure pre/post-authorization template resolution
 	 * <p>
-	 * By default, this value is <code>false</code>.
-	 * @param useTemplates - whether to resolve authorization templates with annotation
-	 * parameters
+	 * By default, this value is <code>null</code>, which indicates that templates should
+	 * not be resolved.
+	 * @param defaults - whether to resolve pre/post-authorization templates parameters
 	 * @since 6.3
 	 */
-	public void setUseTemplates(boolean useTemplates) {
-		this.registry.setUseTemplates(useTemplates);
+	public void setTemplateDefaults(PrePostTemplateDefaults defaults) {
+		this.registry.setTemplateDefaults(defaults);
 	}
 
 	/**