Polish ReactiveMethodSecurity Support

- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableReactiveMethodSecurity.java

@@ -75,6 +75,6 @@
 	 * used.
 	 * @since 5.8
 	 */
-	boolean authorizationManager() default false;
+	boolean useAuthorizationManager() default false;
 
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java

@@ -45,35 +45,31 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration {
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
-		PreFilterAuthorizationReactiveMethodInterceptor preFilter = new PreFilterAuthorizationReactiveMethodInterceptor();
-		preFilter.setExpressionHandler(expressionHandler);
-		return preFilter;
+		return new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
-		PreAuthorizeReactiveAuthorizationManager authorizationManager = new PreAuthorizeReactiveAuthorizationManager();
-		authorizationManager.setExpressionHandler(expressionHandler);
+		PreAuthorizeReactiveAuthorizationManager authorizationManager = new PreAuthorizeReactiveAuthorizationManager(
+				expressionHandler);
 		return AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(authorizationManager);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
-		PostFilterAuthorizationReactiveMethodInterceptor postFilter = new PostFilterAuthorizationReactiveMethodInterceptor();
-		postFilter.setExpressionHandler(expressionHandler);
-		return postFilter;
+		return new PostFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor(
 			MethodSecurityExpressionHandler expressionHandler) {
-		PostAuthorizeReactiveAuthorizationManager authorizationManager = new PostAuthorizeReactiveAuthorizationManager();
-		authorizationManager.setExpressionHandler(expressionHandler);
+		PostAuthorizeReactiveAuthorizationManager authorizationManager = new PostAuthorizeReactiveAuthorizationManager(
+				expressionHandler);
 		return AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(authorizationManager);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecuritySelector.java

@@ -44,7 +44,7 @@ public String[] selectImports(AnnotationMetadata importMetadata) {
 		EnableReactiveMethodSecurity annotation = importMetadata.getAnnotations()
 				.get(EnableReactiveMethodSecurity.class).synthesize();
 		List<String> imports = new ArrayList<>(Arrays.asList(this.autoProxy.selectImports(importMetadata)));
-		if (annotation.authorizationManager()) {
+		if (annotation.useAuthorizationManager()) {
 			imports.add(ReactiveAuthorizationManagerMethodSecurityConfiguration.class.getName());
 		}
 		else {

config/src/test/java/org/springframework/security/config/annotation/method/configuration/DelegatingReactiveMessageService.java

@@ -112,6 +112,11 @@ public Flux<String> fluxManyAnnotations(Flux<String> flux) {
 		return flux;
 	}
 
+	@PostFilter("filterObject.length > 5")
+	public Flux<String> fluxPostFilter(Flux<String> flux) {
+		return flux;
+	}
+
 	@Override
 	public Publisher<String> publisherFindById(long id) {
 		return this.delegate.publisherFindById(id);

config/src/test/java/org/springframework/security/config/annotation/method/configuration/EnableAuthorizationManagerReactiveMethodSecurityTests.java

@@ -42,7 +42,7 @@
 
 /**
  * Tests for {@link EnableReactiveMethodSecurity} with the
- * {@link EnableReactiveMethodSecurity#authorizationManager()} flag set to true.
+ * {@link EnableReactiveMethodSecurity#useAuthorizationManager()} flag set to true.
  *
  * @author Evgeniy Cheban
  */
@@ -79,8 +79,7 @@ public void notPublisherPreAuthorizeFindByIdThenThrowsIllegalStateException() {
 				.withMessage("The returnType class java.lang.String on public abstract java.lang.String "
 						+ "org.springframework.security.config.annotation.method.configuration.ReactiveMessageService"
 						+ ".notPublisherPreAuthorizeFindById(long) must return an instance of org.reactivestreams"
-						+ ".Publisher (i.e. Mono / Flux) or the function must be a Kotlin coroutine "
-						+ "function in order to support Reactor Context");
+						+ ".Publisher (for example, a Mono or Flux) in order to support Reactor Context");
 	}
 
 	@Test
@@ -340,6 +339,13 @@ public void fluxManyAnnotationsWhenNameNotAllowedThenFails() {
 		StepVerifier.create(flux).expectNext("harold", "jonathan").expectError(AccessDeniedException.class).verify();
 	}
 
+	@Test
+	public void fluxPostFilterWhenFilteringThenWorks() {
+		Flux<String> flux = this.messageService.fluxPostFilter(Flux.just("harold", "jonathan", "michael", "pete", "bo"))
+				.contextWrite(this.withAdmin);
+		StepVerifier.create(flux).expectNext("harold", "jonathan", "michael").verifyComplete();
+	}
+
 	// Publisher tests
 	@Test
 	public void publisherWhenPermitAllThenAopDoesNotSubscribe() {
@@ -458,7 +464,7 @@ static <T> Publisher<T> publisherJust(T... data) {
 		return publisher(Flux.just(data));
 	}
 
-	@EnableReactiveMethodSecurity(authorizationManager = true)
+	@EnableReactiveMethodSecurity(useAuthorizationManager = true)
 	static class Config {
 
 		ReactiveMessageService delegate = mock(ReactiveMessageService.class);

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMessageService.java

@@ -48,6 +48,8 @@ public interface ReactiveMessageService {
 
 	Flux<String> fluxManyAnnotations(Flux<String> flux);
 
+	Flux<String> fluxPostFilter(Flux<String> flux);
+
 	Publisher<String> publisherFindById(long id);
 
 	Publisher<String> publisherPreAuthorizeHasRoleFindById(long id);

core/src/main/java/org/springframework/security/access/prepost/PrePostAdviceReactiveMethodInterceptor.java

@@ -52,7 +52,12 @@
  * @author Rob Winch
  * @author Eleftheria Stein
  * @since 5.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor}
+ * or
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor}
  */
+@Deprecated
 public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor {
 
 	private Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymous",