Add AuthorizationManagerFactory

[sjohnr]

This PR is a work in progress. cc: @rwinch

[rwinch]

Thanks for the updates @sjohnr! I've provided feedback inline.

[sjohnr]

@rwinch Thanks for the review! Changing the generic type of MessageSecurityExpressionRoot to Message<T> is a breaking change. Please confirm if that's something we want to do here and I will work on this and the other changes from your review.

[rwinch]

@sjohnr

@rwinch Thanks for the review! Changing the generic type of MessageSecurityExpressionRoot to Message<T> is a breaking change. Please confirm if that's something we want to do here and I will work on this and the other changes from your review.

I think that this can work if we update the constructor too. For example:

public class MessageSecurityExpressionRoot<T> extends SecurityExpressionRoot {

	public final Message<T> message;

	public MessageSecurityExpressionRoot(Authentication authentication, Message<T> message) {
	  ...
	public MessageSecurityExpressionRoot(Supplier<Authentication> authentication, Message<T> message) {
	  ...

Then this will compile:

Message<?> message = ...
MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot<>(authentication, message);

[sjohnr]

@rwinch I've working through the changes and it's looking really good. The only thing I'm noticing is that a few packages are missing nullability defaults.

• org.springframework.security.web.access.expression has a package-info.java but no @NullMarked. Is this intended or perhaps it should be addressed separately?
• org.springframework.security.messaging.access.expression is missing package-info.java along with all the other packages in spring-security-messaging.

As it stands now, classes in these packages show as having inconsistent nullability. These show up as IntelliJ inspections for me, similar to our conversation a few weeks ago. I think adding @NullMarked at the package level will address this, but if omitting that was intentional, let me know. I've added @NullMarked at the class level to show where these issues are but I will revert that after you review.

[rwinch]

This is looking great @sjohnr!

I think we are very close 😄 I provided a few minor comments inline.

Now that we are almost done, please also add documentation (using include-code).

After those are addressed, I think we will be ready to merge!

[rwinch]

Rather than exposing a getter here, I'd prefer that DefaultMethodSecurityExpressionHandler keep a copy of the TrustResolver and return that.

public class DefaultMethodSecurityExpressionHandler .... {
    ...
    public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
        this.trustResolver = trustResolver;
        getDefaultMethodSecurityExpressionHandler().setTrustResolver(trustResolver);
    }

    public AuthenticationTrustResolver getTrustResolver() {
        return this.trustResolver;
    }
}

The rational is twofold:

1. As we've seen in places like DefaultMethodSecurityExpressionHandler, exposing getters unnecessarily makes refactoring more difficult

2. The trustResolver property is deprecated and so we only need to keep the copy around until it is removed. When we remove it, I don't want to be stuck with a getter on DefaultAuthorizationManagerFactory that we only created for a deprecated property.

[rwinch]

Similar to trustResolver, I'd prefer to remove this getter and keep a copy of RoleHiearchy in the classes that need access to it.

[rwinch]

Similar to trustResolver, I'd prefer to remove this getter and keep a copy of rolePrefix in the classes that need access to it.

[rwinch]

I think that if you make the constructor for FilterInvocationExpressionRoot package-private, then you can remove RedundantModifier.

[rwinch]

I think that this makes more sense to be called HttpServletRequestExpressionRoot rather than FilterInvocationExpressionRoot (I know I proposed using FilterInvocationExpressionRoot, but seeing it shows me that it doesn't make sense - sorry about that!). It would then accept just the HttpServletRequest instance.

[rwinch]

FYI As per this comment I created gh-17781

[rwinch]

We've only added nullability for crypto and core so feel free to leave as is. We'll get the rest of the module in a different ticket commit.