SEC-2424: Document ObjectPostProcessor

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/AuthorizedRequestsWithPostProcessorConfig.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.context.ApplicationListener;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.event.AuthorizedEvent;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+
+@Configuration
+@EnableWebSecurity
+public class AuthorizedRequestsWithPostProcessorConfig extends WebSecurityConfigurerAdapter {
+    static ApplicationListener<AuthorizedEvent> AL;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .authorizeRequests()
+                .anyRequest().permitAll()
+                .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
+                    public <O extends FilterSecurityInterceptor> O postProcess(
+                            O fsi) {
+                        fsi.setPublishAuthorizationSuccess(true);
+                        return fsi;
+                    }
+                });
+    }
+
+    @Bean
+    public ApplicationListener<AuthorizedEvent> applicationListener() {
+        return AL;
+    }
+}

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy

@@ -20,7 +20,9 @@ import static org.springframework.security.config.annotation.web.configurers.Exp
 import javax.servlet.http.HttpServletResponse
 
 import org.springframework.beans.factory.BeanCreationException
+import org.springframework.context.ApplicationListener
 import org.springframework.context.annotation.Configuration
+import org.springframework.security.access.event.AuthorizedEvent
 import org.springframework.security.access.vote.AffirmativeBased
 import org.springframework.security.authentication.RememberMeAuthenticationToken
 import org.springframework.security.config.annotation.BaseSpringSpec
@@ -462,4 +464,15 @@ public class ExpressionUrlAuthorizationConfigurerTests extends BaseSpringSpec {
         then:
             noExceptionThrown()
     }
+
+    def "AuthorizedRequests withPostProcessor"() {
+        setup:
+            ApplicationListener al = Mock()
+            AuthorizedRequestsWithPostProcessorConfig.AL = al
+            loadConfig(AuthorizedRequestsWithPostProcessorConfig)
+        when:
+            springSecurityFilterChain.doFilter(request, response, chain)
+        then:
+            1 * al.onApplicationEvent(_ as AuthorizedEvent)
+    }
 }

docs/manual/src/asciidoc/index.adoc

@@ -730,6 +730,29 @@ public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 
 For additional information about methods that can be overriden, refer to the `GlobalMethodSecurityConfiguration` Javadoc.
 
+=== Post Processing Configured Objects
+
+Spring Security's Java Configuration does not expose every property of every object that it configures. This simplifies the configuration for a majority of users. Afterall, if every property was exposed, users could use standard bean configuration.
+
+While there are good reasons to not directly expose every property, users may still need more advanced configuration options. To address this Spring Security introduces the concept of an `ObjectPostProcessor` which can used to modify or replace many of the Object instances created by the Java Configuration. For example, if you wanted to configure the `filterSecurityPublishAuthorizationSuccess` property on `FilterSecurityInterceptor` you could use the following:
+
+[source,java]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+    http
+        .authorizeRequests()
+            .anyRequest().authenticated()
+            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
+                public <O extends FilterSecurityInterceptor> O postProcess(
+                        O fsi) {
+                    fsi.setPublishAuthorizationSuccess(true);
+                    return fsi;
+                }
+            });
+}
+----
+
 [[ns-config]]
 == Security Namespace Configuration