SEC-1690: Refactor expression PropertyAccessor for dealing with properties as beans in the ApplicationContext.

core/src/main/java/org/springframework/security/access/expression/AbstractSecurityExpressionHandler.java

@@ -21,9 +21,8 @@ import org.springframework.security.core.Authentication;
 public abstract class AbstractSecurityExpressionHandler<T> implements SecurityExpressionHandler<T>, ApplicationContextAware {
     private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
     private final ExpressionParser expressionParser = new SpelExpressionParser();
-    private final SecurityExpressionRootPropertyAccessor sxrpa = new SecurityExpressionRootPropertyAccessor();
+    private ApplicationContextPropertyAccessor sxrpa = new ApplicationContextPropertyAccessor(null);
     private RoleHierarchy roleHierarchy;
-    private ApplicationContext applicationContext;
 
     public final ExpressionParser getExpressionParser() {
         return expressionParser;
@@ -42,7 +41,6 @@ public abstract class AbstractSecurityExpressionHandler<T> implements SecurityEx
         SecurityExpressionRoot root = createSecurityExpressionRoot(authentication, invocation);
         root.setTrustResolver(trustResolver);
         root.setRoleHierarchy(roleHierarchy);
-        root.setApplicationContext(applicationContext);
         StandardEvaluationContext ctx = createEvaluationContextInternal(authentication, invocation);
         ctx.addPropertyAccessor(sxrpa);
         ctx.setRootObject(root);
@@ -69,7 +67,7 @@ public abstract class AbstractSecurityExpressionHandler<T> implements SecurityEx
      *
      * @param authentication the current authentication object
      * @param invocation the invocation (filter, method, channel)
-     * @return a
+     * @return the object wh
      */
     protected abstract SecurityExpressionRoot createSecurityExpressionRoot(Authentication authentication, T invocation);
 
@@ -78,6 +76,6 @@ public abstract class AbstractSecurityExpressionHandler<T> implements SecurityEx
     }
 
     public void setApplicationContext(ApplicationContext applicationContext) {
-        this.applicationContext = applicationContext;
+        sxrpa = new ApplicationContextPropertyAccessor(applicationContext);
     }
 }

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRootPropertyAccessor.java → core/src/main/java/org/springframework/security/access/expression/ApplicationContextPropertyAccessor.java

@@ -6,13 +6,17 @@ import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.PropertyAccessor;
 import org.springframework.expression.TypedValue;
 
-@SuppressWarnings("unchecked")
-final class SecurityExpressionRootPropertyAccessor implements PropertyAccessor {
-    public final Class[] CLASSES = {SecurityExpressionRoot.class};
+/**
+ * General property accessor which resolves properties as bean names within an {@code ApplicationContext}.
+ */
+final class ApplicationContextPropertyAccessor implements PropertyAccessor {
+    private final ApplicationContext ctx;
+
+    ApplicationContextPropertyAccessor(ApplicationContext ctx) {
+        this.ctx = ctx;
+    }
 
     public boolean canRead(EvaluationContext context, Object target, String name) throws AccessException {
-        ApplicationContext ctx = ((SecurityExpressionRoot)target).getApplicationContext();
-
         if (ctx == null) {
             return false;
         }
@@ -21,7 +25,7 @@ final class SecurityExpressionRootPropertyAccessor implements PropertyAccessor {
     }
 
     public TypedValue read(EvaluationContext context, Object target, String name) throws AccessException {
-        return new TypedValue(((SecurityExpressionRoot)target).getApplicationContext().getBean(name));
+        return new TypedValue(ctx.getBean(name));
     }
 
     public boolean canWrite(EvaluationContext context, Object target, String name) throws AccessException {
@@ -32,7 +36,7 @@ final class SecurityExpressionRootPropertyAccessor implements PropertyAccessor {
     }
 
     public Class[] getSpecificTargetClasses() {
-        return CLASSES;
+        return null;
     }
 
 }

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -25,7 +25,6 @@ public abstract class SecurityExpressionRoot {
     private AuthenticationTrustResolver trustResolver;
     private RoleHierarchy roleHierarchy;
     private Set<String> roles;
-    private ApplicationContext applicationContext;
 
     /** Allows "permitAll" expression */
     public final boolean permitAll = true;
@@ -110,14 +109,6 @@ public abstract class SecurityExpressionRoot {
         this.roleHierarchy = roleHierarchy;
     }
 
-    ApplicationContext getApplicationContext() {
-        return applicationContext;
-    }
-
-    public void setApplicationContext(ApplicationContext applicationContext) {
-        this.applicationContext = applicationContext;
-    }
-
     private Set<String> getAuthoritySet() {
         if (roles == null) {
             roles = new HashSet<String>();