SEC-1558: Changed signatures of PrePostInvocationAttributeFactory to take strings rather than annotation types to allow the metadata to be obtained from other sources (not just annotations).

core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java

@@ -6,11 +6,7 @@ package org.springframework.security.access.expression.method;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
-import org.springframework.security.access.prepost.PostAuthorize;
-import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PostInvocationAttribute;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.access.prepost.PreInvocationAttribute;
 import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory;
 
@@ -28,22 +24,21 @@ public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocat
         parser = handler.getExpressionParser();
     }
 
-    public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) {
+    public PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute) {
         try {
          // TODO: Optimization of permitAll
-            Expression preAuthorizeExpression = preAuthorize == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorize.value());
-            Expression preFilterExpression = preFilter == null ? null : parser.parseExpression(preFilter.value());
-            String filterObject = preFilter == null ? null : preFilter.filterTarget();
+            Expression preAuthorizeExpression = preAuthorizeAttribute == null ? parser.parseExpression("permitAll") : parser.parseExpression(preAuthorizeAttribute);
+            Expression preFilterExpression = preFilterAttribute == null ? null : parser.parseExpression(preFilterAttribute);
             return new PreInvocationExpressionAttribute(preFilterExpression, filterObject, preAuthorizeExpression);
         } catch (ParseException e) {
             throw new IllegalArgumentException("Failed to parse expression '" + e.getExpressionString() + "'", e);
         }
     }
 
-    public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) {
+    public PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute) {
         try {
-            Expression postAuthorizeExpression = postAuthorize == null ? null : parser.parseExpression(postAuthorize.value());
-            Expression postFilterExpression = postFilter == null ? null : parser.parseExpression(postFilter.value());
+            Expression postAuthorizeExpression = postAuthorizeAttribute == null ? null : parser.parseExpression(postAuthorizeAttribute);
+            Expression postFilterExpression = postFilterAttribute == null ? null : parser.parseExpression(postFilterAttribute);
 
             if (postFilterExpression != null || postAuthorizeExpression != null) {
                 return new PostInvocationExpressionAttribute(postFilterExpression, postAuthorizeExpression);

core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java

@@ -44,6 +44,7 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur
         logger.trace("Looking for Pre/Post annotations for method '" +
                 method.getName() + "' on target class '" + targetClass + "'");
         PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class);
+
         PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class);
         PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class);
      // TODO: Can we check for void methods and throw an exception here?
@@ -55,15 +56,21 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur
             return null;
         }
 
-        ArrayList<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
+        String preFilterAttribute = preFilter == null ? null : preFilter.value();
+        String filterObject = preFilter == null ? null : preFilter.filterTarget();
+        String preAuthorizeAttribute = preAuthorize == null ? null : preAuthorize.value();
+        String postFilterAttribute = postFilter == null ? null : postFilter.value();
+        String postAuthorizeAttribute = postAuthorize == null ? null : postAuthorize.value();
+
+        ArrayList<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>(2);
 
-        PreInvocationAttribute pre = attributeFactory.createPreInvocationAttribute(preFilter, preAuthorize);
+        PreInvocationAttribute pre = attributeFactory.createPreInvocationAttribute(preFilterAttribute, filterObject, preAuthorizeAttribute);
 
         if (pre != null) {
             attrs.add(pre);
         }
 
-        PostInvocationAttribute post = attributeFactory.createPostInvocationAttribute(postFilter, postAuthorize);
+        PostInvocationAttribute post = attributeFactory.createPostInvocationAttribute(postFilterAttribute, postAuthorizeAttribute);
 
         if (post != null) {
             attrs.add(post);

core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java

@@ -9,7 +9,7 @@ import org.springframework.aop.framework.AopInfrastructureBean;
  */
 public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {
 
-    PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize);
+    PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute);
 
-    PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize);
+    PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute);
 }

itest/context/src/main/java/org/springframework/security/integration/python/PythonInterpreterPrePostInvocationAttributeFactory.java

@@ -1,11 +1,7 @@
 package org.springframework.security.integration.python;
 
 import org.python.util.PythonInterpreter;
-import org.springframework.security.access.prepost.PostAuthorize;
-import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PostInvocationAttribute;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.access.prepost.PreInvocationAttribute;
 import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory;
 
@@ -16,11 +12,11 @@ public class PythonInterpreterPrePostInvocationAttributeFactory implements PrePo
     }
 
 
-    public PreInvocationAttribute createPreInvocationAttribute(PreFilter preFilter, PreAuthorize preAuthorize) {
-        return new PythonInterpreterPreInvocationAttribute(preAuthorize.value());
+    public PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject, String preAuthorizeAttribute) {
+        return new PythonInterpreterPreInvocationAttribute(preAuthorizeAttribute    );
     }
 
-    public PostInvocationAttribute createPostInvocationAttribute(PostFilter postFilter, PostAuthorize postAuthorize) {
+    public PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute) {
         return null;
     }
 }