
SEC-2332: GlobalMethodSecurityConfiguration includes proper voters

Previously GlobalMethodSecurityConfiguration did not include the correct
voters. This updates the code and the tests to ensure that the proper
voters are added. Note this got past testing previously due to all the
voters abstaining, so tests were added for ensuring that methods could also
be invoked successfully using the configured annotation.
Rob Winch 12 rokov pred
rodič
commit
c5c1419521

+ 7 - 2
config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -40,6 +40,7 @@ import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
+import org.springframework.security.access.annotation.Jsr250Voter;
 import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
@@ -178,9 +179,13 @@ public class GlobalMethodSecurityConfiguration implements ImportAware {
         List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
         ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
         expressionAdvice.setExpressionHandler(getExpressionHandler());
-
-        decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(
+        if(prePostEnabled()) {
+            decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(
                 expressionAdvice));
+        }
+        if(jsr250Enabled()) {
+            decisionVoters.add(new Jsr250Voter());
+        }
         decisionVoters.add(new RoleVoter());
         decisionVoters.add(new AuthenticatedVoter());
         return new AffirmativeBased(decisionVoters);
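Review bot: The ExpressionBasedPreInvocationAdvice and its expression handler are still built on the two context lines just above the new `if(prePostEnabled())` guard, so getExpressionHandler() runs even when the only voter that consumes it is never added; moving those two lines inside the guard keeps the setup next to its single consumer: `if(prePostEnabled()) { ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice(); expressionAdvice.setExpressionHandler(getExpressionHandler()); decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice)); }`. Now that the first two voters are conditional, the unconditional RoleVoter and AuthenticatedVoter lines deserve a why-comment, presumably along the lines of `// RoleVoter and AuthenticatedVoter are always registered: they evaluate ROLE_* and IS_AUTHENTICATED_* attributes regardless of which annotation style is enabled` — confirm that is the intent before adding it. Because the manager is AffirmativeBased, a single ACCESS_GRANTED from the new Jsr250Voter (e.g. @PermitAll) decides the outcome, which the note on the new lines could also make explicit. The enclosing method starts outside the hunk.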

+ 7 - 0
config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.groovy

@@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.method.configuration;
 
 import javax.annotation.security.DenyAll
+import javax.annotation.security.PermitAll;
 
 import org.springframework.security.access.annotation.Secured
 import org.springframework.security.access.prepost.PostAuthorize;
@@ -34,9 +35,15 @@ public interface MethodSecurityService {
     @Secured("ROLE_ADMIN")
     public String secured();
 
+    @Secured("ROLE_USER")
+    public String securedUser();
+
     @DenyAll
     public String jsr250();
 
+    @PermitAll
+    public String jsr250PermitAll();
+
     @Secured(["ROLE_USER","RUN_AS_SUPER"])
     public Authentication runAs();
 

+ 10 - 0
config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/MethodSecurityServiceImpl.groovy

@@ -35,11 +35,21 @@ public class MethodSecurityServiceImpl implements MethodSecurityService {
         return null;
     }
 
+    @Override
+    public String securedUser() {
+        return null;
+    }
+
     @Override
     public String jsr250() {
         return null;
     }
 
+    @Override
+    public String jsr250PermitAll() {
+        return null;
+    }
+
     @Override
     public Authentication runAs() {
         return SecurityContextHolder.getContext().getAuthentication();

+ 7 - 0
config/src/test/groovy/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.groovy

@@ -134,6 +134,10 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
             service.jsr250()
         then: "access is denied"
             thrown(AccessDeniedException)
+        when: "@PermitAll method invoked"
+            String jsr250PermitAll = service.jsr250PermitAll()
+        then: "access is allowed"
+            jsr250PermitAll == null
     }
 
     @EnableGlobalMethodSecurity(jsr250Enabled = true)
@@ -345,6 +349,9 @@ public class NamespaceGlobalMethodSecurityTests extends BaseSpringSpec {
             service.secured()
         then:
             thrown(AccessDeniedException)
+        and: "service with ROLE_USER allowed"
+            service.securedUser() == null
+        and:
             service.preAuthorize() == null
             service.jsr250() == null
     }
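Review bot: The second `and:` block added at the end of the hunk has no description, unlike the one immediately above it, so the failure output will not say what `service.preAuthorize() == null` and `service.jsr250() == null` are meant to establish in this scenario; label it, e.g. `and: "other configured annotations remain allowed"`. The enclosing feature method starts outside the hunk.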