/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access.expression.method;
import java.lang.reflect.Method;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.framework.AopProxyUtils;
import org.springframework.aop.support.AopUtils;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.parameters.DefaultSecurityParameterNameDiscoverer;
/**
* Internal security-specific EvaluationContext implementation which lazily adds the
* method parameter values as variables (with the corresponding parameter names) if and
* when they are required.
*
* @author Luke Taylor
* @since 3.0
*/
class MethodSecurityEvaluationContext extends StandardEvaluationContext {
private static final Log logger = LogFactory
.getLog(MethodSecurityEvaluationContext.class);
private ParameterNameDiscoverer parameterNameDiscoverer;
private final MethodInvocation mi;
private boolean argumentsAdded;
/**
* Intended for testing. Don't use in practice as it creates a new parameter resolver
* for each instance. Use the constructor which takes the resolver, as an argument
* thus allowing for caching.
*/
public MethodSecurityEvaluationContext(Authentication user, MethodInvocation mi) {
this(user, mi, new DefaultSecurityParameterNameDiscoverer());
}
public MethodSecurityEvaluationContext(Authentication user, MethodInvocation mi,
ParameterNameDiscoverer parameterNameDiscoverer) {
this.mi = mi;
this.parameterNameDiscoverer = parameterNameDiscoverer;
}
@Override
public Object lookupVariable(String name) {
Object variable = super.lookupVariable(name);
if (variable != null) {
return variable;
}
if (!argumentsAdded) {
addArgumentsAsVariables();
argumentsAdded = true;
}
variable = super.lookupVariable(name);
if (variable != null) {
return variable;
}
return null;
}
public void setParameterNameDiscoverer(ParameterNameDiscoverer parameterNameDiscoverer) {
this.parameterNameDiscoverer = parameterNameDiscoverer;
}
private void addArgumentsAsVariables() {
Object[] args = mi.getArguments();
if (args.length == 0) {
return;
}
Object targetObject = mi.getThis();
// SEC-1454
Class<?> targetClass = AopProxyUtils.ultimateTargetClass(targetObject);
if (targetClass == null) {
// TODO: Spring should do this, but there's a bug in ultimateTargetClass()
// which returns null
targetClass = targetObject.getClass();
}
Method method = AopUtils.getMostSpecificMethod(mi.getMethod(), targetClass);
String[] paramNames = parameterNameDiscoverer.getParameterNames(method);
if (paramNames == null) {
logger.warn("Unable to resolve method parameter names for method: "
+ method
+ ". Debug symbol information is required if you are using parameter names in expressions.");
return;
}
for (int i = 0; i < args.length; i++) {
super.setVariable(paramNames[i], args[i]);
}
}
}