Consider supporting Spring Data container types for AuthorizeReturnObject

Closes spring-projectsgh-15994

Signed-off-by: Evgeniy Cheban <[email protected]>

Author: evgeniycheban

Diff for: config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -62,6 +62,8 @@
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.core.annotation.Order;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageImpl;
 import org.springframework.http.HttpStatusCode;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.AccessDeniedException;
@@ -94,6 +96,7 @@
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.MethodInvocationResult;
 import org.springframework.security.authorization.method.PrePostTemplateDefaults;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.observation.SecurityObservationSettings;
@@ -103,6 +106,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.data.repository.query.DataSecurityContainerTypeVisitor;
 import org.springframework.security.test.context.support.WithAnonymousUser;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -804,6 +808,16 @@ public void findAllWhenPostFilterThenFilters() {
 				.doesNotContain("Kevin Mitnick"));
 	}
 
+	@Test
+	@WithMockUser(authorities = "airplane:read")
+	public void findPageWhenPostFilterThenFilters() {
+		this.spring.register(AuthorizeDataContainerTypeResultConfig.class).autowire();
+		FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class);
+		flights.findPage()
+			.forEach((flight) -> assertThat(flight.getPassengers()).extracting(Passenger::getName)
+				.doesNotContain("Kevin Mitnick"));
+	}
+
 	@Test
 	@WithMockUser(authorities = "airplane:read")
 	public void findAllWhenPreFilterThenFilters() {
@@ -1679,6 +1693,35 @@ RoleHierarchy roleHierarchy() {
 
 	}
 
+	@EnableMethodSecurity
+	@Configuration
+	static class AuthorizeDataContainerTypeResultConfig {
+
+		@Bean
+		Customizer<AuthorizationAdvisorProxyFactory> dataSecurityContainerTypeVisitor() {
+			return (f) -> f
+				.setTargetVisitor(TargetVisitor.of(new DataSecurityContainerTypeVisitor(), TargetVisitor.defaults()));
+		}
+
+		@Bean
+		FlightRepository flights() {
+			FlightRepository flights = new FlightRepository();
+			Flight one = new Flight("1", 35000d, 35);
+			one.board(new ArrayList<>(List.of("Marie Curie", "Kevin Mitnick", "Ada Lovelace")));
+			flights.save(one);
+			Flight two = new Flight("2", 32000d, 72);
+			two.board(new ArrayList<>(List.of("Albert Einstein")));
+			flights.save(two);
+			return flights;
+		}
+
+		@Bean
+		RoleHierarchy roleHierarchy() {
+			return RoleHierarchyImpl.withRolePrefix("").role("airplane:read").implies("seating:read").build();
+		}
+
+	}
+
 	@AuthorizeReturnObject
 	static class FlightRepository {
 
@@ -1688,6 +1731,10 @@ Iterator<Flight> findAll() {
 			return this.flights.values().iterator();
 		}
 
+		Page<Flight> findPage() {
+			return new PageImpl<>(new ArrayList<>(this.flights.values()));
+		}
+
 		Flight findById(String id) {
 			return this.flights.get(id);
 		}

Diff for: data/src/main/java/org/springframework/security/data/repository/query/DataSecurityContainerTypeVisitor.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.data.repository.query;
+
+import java.util.List;
+
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.SliceImpl;
+import org.springframework.data.geo.GeoPage;
+import org.springframework.data.geo.GeoResult;
+import org.springframework.data.geo.GeoResults;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+
+/**
+ * A
+ * {@link org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor}
+ * that adds support for Spring Data container types to be proxied, it can be used as
+ * follows: <pre>
+ * &#064;Bean
+ * Customizer&lt;AuthorizationAdvisorProxyFactory&gt; dataSecurityContainerTypeVisitor() {
+ *   return (f) -> f.setTargetVisitor(
+ *     TargetVisitor.of(new DataSecurityContainerTypeVisitor(), TargetVisitor.defaults()));
+ * }
+ * </pre>
+ *
+ * @author Evgeniy Cheban
+ * @since 6.5
+ * @see GeoResults
+ * @see GeoResult
+ * @see GeoPage
+ * @see PageImpl
+ * @see SliceImpl
+ */
+public final class DataSecurityContainerTypeVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor {
+
+	@Override
+	public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
+		if (target instanceof GeoResults<?> geoResults) {
+			return new GeoResults<>(proxyCast(proxyFactory, geoResults.getContent()), geoResults.getAverageDistance());
+		}
+		if (target instanceof GeoResult<?> geoResult) {
+			return new GeoResult<>(proxyCast(proxyFactory, geoResult.getContent()), geoResult.getDistance());
+		}
+		if (target instanceof GeoPage<?> geoPage) {
+			GeoResults<?> results = new GeoResults<>(proxyCast(proxyFactory, geoPage.getContent()),
+					geoPage.getAverageDistance());
+			return new GeoPage<>(results, geoPage.getPageable(), geoPage.getTotalElements());
+		}
+		if (target instanceof PageImpl<?> page) {
+			List<?> content = proxyCast(proxyFactory, page.getContent());
+			return new PageImpl<>(content, page.getPageable(), page.getTotalElements());
+		}
+		if (target instanceof SliceImpl<?> slice) {
+			List<?> content = proxyCast(proxyFactory, slice.getContent());
+			return new SliceImpl<>(content, slice.getPageable(), slice.hasNext());
+		}
+		return null;
+	}
+
+	@SuppressWarnings("unchecked")
+	private <T> T proxyCast(AuthorizationAdvisorProxyFactory proxyFactory, T target) {
+		return (T) proxyFactory.proxy(target);
+	}
+
+}

Diff for: data/src/test/java/org/springframework/security/data/repository/query/DataSecurityContainerTypeVisitorTests.java

@@ -0,0 +1,151 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.data.repository.query;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.SliceImpl;
+import org.springframework.data.geo.Distance;
+import org.springframework.data.geo.GeoPage;
+import org.springframework.data.geo.GeoResult;
+import org.springframework.data.geo.GeoResults;
+import org.springframework.security.access.prepost.PostFilter;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.InstanceOfAssertFactories.list;
+import static org.assertj.core.api.InstanceOfAssertFactories.type;
+
+/**
+ * Tests for {@link DataSecurityContainerTypeVisitor}.
+ *
+ * @author Evgeniy Cheban
+ */
+class DataSecurityContainerTypeVisitorTests {
+
+	private final DataSecurityContainerTypeVisitor visitor = new DataSecurityContainerTypeVisitor();
+
+	@Test
+	void visitWhenTargetGeoResultsThenValuesFiltered() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		proxyFactory.setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor.of(this.visitor,
+				AuthorizationAdvisorProxyFactory.TargetVisitor.defaults()));
+		GeoResults<AuthorizedObject> geoResults = getGeoResults();
+		Object result = this.visitor.visit(proxyFactory, geoResults);
+		assertThat(result).asInstanceOf(type(GeoResults.class))
+			.extracting(GeoResults::getContent, list(GeoResult.class))
+			.extracting(GeoResult::getContent)
+			.asInstanceOf(list(AuthorizedObject.class))
+			.flatExtracting(AuthorizedObject::getValues)
+			.containsExactly("test2", "test3", "test4", "test5", "test6", "test7", "test8");
+	}
+
+	@Test
+	void visitWhenTargetGeoPageThenValuesFiltered() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		proxyFactory.setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor.of(this.visitor,
+				AuthorizationAdvisorProxyFactory.TargetVisitor.defaults()));
+		GeoPage<AuthorizedObject> geoPage = new GeoPage<>(getGeoResults());
+		Object result = this.visitor.visit(proxyFactory, geoPage);
+		assertThat(result).asInstanceOf(type(GeoPage.class))
+			.extracting(GeoPage::getContent, list(GeoResult.class))
+			.extracting(GeoResult::getContent)
+			.asInstanceOf(list(AuthorizedObject.class))
+			.flatExtracting(AuthorizedObject::getValues)
+			.containsExactly("test2", "test3", "test4", "test5", "test6", "test7", "test8");
+	}
+
+	@Test
+	void visitWhenTargetGeoResultThenValuesFiltered() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		proxyFactory.setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor.of(this.visitor,
+				AuthorizationAdvisorProxyFactory.TargetVisitor.defaults()));
+		AuthorizedObject authorizedObject = new AuthorizedObject("test1", "test2", "test3");
+		GeoResult<AuthorizedObject> geoResult = new GeoResult<>(authorizedObject, new Distance(1.0));
+		Object result = this.visitor.visit(proxyFactory, geoResult);
+		assertThat(result).asInstanceOf(type(GeoResult.class))
+			.extracting(GeoResult::getContent)
+			.asInstanceOf(type(AuthorizedObject.class))
+			.extracting(AuthorizedObject::getValues, list(String.class))
+			.containsExactly("test2", "test3");
+	}
+
+	@Test
+	void visitWhenTargetPageImplThenValuesFiltered() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		proxyFactory.setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor.of(this.visitor,
+				AuthorizationAdvisorProxyFactory.TargetVisitor.defaults()));
+		PageImpl<AuthorizedObject> page = new PageImpl<>(getAuthorizedObjects());
+		Object result = this.visitor.visit(proxyFactory, page);
+		assertThat(result).asInstanceOf(type(PageImpl.class))
+			.extracting(PageImpl::getContent, list(AuthorizedObject.class))
+			.flatExtracting(AuthorizedObject::getValues)
+			.containsExactly("test2", "test3", "test4", "test5", "test6", "test7", "test8");
+	}
+
+	@Test
+	void visitWhenTargetSliceImplThenValuesFiltered() {
+		AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
+		proxyFactory.setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor.of(this.visitor,
+				AuthorizationAdvisorProxyFactory.TargetVisitor.defaults()));
+		SliceImpl<AuthorizedObject> page = new SliceImpl<>(getAuthorizedObjects());
+		Object result = this.visitor.visit(proxyFactory, page);
+		assertThat(result).asInstanceOf(type(SliceImpl.class))
+			.extracting(SliceImpl::getContent, list(AuthorizedObject.class))
+			.flatExtracting(AuthorizedObject::getValues)
+			.containsExactly("test2", "test3", "test4", "test5", "test6", "test7", "test8");
+	}
+
+	private GeoResults<AuthorizedObject> getGeoResults() {
+		AuthorizedObject authorizedObject1 = new AuthorizedObject("test1", "test2", "test3");
+		AuthorizedObject authorizedObject2 = new AuthorizedObject("test4", "test5", "test6");
+		AuthorizedObject authorizedObject3 = new AuthorizedObject("test7", "test8", "test9");
+		GeoResult<AuthorizedObject> geoResult1 = new GeoResult<>(authorizedObject1, new Distance(1.0));
+		GeoResult<AuthorizedObject> geoResult2 = new GeoResult<>(authorizedObject2, new Distance(2.0));
+		GeoResult<AuthorizedObject> geoResult3 = new GeoResult<>(authorizedObject3, new Distance(3.0));
+		List<GeoResult<AuthorizedObject>> results = List.of(geoResult1, geoResult2, geoResult3);
+		return new GeoResults<>(results);
+	}
+
+	private List<AuthorizedObject> getAuthorizedObjects() {
+		AuthorizedObject authorizedObject1 = new AuthorizedObject("test1", "test2", "test3");
+		AuthorizedObject authorizedObject2 = new AuthorizedObject("test4", "test5", "test6");
+		AuthorizedObject authorizedObject3 = new AuthorizedObject("test7", "test8", "test9");
+		return List.of(authorizedObject1, authorizedObject2, authorizedObject3);
+	}
+
+	static class AuthorizedObject {
+
+		private final List<String> values;
+
+		AuthorizedObject(String... value) {
+			this.values = new ArrayList<>(Arrays.asList(value));
+		}
+
+		@PostFilter("filterObject != 'test1' and filterObject != 'test9'")
+		List<String> getValues() {
+			return this.values;
+		}
+
+	}
+
+}