diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java index f8f6707b6e4..64c003a214e 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactory.java @@ -254,7 +254,8 @@ public interface TargetVisitor { /** * The default {@link TargetVisitor}, which will proxy {@link Class} instances as * well as instances contained in reactive types (if reactor is present), - * collection types, and other container types like {@link Optional} + * collection types, and other container types like {@link Optional} and + * {@link Supplier} */ static TargetVisitor defaults() { return AuthorizationAdvisorProxyFactory.DEFAULT_VISITOR; diff --git a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java index 432489175c0..ef3451c60fc 100644 --- a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java +++ b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java @@ -31,6 +31,7 @@ import java.util.SortedSet; import java.util.TreeMap; import java.util.TreeSet; +import java.util.function.Supplier; import java.util.stream.Stream; import org.jetbrains.annotations.NotNull; @@ -242,6 +243,17 @@ public void proxyWhenPreAuthorizeForOptionalThenHonors() { SecurityContextHolder.clearContext(); } + @Test + public void proxyWhenPreAuthorizeForSupplierThenHonors() { + SecurityContextHolder.getContext().setAuthentication(this.user); + AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults(); + Supplier flights = () -> this.flight; + assertThat(flights.get().getAltitude()).isEqualTo(35000d); + Supplier secured = proxy(factory, flights); + assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> secured.get().getAltitude()); + SecurityContextHolder.clearContext(); + } + @Test public void proxyWhenPreAuthorizeForStreamThenHonors() { SecurityContextHolder.getContext().setAuthentication(this.user);