Document How to Handle Method Security in Native Image #13226

Closed
asavov opened this issue May 25, 2023 · 0 comments
Labels
in: docs An issue in Documentation or samples type: enhancement A general enhancement

asavov commented May 25, 2023

Expected Behavior

Security SpEL (such as @PreAuthorize) needs custom native-image hints (such as @RegisterReflectionForBinding) when using/referring to custom beans from SpEL.

The expectation is to enhance the docs, providing guidelines to consumers of the SpEL support within Security.

Current Behavior

Security SpEL (such as @PreAuthorize) works out of the box only for default beans managed by the Spring framework.

Context

The problem is reproduced with this simplified snippet, run within @jlong's spring-boot-3-aot project as the repro environment.

package com.example.aot.security;

import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity(prePostEnabled = true)
// It works in native-image if this line is uncommented
// (needs import org.springframework.aot.hint.annotation.RegisterReflectionForBinding):
// @RegisterReflectionForBinding(CustomAuthenticationImpl.class)
public class SecurityConfiguration {

	// Custom Authentication contract that the SpEL expression below calls into
	public interface CustomAuthentication extends Authentication {

		boolean isCloudAdmin();

	}

	// Concrete type that ends up in the SecurityContext; SpEL resolves
	// "authentication.isCloudAdmin()" reflectively against this runtime class
	public static class CustomAuthenticationImpl extends TestingAuthenticationToken implements CustomAuthentication {

		static CustomAuthentication CLOUD_ADMIN = new CustomAuthenticationImpl(true);

		static CustomAuthentication NOT_CLOUD_ADMIN = new CustomAuthenticationImpl(false);

		private final boolean isCloudAdmin;

		private CustomAuthenticationImpl(boolean isCA) {
			super("alex-principal-" + (isCA ? "CA" : "nonCA"), "alex-credentials");
			this.isCloudAdmin = isCA;
		}

		@Override
		public boolean isCloudAdmin() {
			return isCloudAdmin;
		}

	}

	@Service
	public static class MyService {

		// Unsecured; used as a control call
		public String basicMethod() {
			return "OK";
		}

		// Use method on our CustomAuthentication which seems to need Hint
		@PreAuthorize("authentication.isCloudAdmin()")
		public String isCloudAdminMethod() {
			return "OK";
		}

	}

	// Drives the repro once the context is up: first with a non-admin
	// Authentication (call must be denied), then with an admin one (call must pass)
	@Bean
	ApplicationListener<ApplicationReadyEvent> withSecurity(MyService myService) {
		return event -> {
			SecurityContextHolder.getContext().setAuthentication(CustomAuthenticationImpl.NOT_CLOUD_ADMIN);

			System.out.println("[Security] basicMethod with NOT_CLOUD_ADMIN: " + myService.basicMethod());

			try {
				myService.isCloudAdminMethod();

				System.out.println("[Security] isCloudAdminMethod with NOT_CLOUD_ADMIN: should not happen");
			}
			catch (Exception e) {
				// On the JRE this is an AccessDeniedException; in native-image without the
				// hint it is the IllegalArgumentException from the failed SpEL evaluation
				System.out.println("[Security] isCloudAdminMethod with NOT_CLOUD_ADMIN: was secured");
			}

			SecurityContextHolder.getContext().setAuthentication(CustomAuthenticationImpl.CLOUD_ADMIN);

			System.out.println("[Security] isCloudAdminMethod with CLOUD_ADMIN: " + myService.isCloudAdminMethod());
		};
	}

}

which works on the JRE and fails in native-image with:

java.lang.IllegalArgumentException: Failed to evaluate expression 'authentication.isCloudAdmin()'
        at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:33) ~[na:na]
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:68) ~[na:na]
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method isCloudAdmin() cannot be found on type com.example.aot.security.SecurityConfiguration$CustomAuthenticationImpl
        at org.springframework.expression.spel.ast.MethodReference.findAccessorForMethod(MethodReference.java:225) ~[na:na]

Here's a link to the Slack channel discussion.

@asavov asavov added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 25, 2023
@marcusdacoregio marcusdacoregio self-assigned this May 25, 2023
@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels May 25, 2023
@marcusdacoregio marcusdacoregio added in: docs An issue in Documentation or samples and removed in: core An issue in spring-security-core labels May 26, 2023
@marcusdacoregio marcusdacoregio added this to the 6.0.4 milestone May 26, 2023
@marcusdacoregio marcusdacoregio changed the title Enhance doc w.r.t. AOT/native-image when using custom beans by the SPEL Document How to Handle Method Security in Native Image May 26, 2023
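As an added example (not code from the issue, and not Spring Security's own), the narrower way to supply the hint the expression needs: a RuntimeHintsRegistrar that registers only reflective invocation of the public methods of the concrete Authentication type, installed with @ImportRuntimeHints, plus a unit test that checks the hint with RuntimeHintsPredicates before a native build. It assumes the issue's SecurityConfiguration.CustomAuthenticationImpl in package com.example.aot.security (the package named in the stack trace), and JUnit 5 with AssertJ on the test classpath; the class names MethodSecurityHints, MethodSecurityNativeConfiguration and MethodSecurityHintsTests are hypothetical.

```java
package com.example.aot.security;

import org.junit.jupiter.api.Test;
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.RuntimeHints;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
import org.springframework.aot.hint.predicate.RuntimeHintsPredicates;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportRuntimeHints;

import static org.assertj.core.api.Assertions.assertThat;

// Hypothetical registrar (added example, not from the issue or from Spring Security).
// SpEL resolves "authentication.isCloudAdmin()" reflectively against the runtime class of
// the Authentication held in the SecurityContext, so the hint has to name the concrete
// implementation, not only the CustomAuthentication interface it implements.
class MethodSecurityHints implements RuntimeHintsRegistrar {

	@Override
	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
		// Only reflective invocation of public methods is needed for the expression;
		// constructors and fields stay out of the native image's reflection metadata.
		hints.reflection().registerType(
				SecurityConfiguration.CustomAuthenticationImpl.class,
				MemberCategory.INVOKE_PUBLIC_METHODS);
	}

}

// Hypothetical configuration that installs the registrar next to the issue's
// SecurityConfiguration. @ImportRuntimeHints is processed at build time by the Spring AOT
// engine, so the hint lands in the generated reflection metadata without annotating the
// Authentication class itself.
@Configuration
@ImportRuntimeHints(MethodSecurityHints.class)
class MethodSecurityNativeConfiguration {

}

// Hypothetical unit test (JUnit 5 + AssertJ assumed): asserts the hint is present on the
// JVM, before paying for a native build, which is where a missing hint would otherwise
// surface as the SpelEvaluationException shown in the issue.
class MethodSecurityHintsTests {

	@Test
	void registersInvokeHintForIsCloudAdmin() {
		RuntimeHints hints = new RuntimeHints();
		new MethodSecurityHints().registerHints(hints, getClass().getClassLoader());
		assertThat(RuntimeHintsPredicates.reflection()
				.onMethod(SecurityConfiguration.CustomAuthenticationImpl.class, "isCloudAdmin")
				.invoke())
				.accepts(hints);
	}

}
```

@RegisterReflectionForBinding, the fix the issue reports as working, registers the type for full data binding (constructors, fields and methods, plus the types they reference), which is more reflection surface than an authorization expression needs. A registrar limited to INVOKE_PUBLIC_METHODS keeps the native image's reflection metadata to what the expression actually calls, and the predicate test fails fast on the JVM if someone later renames isCloudAdmin or swaps the Authentication implementation without updating the hint.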