Check If toBuilder Is Implemented

Since RC1 is right around the corner, let's change the API
footprint as little as possible by using reflection to check
if a class has declared toBuilder themselves. If they have, we
can assume that that class's builder will produce that class.

Issue gh-18052

Author: jzheaux

core/src/test/java/org/springframework/security/authentication/NonBuildableAuthenticationToken.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+public class NonBuildableAuthenticationToken extends TestingAuthenticationToken {
+
+	public NonBuildableAuthenticationToken(String user, String password, String... authorities) {
+		super(user, password, authorities);
+	}
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.oauth2.server.resource.web.authentication;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -56,7 +57,6 @@
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
-import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -214,7 +214,12 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 	}
 
 	private static boolean declaresToBuilder(Authentication authentication) {
-		return ReflectionUtils.findMethod(authentication.getClass(), "toBuilder") != null;
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
 	}
 
 	/**

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilterTests.java

@@ -38,6 +38,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.NonBuildableAuthenticationToken;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -316,6 +317,24 @@ void doFilterWhenDefaultEqualsGrantedAuthorityThenNoDuplicates() throws Exceptio
 		// @formatter:on
 	}
 
+	@Test
+	void doFilterWhenNonBuildableAuthenticationSubclassThenSkipsToBuilder() throws Exception {
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password", "FACTORONE");
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		given(this.authenticationManager.authenticate(any()))
+			.willReturn(new NonBuildableAuthenticationToken("username", "password", "FACTORTWO"));
+		given(this.bearerTokenResolver.resolve(any())).willReturn("token");
+		BearerTokenAuthenticationFilter filter = addMocks(
+				new BearerTokenAuthenticationFilter(this.authenticationManager));
+		filter.doFilter(this.request, this.response, this.filterChain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		// @formatter:off
+		SecurityAssertions.assertThat(authentication).authorities()
+				.extracting(GrantedAuthority::getAuthority)
+				.containsExactly("FACTORTWO");
+		// @formatter:on
+	}
+
 	@Test
 	public void setAuthenticationEntryPointWhenNullThenThrowsException() {
 		BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(this.authenticationManager);

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.web.authentication;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -252,7 +253,7 @@ private void doFilter(HttpServletRequest request, HttpServletResponse response,
 				return;
 			}
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
-			if (current != null && current.isAuthenticated()) {
+			if (current != null && current.isAuthenticated() && declaresToBuilder(authenticationResult)) {
 				authenticationResult = authenticationResult.toBuilder()
 				// @formatter:off
 					.authorities((a) -> {
@@ -285,6 +286,15 @@ private void doFilter(HttpServletRequest request, HttpServletResponse response,
 		}
 	}
 
+	private static boolean declaresToBuilder(Authentication authentication) {
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * Indicates whether this filter should attempt to process a login request for the
 	 * current invocation.

web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.web.authentication;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -188,7 +189,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 				return;
 			}
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
-			if (current != null && current.isAuthenticated()) {
+			if (current != null && current.isAuthenticated() && declaresToBuilder(authenticationResult)) {
 				authenticationResult = authenticationResult.toBuilder()
 				// @formatter:off
 					.authorities((a) -> {
@@ -215,6 +216,15 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		}
 	}
 
+	private static boolean declaresToBuilder(Authentication authentication) {
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	@Override
 	protected String getAlreadyFilteredAttributeName() {
 		String name = getFilterName();

web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.web.authentication.preauth;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -208,7 +209,7 @@ private void doAuthenticate(HttpServletRequest request, HttpServletResponse resp
 			authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
 			Authentication authenticationResult = this.authenticationManager.authenticate(authenticationRequest);
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
-			if (current != null && current.isAuthenticated()) {
+			if (current != null && current.isAuthenticated() && declaresToBuilder(authenticationResult)) {
 				authenticationResult = authenticationResult.toBuilder()
 				// @formatter:off
 					.authorities((a) -> {
@@ -234,6 +235,15 @@ private void doAuthenticate(HttpServletRequest request, HttpServletResponse resp
 		}
 	}
 
+	private static boolean declaresToBuilder(Authentication authentication) {
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * Puts the <code>Authentication</code> instance returned by the authentication
 	 * manager into the secure context.

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.web.authentication.www;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.nio.charset.Charset;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -190,7 +191,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 			if (authenticationIsRequired(username)) {
 				Authentication authResult = this.authenticationManager.authenticate(authRequest);
 				Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
-				if (current != null && current.isAuthenticated()) {
+				if (current != null && current.isAuthenticated() && declaresToBuilder(authResult)) {
 					authResult = authResult.toBuilder()
 					// @formatter:off
 						.authorities((a) -> {
@@ -234,6 +235,15 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		chain.doFilter(request, response);
 	}
 
+	private static boolean declaresToBuilder(Authentication authentication) {
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	protected boolean authenticationIsRequired(String username) {
 		// Only reauthenticate if username doesn't match SecurityContextHolder and user
 		// isn't authenticated (see SEC-53)

web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server.authentication;
 
+import java.lang.reflect.Method;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -141,6 +142,9 @@ private Mono<Authentication> applyCurrentAuthenication(Authentication result) {
 			if (!current.isAuthenticated()) {
 				return result;
 			}
+			if (!declaresToBuilder(result)) {
+				return result;
+			}
 			return result.toBuilder()
 			// @formatter:off
 				.authorities((a) -> {
@@ -158,6 +162,15 @@ private Mono<Authentication> applyCurrentAuthenication(Authentication result) {
 		}).switchIfEmpty(Mono.just(result));
 	}
 
+	private static boolean declaresToBuilder(Authentication authentication) {
+		for (Method method : authentication.getClass().getDeclaredMethods()) {
+			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	protected Mono<Void> onAuthenticationSuccess(Authentication authentication, WebFilterExchange webFilterExchange) {
 		ServerWebExchange exchange = webFilterExchange.getExchange();
 		SecurityContextImpl securityContext = new SecurityContextImpl();

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -37,6 +37,8 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.InternalAuthenticationServiceException;
+import org.springframework.security.authentication.NonBuildableAuthenticationToken;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -480,6 +482,22 @@ void doFilterWhenDefaultEqualsAuthorityThenNoDuplicates() throws Exception {
 			.containsExactly(DefaultEqualsGrantedAuthority.AUTHORITY);
 	}
 
+	@Test
+	void doFilterWhenNotOverridingToBuilderThenDoesNotMergeAuthorities() throws Exception {
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password", "FACTORONE");
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		MockHttpServletRequest request = createMockAuthenticationRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockAuthenticationFilter filter = new MockAuthenticationFilter(
+				new NonBuildableAuthenticationToken("username", "password", "FACTORTWO"));
+		filter.doFilter(request, response, new MockFilterChain(false));
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		SecurityAssertions.assertThat(authentication)
+			.authorities()
+			.extracting(GrantedAuthority::getAuthority)
+			.containsExactly("FACTORTWO");
+	}
+
 	/**
 	 * https://github.com/spring-projects/spring-security/pull/3905
 	 */

web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java

@@ -37,6 +37,8 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.NonBuildableAuthenticationToken;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -348,6 +350,26 @@ public void doFilterWhenDefaultEqualsGrantedAuthorityThenNoDuplicates() throws E
 			.containsExactlyInAnyOrder(DefaultEqualsGrantedAuthority.AUTHORITY);
 	}
 
+	@Test
+	void doFilterWhenNotOverridingToBuilderThenDoesNotMergeAuthorities() throws Exception {
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password", "FACTORONE");
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		given(this.authenticationConverter.convert(any())).willReturn(existingAuthn);
+		given(this.authenticationManager.authenticate(any()))
+			.willReturn(new NonBuildableAuthenticationToken("user", "password", "FACTORTWO"));
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain chain = new MockFilterChain();
+		AuthenticationFilter filter = new AuthenticationFilter(this.authenticationManager,
+				this.authenticationConverter);
+		filter.doFilter(request, response, chain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		SecurityAssertions.assertThat(authentication)
+			.authorities()
+			.extracting(GrantedAuthority::getAuthority)
+			.containsExactly("FACTORTWO");
+	}
+
 	@Test
 	public void filterWhenCustomSecurityContextRepositoryAndSuccessfulAuthenticationRepositoryUsed() throws Exception {
 		SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);