Improve SpEL support in method security annotations

Support use of filterObject and returnObject in PreFilter and PostFilter annotations.

Closes gh-1518

Author: eleftherias

samples/security-method/src/main/java/com/example/methodsecurity/GreetingService.java

@@ -1,11 +1,17 @@
 package com.example.methodsecurity;
 
+import java.util.List;
+
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.access.prepost.PreFilter;
 
 public interface GreetingService {
 
     String hello();
 
     @PreAuthorize("hasRole('ADMIN')")
     String adminHello();
+
+    @PreFilter("filterObject == 'Hello'")
+    String echo(List<String> greetings);
 }

samples/security-method/src/main/java/com/example/methodsecurity/GreetingServiceImpl.java

@@ -1,5 +1,7 @@
 package com.example.methodsecurity;
 
+import java.util.List;
+
 import org.springframework.stereotype.Service;
 
 @Service
@@ -14,4 +16,9 @@ public String hello() {
     public String adminHello() {
         return "Goodbye!";
     }
+
+    @Override
+    public String echo(List<String> greetings) {
+        return String.join(",", greetings);
+    }
 }

samples/security-method/src/main/java/com/example/methodsecurity/MainController.java

@@ -1,5 +1,9 @@
 package com.example.methodsecurity;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -22,5 +26,13 @@ public String hello() {
     public String adminHello() {
         return greetingService.adminHello();
     }
-    
+
+    @GetMapping("/filter/hello")
+    public String helloFilter() {
+        List<String> greetings = new ArrayList<>();
+        greetings.add("Hello");
+        greetings.add("Goodbye");
+        return greetingService.echo(greetings);
+    }
+
 }

samples/security-method/src/test/java/com/example/methodsecurity/MethodSecurityApplicationTests.java

@@ -9,6 +9,7 @@
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @SpringBootTest
@@ -43,4 +44,12 @@ public void accessAdminPageAsAdminThenOk() throws Exception {
 		mockMvc.perform(get("/admin/hello"))
 				.andExpect(status().isOk());
 	}
+
+	@Test
+	@WithMockUser
+	public void accessHelloFilterThenOk() throws Exception {
+		mockMvc.perform(get("/filter/hello"))
+				.andExpect(status().isOk())
+				.andExpect(content().string("Hello"));
+	}
 }

samples/security-method/verify.sh

@@ -8,5 +8,6 @@ wait_command_output "curl -I localhost:8080/admin/private" "HTTP/1.1 401" || RC=
 wait_http user:password@localhost:8080/hello "Hello!" || RC=$?
 wait_http admin:password@localhost:8080/admin/hello "Goodbye!" || RC=$?
 wait_http admin:password@localhost:8080/admin/private "bye" || RC=$?
+wait_http user:password@localhost:8080/filter/hello "Hello" || RC=$?
 
 exit $RC

spring-native-configuration/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityHints.java

@@ -23,7 +23,9 @@
 import org.springframework.nativex.type.NativeConfiguration;
 
 @NativeHint(trigger=GlobalMethodSecurityConfiguration.class, types = {
-		@TypeHint(typeNames= "org.springframework.security.access.expression.method.MethodSecurityExpressionRoot", access = TypeAccess.DECLARED_CONSTRUCTORS),
+		@TypeHint(
+				typeNames= "org.springframework.security.access.expression.method.MethodSecurityExpressionRoot",
+				access = {TypeAccess.DECLARED_CONSTRUCTORS, TypeAccess.DECLARED_METHODS, TypeAccess.DECLARED_FIELDS}),
 })
 @NativeHint(jdkProxies = @JdkProxyHint(types = {
 		org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication.class,