Support @AuthenticationPrincipal on interfaces

Closes gh-16177

Author: kse-music

core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java

@@ -18,18 +18,23 @@
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.AnnotatedElement;
+import java.lang.reflect.Executable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.core.MethodClassKey;
+import org.springframework.core.MethodParameter;
+import org.springframework.core.annotation.AnnotatedMethod;
 import org.springframework.core.annotation.AnnotationConfigurationException;
+import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.annotation.RepeatableContainers;
@@ -103,11 +108,45 @@ final class UniqueSecurityAnnotationScanner<A extends Annotation> extends Abstra
 		this.types = types;
 	}
 
+	private A findMethodAnnotation(Class<A> annotationClass, Parameter p) {
+		Executable executable = p.getDeclaringExecutable();
+		if (executable instanceof Method method) {
+			AnnotatedMethod annotatedMethod = new AnnotatedMethod(method);
+			MethodParameter parameter = null;
+			MethodParameter[] methodParameters = annotatedMethod.getMethodParameters();
+			for (MethodParameter methodParameter : methodParameters) {
+				if (p == methodParameter.getParameter()) {
+					parameter = methodParameter;
+					break;
+				}
+			}
+			if (parameter == null) {
+				return null;
+			}
+			A annotation = parameter.getParameterAnnotation(annotationClass);
+			if (annotation != null) {
+				return annotation;
+			}
+			Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
+			for (Annotation toSearch : annotationsToSearch) {
+				annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(), annotationClass);
+				if (annotation != null) {
+					return annotation;
+				}
+			}
+		}
+		return null;
+	}
+
 	@Override
 	MergedAnnotation<A> merge(AnnotatedElement element, Class<?> targetClass) {
 		if (element instanceof Parameter parameter) {
 			return this.uniqueParameterAnnotationCache.computeIfAbsent(parameter, (p) -> {
-				List<MergedAnnotation<A>> annotations = findDirectAnnotations(p);
+				List<MergedAnnotation<A>> annotations = this.types.stream()
+					.map((c) -> findMethodAnnotation(c, p))
+					.filter(Objects::nonNull)
+					.map(MergedAnnotation::from)
+					.toList();
 				return requireUnique(p, annotations);
 			});
 		}

web/src/test/java/org/springframework/security/web/method/annotation/AuthenticationPrincipalArgumentResolverTests.java

@@ -214,6 +214,14 @@ public void resolveArgumentCustomMetaAnnotationTpl() throws Exception {
 			.isEqualTo(this.expectedPrincipal);
 	}
 
+	@Test
+	public void resolveArgumentAnnotationFromInterface() {
+		CustomUserPrincipal principal = new CustomUserPrincipal();
+		setAuthenticationPrincipal(principal);
+		assertThat(this.resolver.supportsParameter(getMethodParameter("getUserByInterface", CustomUserPrincipal.class)))
+			.isTrue();
+	}
+
 	private MethodParameter showUserNoAnnotation() {
 		return getMethodParameter("showUserNoAnnotation", String.class);
 	}
@@ -312,7 +320,18 @@ private void setAuthenticationPrincipal(Object principal) {
 
 	}
 
-	public static class TestController {
+	interface UserApi {
+
+		String getUserByInterface(@AuthenticationPrincipal CustomUserPrincipal user);
+
+	}
+
+	public static class TestController implements UserApi {
+
+		@Override
+		public String getUserByInterface(CustomUserPrincipal user) {
+			return "";
+		}
 
 		public void showUserNoAnnotation(String user) {
 		}