GitHub-Spring
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Allow remote devtools access with Spring Security 

Update `ManagementWebSecurityAutoConfiguration` so that the
`managementSecurityFilterChain` bean has an explicit order.

Prior to this commit, the `managementSecurityFilterChain` would override
the `securityFilterChain` in `RemoteDevtoolsSecurityConfiguration` which
would prevent the remote devtools endpoint from being accessed.

See gh-25868
pull/26691/head
Hatef Palizgar 5 years ago committed by Phillip Webb
parent
c45bb2bd95
commit
9b2e13aace
2 changed files with 95 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java
  2. 93
      spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java

3
spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java
Unescape View File

@ -26,12 +26,14 @@ import org.springframework.boot.autoconfigure.AutoConfigureBefore; @@ -26,12 +26,14 @@ import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@ -58,6 +60,7 @@ import org.springframework.security.web.SecurityFilterChain; @@ -58,6 +60,7 @@ import org.springframework.security.web.SecurityFilterChain;
public class ManagementWebSecurityAutoConfiguration {
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER)
SecurityFilterChain managementSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();

93
spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
Unescape View File

@ -17,9 +17,19 @@ @@ -17,9 +17,19 @@
package org.springframework.boot.actuate.autoconfigure.security.servlet;
import java.io.IOException;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.jetbrains.annotations.NotNull;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.AnnotatedBeanDefinition;
import org.springframework.beans.factory.config.BeanDefinitionHolder;
import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.env.EnvironmentEndpointAutoConfiguration;
@ -27,14 +37,21 @@ import org.springframework.boot.actuate.autoconfigure.health.HealthContributorAu @@ -27,14 +37,21 @@ import org.springframework.boot.actuate.autoconfigure.health.HealthContributorAu
import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigurations;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.test.context.FilteredClassLoader;
import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.AnnotationAttributes;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
@ -45,6 +62,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -45,6 +62,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.context.WebApplicationContext;
import static org.assertj.core.api.Assertions.assertThat;
@ -121,7 +139,7 @@ class ManagementWebSecurityAutoConfigurationTests { @@ -121,7 +139,7 @@ class ManagementWebSecurityAutoConfigurationTests {
@Test
void backsOffIfSecurityFilterChainBeanIsPresent() {
this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {
assertThat(context.getBeansOfType(SecurityFilterChain.class).size()).isEqualTo(1);
assertThat(context.getBeansOfType(SecurityFilterChain.class)).isNotEmpty();
assertThat(context.containsBean("testSecurityFilterChain")).isTrue();
});
}
@ -146,6 +164,28 @@ class ManagementWebSecurityAutoConfigurationTests { @@ -146,6 +164,28 @@ class ManagementWebSecurityAutoConfigurationTests {
.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
}
@Test
void backOffIfRemoteDevToolsSecurityFilterChainIsPresent() {
this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {
List<String> beanNames = getOrderedBeanNames(context);
assertThat(beanNames).containsExactly("testRemoteDevToolsSecurityFilterChain", "testSecurityFilterChain");
assertThat(context.getBeansOfType(SecurityFilterChain.class).size()).isEqualTo(2);
assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class);
assertThat(context.containsBean("testRemoteDevToolsSecurityFilterChain")).isTrue();
});
}
@NotNull
private List<String> getOrderedBeanNames(AssertableWebApplicationContext context) {
return Arrays.stream(context.getBeanNamesForType(SecurityFilterChain.class))
.map((beanName) -> Optional.of(context).map(ConfigurableApplicationContext::getBeanFactory)
.map((beanFactory) -> beanFactory.getBeanDefinition(beanName))
.map((beanDefinition) -> new BeanDefinitionHolder(beanDefinition, beanName)).orElse(null))
.sorted(OrderAnnotatedBeanDefinitionComparator.INSTANCE).map(BeanDefinitionHolder::getBeanName)
.collect(Collectors.toList());
}
private HttpStatus getResponseStatus(AssertableWebApplicationContext context, String path)
throws IOException, javax.servlet.ServletException {
FilterChainProxy filterChainProxy = context.getBean(FilterChainProxy.class);
@ -183,6 +223,57 @@ class ManagementWebSecurityAutoConfigurationTests { @@ -183,6 +223,57 @@ class ManagementWebSecurityAutoConfigurationTests {
.build();
}
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception {
return http.requestMatcher(new AntPathRequestMatcher("/**")).authorizeRequests().anyRequest().anonymous()
.and().csrf().disable().build();
}
}
static class OrderAnnotatedBeanDefinitionComparator implements Comparator<BeanDefinitionHolder> {
static final OrderAnnotatedBeanDefinitionComparator INSTANCE = new OrderAnnotatedBeanDefinitionComparator();
private final Map<String, Integer> beanNameToOrder = new ConcurrentHashMap<>();
@Override
public int compare(BeanDefinitionHolder beanOne, BeanDefinitionHolder beanTwo) {
return getOrder(beanOne).compareTo(getOrder(beanTwo));
}
private Integer getOrder(BeanDefinitionHolder bean) {
return this.beanNameToOrder.computeIfAbsent(bean.getBeanName(),
(beanName) -> Optional.of(bean).map(BeanDefinitionHolder::getBeanDefinition)
.filter(AnnotatedBeanDefinition.class::isInstance).map(AnnotatedBeanDefinition.class::cast)
.map(this::getOrderAnnotationAttributesFromFactoryMethod).map(this::getOrder)
.orElse(Ordered.LOWEST_PRECEDENCE));
}
private Integer getOrder(AnnotationAttributes annotationAttributes) {
return Optional.ofNullable(annotationAttributes)
.map((it) -> it.getOrDefault("value", Ordered.LOWEST_PRECEDENCE)).map(Integer.class::cast)
.orElse(Ordered.LOWEST_PRECEDENCE);
}
private AnnotationAttributes getOrderAnnotationAttributesFromFactoryMethod(
AnnotatedBeanDefinition beanDefinition) {
return Optional.of(beanDefinition).map(AnnotatedBeanDefinition::getFactoryMethodMetadata)
.filter((methodMetadata) -> methodMetadata.isAnnotated(Order.class.getName()))
.map((methodMetadata) -> methodMetadata.getAnnotationAttributes(Order.class.getName()))
.map(AnnotationAttributes::fromMap)
.orElseGet(() -> getOrderAnnotationAttributesFromBeanClass(beanDefinition));
}
private AnnotationAttributes getOrderAnnotationAttributesFromBeanClass(AnnotatedBeanDefinition beanDefinition) {
return Optional.of(beanDefinition).map(AnnotatedBeanDefinition::getResolvableType)
.map(ResolvableType::resolve).filter((beanType) -> beanType.isAnnotationPresent(Order.class))
.map((beanType) -> beanType.getAnnotation(Order.class))
.map(AnnotationUtils::getAnnotationAttributes).map(AnnotationAttributes::fromMap).orElse(null);
}
}
}

Write Preview
Loading…
Cancel
Save