GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch '6.0.x' 

Closes gh-12593
pull/12609/head
Josh Cummings 3 years ago
parent
fa9c7fb50d c3563df25a
commit
1243d1327e
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 45 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
  2. 39
      config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java

8
config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
Unescape View File

@ -56,7 +56,9 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr @@ -56,7 +56,9 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.debug.DebugFilter;
import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;
@ -309,8 +311,10 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter, @@ -309,8 +311,10 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
}
else if (!this.observationRegistry.isNoop()) {
filterChainProxy
.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));
CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
new HttpStatusRequestRejectedHandler());
filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
}
filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
filterChainProxy.afterPropertiesSet();

39
config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
Unescape View File

@ -18,6 +18,8 @@ package org.springframework.security.config.annotation.web.builders; @@ -18,6 +18,8 @@ package org.springframework.security.config.annotation.web.builders;
import java.io.IOException;
import io.micrometer.observation.ObservationRegistry;
import io.micrometer.observation.ObservationTextPublisher;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.AfterEach;
@ -104,6 +106,15 @@ public class WebSecurityTests { @@ -104,6 +106,15 @@ public class WebSecurityTests {
@Test
public void requestRejectedHandlerInvoked() throws ServletException, IOException {
loadConfig(DefaultConfig.class);
this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
}
@Test
public void customRequestRejectedHandlerInvoked() throws ServletException, IOException {
loadConfig(RequestRejectedHandlerConfig.class);
this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path");
@ -111,6 +122,16 @@ public class WebSecurityTests { @@ -111,6 +122,16 @@ public class WebSecurityTests {
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
}
// gh-12548
@Test
public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
loadConfig(ObservationRegistryConfig.class);
this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
}
@Test
public void ignoringMvcMatcherServletPath() throws Exception {
loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);
@ -143,6 +164,11 @@ public class WebSecurityTests { @@ -143,6 +164,11 @@ public class WebSecurityTests {
this.context.getAutowireCapableBeanFactory().autowireBean(this);
}
@EnableWebSecurity
static class DefaultConfig {
}
@EnableWebSecurity
@Configuration
@EnableWebMvc
@ -243,4 +269,17 @@ public class WebSecurityTests { @@ -243,4 +269,17 @@ public class WebSecurityTests {
}
@Configuration
@EnableWebSecurity
static class ObservationRegistryConfig {
@Bean
ObservationRegistry observationRegistry() {
ObservationRegistry observationRegistry = ObservationRegistry.create();
observationRegistry.observationConfig().observationHandler(new ObservationTextPublisher());
return observationRegistry;
}
}
}

Write Preview
Loading…
Cancel
Save