GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix AuthorizationFilter incorrectly extending OncePerRequestFilter 

Closes gh-12102
5.5.x
Marcus Da Coregio 3 years ago committed by Steve Riesenberg
parent
e7fe778abc
commit
1f481aafff
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 215 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 97
      web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
  2. 125
      web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java

97
web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -18,8 +18,11 @@ package org.springframework.security.web.access.intercept; @@ -18,8 +18,11 @@ package org.springframework.security.web.access.intercept;
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -28,7 +31,7 @@ import org.springframework.security.authorization.AuthorizationManager; @@ -28,7 +31,7 @@ import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.filter.GenericFilterBean;
/**
* An authorization filter that restricts access to the URL using
@ -37,10 +40,16 @@ import org.springframework.web.filter.OncePerRequestFilter; @@ -37,10 +40,16 @@ import org.springframework.web.filter.OncePerRequestFilter;
* @author Evgeniy Cheban
* @since 5.5
*/
public class AuthorizationFilter extends OncePerRequestFilter {
public class AuthorizationFilter extends GenericFilterBean {
private final AuthorizationManager<HttpServletRequest> authorizationManager;
private boolean observeOncePerRequest = true;
private boolean filterErrorDispatch = false;
private boolean filterAsyncDispatch = false;
/**
* Creates an instance.
* @param authorizationManager the {@link AuthorizationManager} to use
@ -51,11 +60,53 @@ public class AuthorizationFilter extends OncePerRequestFilter { @@ -51,11 +60,53 @@ public class AuthorizationFilter extends OncePerRequestFilter {
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
throws ServletException, IOException {
this.authorizationManager.verify(this::getAuthentication, request);
filterChain.doFilter(request, response);
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
if (this.observeOncePerRequest && isApplied(request)) {
chain.doFilter(request, response);
return;
}
if (skipDispatch(request)) {
chain.doFilter(request, response);
return;
}
String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);
try {
this.authorizationManager.verify(this::getAuthentication, request);
chain.doFilter(request, response);
}
finally {
request.removeAttribute(alreadyFilteredAttributeName);
}
}
private boolean skipDispatch(HttpServletRequest request) {
if (DispatcherType.ERROR.equals(request.getDispatcherType()) && !this.filterErrorDispatch) {
return true;
}
if (DispatcherType.ASYNC.equals(request.getDispatcherType()) && !this.filterAsyncDispatch) {
return true;
}
return false;
}
private boolean isApplied(HttpServletRequest request) {
return request.getAttribute(getAlreadyFilteredAttributeName()) != null;
}
private String getAlreadyFilteredAttributeName() {
String name = getFilterName();
if (name == null) {
name = getClass().getName();
}
return name + ".APPLIED";
}
private Authentication getAuthentication() {
@ -75,4 +126,38 @@ public class AuthorizationFilter extends OncePerRequestFilter { @@ -75,4 +126,38 @@ public class AuthorizationFilter extends OncePerRequestFilter {
return this.authorizationManager;
}
public boolean isObserveOncePerRequest() {
return this.observeOncePerRequest;
}
/**
* Sets whether this filter apply only once per request. By default, this is
* <code>true</code>, meaning the filter will only execute once per request. Sometimes
* users may wish it to execute more than once per request, such as when JSP forwards
* are being used and filter security is desired on each included fragment of the HTTP
* request.
* @param observeOncePerRequest whether the filter should only be applied once per
* request
*/
public void setObserveOncePerRequest(boolean observeOncePerRequest) {
this.observeOncePerRequest = observeOncePerRequest;
}
/**
* If set to true, the filter will be applied to error dispatcher. Defaults to false.
* @param filterErrorDispatch whether the filter should be applied to error dispatcher
*/
public void setFilterErrorDispatch(boolean filterErrorDispatch) {
this.filterErrorDispatch = filterErrorDispatch;
}
/**
* If set to true, the filter will be applied to the async dispatcher. Defaults to
* false.
* @param filterAsyncDispatch whether the filter should be applied to async dispatch
*/
public void setFilterAsyncDispatch(boolean filterAsyncDispatch) {
this.filterAsyncDispatch = filterAsyncDispatch;
}
}

125
web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,15 +16,20 @@ @@ -16,15 +16,20 @@
package org.springframework.security.web.access.intercept;
import java.io.IOException;
import java.util.function.Supplier;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
@ -36,6 +41,7 @@ import org.springframework.security.core.Authentication; @@ -36,6 +41,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.test.util.ReflectionTestUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@ -43,6 +49,7 @@ import static org.mockito.ArgumentMatchers.any; @@ -43,6 +49,7 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.willThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
@ -53,6 +60,24 @@ import static org.mockito.Mockito.verifyNoInteractions; @@ -53,6 +60,24 @@ import static org.mockito.Mockito.verifyNoInteractions;
*/
public class AuthorizationFilterTests {
private static final String ALREADY_FILTERED_ATTRIBUTE_NAME = "org.springframework.security.web.access.intercept.AuthorizationFilter.APPLIED";
private AuthorizationFilter filter;
private AuthorizationManager<HttpServletRequest> authorizationManager;
private MockHttpServletRequest request = new MockHttpServletRequest();
private final MockHttpServletResponse response = new MockHttpServletResponse();
private final FilterChain chain = new MockFilterChain();
@Before
public void setup() {
this.authorizationManager = mock(AuthorizationManager.class);
this.filter = new AuthorizationFilter(this.authorizationManager);
}
@After
public void tearDown() {
SecurityContextHolder.clearContext();
@ -132,4 +157,102 @@ public class AuthorizationFilterTests { @@ -132,4 +157,102 @@ public class AuthorizationFilterTests {
assertThat(authorizationFilter.getAuthorizationManager()).isSameAs(authorizationManager);
}
@Test
public void doFilterWhenObserveOncePerRequestTrueAndIsAppliedThenNotInvoked() throws ServletException, IOException {
setIsAppliedTrue();
this.filter.setObserveOncePerRequest(true);
this.filter.doFilter(this.request, this.response, this.chain);
verifyNoInteractions(this.authorizationManager);
}
@Test
public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException {
this.filter.setObserveOncePerRequest(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).verify(any(), any());
}
@Test
public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() throws ServletException, IOException {
setIsAppliedTrue();
this.filter.setObserveOncePerRequest(false);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).verify(any(), any());
}
@Test
public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException {
this.filter.setObserveOncePerRequest(false);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).verify(any(), any());
}
@Test
public void doFilterWhenFilterErrorDispatchFalseAndIsErrorThenNotInvoked() throws ServletException, IOException {
this.request.setDispatcherType(DispatcherType.ERROR);
this.filter.setFilterErrorDispatch(false);
this.filter.doFilter(this.request, this.response, this.chain);
verifyNoInteractions(this.authorizationManager);
}
@Test
public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws ServletException, IOException {
this.request.setDispatcherType(DispatcherType.ERROR);
this.filter.setFilterErrorDispatch(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).verify(any(), any());
}
@Test
public void doFilterWhenFilterThenSetAlreadyFilteredAttribute() throws ServletException, IOException {
this.request = mock(MockHttpServletRequest.class);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.request).setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
}
@Test
public void doFilterWhenFilterThenRemoveAlreadyFilteredAttribute() throws ServletException, IOException {
this.request = spy(MockHttpServletRequest.class);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.request).setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
assertThat(this.request.getAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME)).isNull();
}
@Test
public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws ServletException, IOException {
this.request.setDispatcherType(DispatcherType.ASYNC);
this.filter.setFilterAsyncDispatch(true);
this.filter.doFilter(this.request, this.response, this.chain);
verify(this.authorizationManager).verify(any(), any());
}
@Test
public void doFilterWhenFilterAsyncDispatchFalseAndIsAsyncThenNotInvoked() throws ServletException, IOException {
this.request.setDispatcherType(DispatcherType.ASYNC);
this.filter.setFilterAsyncDispatch(false);
this.filter.doFilter(this.request, this.response, this.chain);
verifyNoInteractions(this.authorizationManager);
}
@Test
public void filterWhenFilterErrorDispatchDefaultThenFalse() {
Boolean filterErrorDispatch = (Boolean) ReflectionTestUtils.getField(this.filter, "filterErrorDispatch");
assertThat(filterErrorDispatch).isFalse();
}
@Test
public void filterWhenFilterAsyncDispatchDefaultThenFalse() {
Boolean filterAsyncDispatch = (Boolean) ReflectionTestUtils.getField(this.filter, "filterAsyncDispatch");
assertThat(filterAsyncDispatch).isFalse();
}
@Test
public void filterWhenObserveOncePerRequestDefaultThenTrue() {
assertThat(this.filter.isObserveOncePerRequest()).isTrue();
}
private void setIsAppliedTrue() {
this.request.setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
}
}

Write Preview
Loading…
Cancel
Save