GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add Option to Filter All Dispatcher Types 

Closes gh-11092
pull/11111/head
Marcus Da Coregio 4 years ago committed by Marcus Hert Da Coregio
parent
6e6d472da4
commit
7fea639a43
4 changed files with 132 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
  2. 22
      docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
  3. 28
      web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
  4. 67
      web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java

16
config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
Unescape View File

@ -85,6 +85,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager(); AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager); AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
authorizationFilter.setAuthorizationEventPublisher(this.publisher); authorizationFilter.setAuthorizationEventPublisher(this.publisher);
authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
http.addFilter(postProcess(authorizationFilter)); http.addFilter(postProcess(authorizationFilter));
} }
@ -117,6 +118,8 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
private int mappingCount; private int mappingCount;
private boolean shouldFilterAllDispatcherTypes = false;
private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) { private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
setApplicationContext(context); setApplicationContext(context);
} }
@ -170,6 +173,19 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
return this; return this;
} }
/**
* Sets whether all dispatcher types should be filtered.
* @param shouldFilter should filter all dispatcher types. Default is
* {@code false}
* @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
* customizations
* @since 5.7
*/
public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
this.shouldFilterAllDispatcherTypes = shouldFilter;
return this;
}
/** /**
* Return the {@link HttpSecurityBuilder} when done using the * Return the {@link HttpSecurityBuilder} when done using the
* {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining. * {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.

22
docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
Unescape View File

@ -169,3 +169,25 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
} }
---- ----
==== ====
By default, the `AuthorizationFilter` does not apply to `DispatcherType.ERROR` and `DispatcherType.ASYNC`.
We can configure Spring Security to apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
.Set shouldFilterAllDispatcherTypes to true
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true)
.anyRequest.authenticated()
)
// ...
return http.build();
}
----
====

28
web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
Unescape View File

@ -50,6 +50,8 @@ public class AuthorizationFilter extends OncePerRequestFilter {
private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish; private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;
private boolean shouldFilterAllDispatcherTypes = false;
/** /**
* Creates an instance. * Creates an instance.
* @param authorizationManager the {@link AuthorizationManager} to use * @param authorizationManager the {@link AuthorizationManager} to use
@ -80,6 +82,22 @@ public class AuthorizationFilter extends OncePerRequestFilter {
return authentication; return authentication;
} }
@Override
protected void doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
doFilterInternal(request, response, filterChain);
}
@Override
protected boolean shouldNotFilterAsyncDispatch() {
return !this.shouldFilterAllDispatcherTypes;
}
@Override
protected boolean shouldNotFilterErrorDispatch() {
return !this.shouldFilterAllDispatcherTypes;
}
/** /**
* Use this {@link AuthorizationEventPublisher} to publish * Use this {@link AuthorizationEventPublisher} to publish
* {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s. * {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s.
@ -99,6 +117,16 @@ public class AuthorizationFilter extends OncePerRequestFilter {
return this.authorizationManager; return this.authorizationManager;
} }
/**
* Sets whether to filter all dispatcher types.
* @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
* is {@code false}
* @since 5.7
*/
public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
this.shouldFilterAllDispatcherTypes = shouldFilterAllDispatcherTypes;
}
private static <T> void noPublish(Supplier<Authentication> authentication, T object, private static <T> void noPublish(Supplier<Authentication> authentication, T object,
AuthorizationDecision decision) { AuthorizationDecision decision) {

67
web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;
import java.util.function.Supplier; import java.util.function.Supplier;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -38,6 +39,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.web.util.WebUtils;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@ -165,4 +167,67 @@ public class AuthorizationFilterTests {
any(AuthorizationDecision.class)); any(AuthorizationDecision.class));
} }
@Test
public void doFilterWhenErrorThenDoNotFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verifyNoInteractions(authorizationManager);
}
@Test
public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesThenFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
authorizationFilter.setShouldFilterAllDispatcherTypes(true);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
}
@Test
public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
authorizationFilter.setShouldFilterAllDispatcherTypes(true);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
}
@Test
public void doFilterNestedErrorDispatchWhenAuthorizationEventPublisherThenUses() throws Exception {
AuthorizationFilter authorizationFilter = new AuthorizationFilter(
AuthenticatedAuthorizationManager.authenticated());
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"));
SecurityContextHolder.setContext(securityContext);
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
any(AuthorizationDecision.class));
}
} }

Write Preview
Loading…
Cancel
Save