GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Prevent using both authorizeRequests and authorizeHttpRequests 

Closes gh-10573
pull/10141/head
Marcus Da Coregio 4 years ago committed by Marcus Hert Da Coregio
parent
62e8799a8d
commit
ed3b0fbaad
2 changed files with 65 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
  2. 58
      config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java

7
config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
Unescape View File

@ -2889,8 +2889,15 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul @@ -2889,8 +2889,15 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
}
}
@SuppressWarnings("unchecked")
@Override
protected DefaultSecurityFilterChain performBuild() {
ExpressionUrlAuthorizationConfigurer<?> expressionConfigurer = getConfigurer(
ExpressionUrlAuthorizationConfigurer.class);
AuthorizeHttpRequestsConfigurer<?> httpConfigurer = getConfigurer(AuthorizeHttpRequestsConfigurer.class);
boolean oneConfigurerPresent = expressionConfigurer == null ^ httpConfigurer == null;
Assert.state((expressionConfigurer == null && httpConfigurer == null) || oneConfigurerPresent,
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
this.filters.sort(OrderComparator.INSTANCE);
List<Filter> sortedFilters = new ArrayList<>(this.filters.size());
for (Filter filter : this.filters) {

58
config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
Unescape View File

@ -24,6 +24,7 @@ import com.google.common.net.HttpHeaders; @@ -24,6 +24,7 @@ import com.google.common.net.HttpHeaders;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -47,6 +48,7 @@ import org.springframework.web.bind.annotation.GetMapping; @@ -47,6 +48,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@ -200,6 +202,24 @@ public class HttpSecurityConfigurationTests { @@ -200,6 +202,24 @@ public class HttpSecurityConfigurationTests {
this.mockMvc.perform(get("/login?logout")).andExpect(status().isOk());
}
@Test
public void configureWhenAuthorizeHttpRequestsBeforeAuthorizeRequestThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(
() -> this.spring.register(AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig.class).autowire())
.withMessageContaining(
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
}
@Test
public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(
() -> this.spring.register(AuthorizeHttpRequestsAfterAuthorizeRequestsConfig.class).autowire())
.withMessageContaining(
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
}
@RestController
static class NameController {
@ -270,6 +290,44 @@ public class HttpSecurityConfigurationTests { @@ -270,6 +290,44 @@ public class HttpSecurityConfigurationTests {
}
@EnableWebSecurity
static class AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
)
.authorizeRequests((requests) -> requests
.anyRequest().authenticated()
)
.build();
// @formatter:on
}
}
@EnableWebSecurity
static class AuthorizeHttpRequestsAfterAuthorizeRequestsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((requests) -> requests
.anyRequest().authenticated()
)
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
)
.build();
// @formatter:on
}
}
@RestController
static class BaseController {

Write Preview
Loading…
Cancel
Save