mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-07-05 00:56:58 +08:00
Align default security filter dispatcher types with Spring Security
Fixes gh-33090
parent
d34ccb3880
commit
f4cf722c27
@ -83,8 +83,8 @@ public class SecurityProperties {
|
||||
/**
|
||||
* Security filter chain dispatcher types.
|
||||
*/
|
||||
private Set<DispatcherType> dispatcherTypes = new HashSet<>(
|
||||
Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
|
||||
private Set<DispatcherType> dispatcherTypes = new HashSet<>(Arrays.asList(DispatcherType.ASYNC,
|
||||
DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE));
|
||||
|
||||
public int getOrder() {
|
||||
return this.order;
|
||||
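Review bot: The Javadoc above `dispatcherTypes` still reads only "Security filter chain dispatcher types." although the default now also covers FORWARD and INCLUDE, so anyone upgrading gets no hint that the security filter is presumably now invoked on forwarded and included dispatches as well. I would state the default and its consequence, e.g. `* Security filter chain dispatcher types. Defaults to ASYNC, ERROR, FORWARD, INCLUDE and REQUEST; a type that is left out is not passed through the security filter chain.` As a style point, `EnumSet.of(...)` would express the same default more directly than `new HashSet<>(Arrays.asList(...))`, assuming nothing relies on the concrete set type. The class body continues outside this hunk.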
|
@ -161,7 +161,8 @@ class SecurityAutoConfigurationTests {
|
||||
DelegatingFilterProxyRegistrationBean.class);
|
||||
assertThat(bean)
|
||||
.extracting("dispatcherTypes", InstanceOfAssertFactories.iterable(DispatcherType.class))
|
||||
.containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST);
|
||||
.containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST,
|
||||
DispatcherType.INCLUDE, DispatcherType.FORWARD);
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -16,6 +16,8 @@
|
||||
|
||||
package smoketest.security.method;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
|
||||
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
@ -71,7 +73,10 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
|
||||
@Bean
|
||||
SecurityFilterChain configure(HttpSecurity http) throws Exception {
|
||||
http.csrf().disable();
|
||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
|
||||
http.authorizeHttpRequests((requests) -> {
|
||||
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
|
||||
requests.anyRequest().fullyAuthenticated();
|
||||
});
|
||||
http.httpBasic();
|
||||
http.formLogin((form) -> form.loginPage("/login").permitAll());
|
||||
http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access"));
|
||||
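Review bot: The new rule `requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();` in `configure` exempts every FORWARD dispatch from authorization whatever its target, and the sample gives no reason, so readers who copy it cannot tell when that is safe. A comment above the line would help, e.g. `// FORWARD dispatches (such as view rendering) follow a REQUEST dispatch that was already authorized, so they are permitted here`, ideally adding that an application which forwards to paths with stricter rules should match those paths instead of permitting all forwards. The same uncommented line is added in SampleWebSecureCustomApplication, SampleWebSecureJdbcApplication and SampleWebSecureApplicationTests. `configure` continues past the end of this hunk.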
|
@ -16,6 +16,8 @@
|
||||
|
||||
package smoketest.web.secure.custom;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
@ -44,7 +46,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
|
||||
@Bean
|
||||
SecurityFilterChain configure(HttpSecurity http) throws Exception {
|
||||
http.csrf().disable();
|
||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
|
||||
http.authorizeHttpRequests((requests) -> {
|
||||
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
|
||||
requests.anyRequest().fullyAuthenticated();
|
||||
});
|
||||
http.formLogin((form) -> form.loginPage("/login").permitAll());
|
||||
return http.build();
|
||||
}
|
||||
|
@ -18,6 +18,8 @@ package smoketest.web.secure.jdbc;
|
||||
|
||||
import javax.sql.DataSource;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.boot.builder.SpringApplicationBuilder;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
@ -47,7 +49,10 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
|
||||
@Bean
|
||||
SecurityFilterChain configure(HttpSecurity http) throws Exception {
|
||||
http.csrf().disable();
|
||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
|
||||
http.authorizeHttpRequests((requests) -> {
|
||||
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
|
||||
requests.anyRequest().fullyAuthenticated();
|
||||
});
|
||||
http.formLogin((form) -> form.loginPage("/login").permitAll());
|
||||
return http.build();
|
||||
}
|
||||
|
@ -18,6 +18,7 @@ package smoketest.web.secure;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -97,6 +98,7 @@ class SampleWebSecureApplicationTests {
|
||||
http.csrf().disable();
|
||||
http.authorizeHttpRequests((requests) -> {
|
||||
requests.requestMatchers("/public/**").permitAll();
|
||||
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
|
||||
requests.anyRequest().fullyAuthenticated();
|
||||
});
|
||||
http.httpBasic();
|
||||
|