Align default security filter dispatcher types with Spring Security

Fixes gh-33090
Madhura Bhave 2022-11-09 15:26:31 -08:00
parent d34ccb3880
commit f4cf722c27
6 changed files with 24 additions and 6 deletions


@ -83,8 +83,8 @@ public class SecurityProperties {
/** /**
* Security filter chain dispatcher types. * Security filter chain dispatcher types.
*/ */
private Set<DispatcherType> dispatcherTypes = new HashSet<>( private Set<DispatcherType> dispatcherTypes = new HashSet<>(Arrays.asList(DispatcherType.ASYNC,
Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST)); DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE));
public int getOrder() { public int getOrder() {
return this.order; return this.order;
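Review bot: The Javadoc on `dispatcherTypes` still reads only `Security filter chain dispatcher types.`, which no longer tells a reader what the default is or that it has changed, and this description is what ends up in the property metadata users see in their IDE. Adding FORWARD and INCLUDE means the security filter chain now runs on forwarded and included dispatches as well, so an application whose rules end in `anyRequest().authenticated()` will have that rule applied to its internal forwards too (the sample applications in this commit add a FORWARD `permitAll()` for exactly that reason). I would expand the comment to `Security filter chain dispatcher types. Defaults to ASYNC, ERROR, FORWARD, INCLUDE and REQUEST, matching Spring Security's own default; authorization rules therefore also apply to forwarded and included dispatches.` As a style point, `EnumSet.of(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE)` expresses the same default more directly than `new HashSet<>(Arrays.asList(...))`. The enclosing `SecurityProperties` class continues outside the hunk.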


@ -161,7 +161,8 @@ class SecurityAutoConfigurationTests {
DelegatingFilterProxyRegistrationBean.class); DelegatingFilterProxyRegistrationBean.class);
assertThat(bean) assertThat(bean)
.extracting("dispatcherTypes", InstanceOfAssertFactories.iterable(DispatcherType.class)) .extracting("dispatcherTypes", InstanceOfAssertFactories.iterable(DispatcherType.class))
.containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST); .containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST,
DispatcherType.INCLUDE, DispatcherType.FORWARD);
}); });
} }


@ -16,6 +16,8 @@
package smoketest.security.method; package smoketest.security.method;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
@ -71,7 +73,10 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Bean @Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception { SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable(); http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated()); http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.httpBasic(); http.httpBasic();
http.formLogin((form) -> form.loginPage("/login").permitAll()); http.formLogin((form) -> form.loginPage("/login").permitAll());
http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access")); http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access"));
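Review bot: The new `requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()` is an unconditional authorization grant with no comment explaining it, and in a sample that people copy it reads like a blanket bypass. It is presumably needed because the default dispatcher types now include FORWARD, so the internal forwards this application performs (view rendering, and the `accessDeniedPage("/access")` handler on the last line, which I believe is served via a forward) would otherwise be re-evaluated against `anyRequest().fullyAuthenticated()` and rejected; worth confirming that is the only reason. I would put the rationale above the line: `// FORWARD dispatches are internal and were already authorized on the originating REQUEST; permit them so view rendering and the access-denied page are not re-checked.` Ordering matters here: the FORWARD rule must stay before `anyRequest()`, since Spring Security applies the first matching rule. `configure` continues past the end of the hunk.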


@ -16,6 +16,8 @@
package smoketest.web.secure.custom; package smoketest.web.secure.custom;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
@ -44,7 +46,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
@Bean @Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception { SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable(); http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated()); http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.formLogin((form) -> form.loginPage("/login").permitAll()); http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build(); return http.build();
} }
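Review bot: The added `dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()` carries no explanation, so a reader of this sample cannot tell whether it is a deliberate consequence of the new default dispatcher types or an accidental loosening of the `anyRequest().fullyAuthenticated()` rule that follows it. Presumably it exists because the filter chain is now applied to FORWARD dispatches and the forwards behind view rendering and the `/login` page would otherwise be denied; a one-line comment such as `// forwards are internal and already authorized on the original request; do not re-check them` would make that intent explicit. Keep this rule ahead of `anyRequest()`, as the rules are matched in order.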


@ -18,6 +18,8 @@ package smoketest.web.secure.jdbc;
import javax.sql.DataSource; import javax.sql.DataSource;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
@ -47,7 +49,10 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
@Bean @Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception { SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable(); http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated()); http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.formLogin((form) -> form.loginPage("/login").permitAll()); http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build(); return http.build();
} }
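Review bot: As in the other samples, `requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()` is added without a comment, and a `permitAll()` keyed on a dispatcher type rather than a path is easy to misread as a security hole when copied into a real application. The likely reason is that the default dispatcher types now include FORWARD and the internal forwards used for view rendering would otherwise fail `anyRequest().fullyAuthenticated()`; I would state that above the line, e.g. `// FORWARD dispatches are internal; the originating REQUEST was already authorized`. The rule's position before `anyRequest()` is load-bearing and should not be reordered.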


@ -18,6 +18,7 @@ package smoketest.web.secure;
import java.util.Collections; import java.util.Collections;
import jakarta.servlet.DispatcherType;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -97,6 +98,7 @@ class SampleWebSecureApplicationTests {
http.csrf().disable(); http.csrf().disable();
http.authorizeHttpRequests((requests) -> { http.authorizeHttpRequests((requests) -> {
requests.requestMatchers("/public/**").permitAll(); requests.requestMatchers("/public/**").permitAll();
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated(); requests.anyRequest().fullyAuthenticated();
}); });
http.httpBasic(); http.httpBasic();
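Review bot: The added `requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()` in this test configuration has no comment, so it is not clear to a later maintainer that it is required by the new default dispatcher types rather than being an arbitrary relaxation of the `anyRequest().fullyAuthenticated()` rule. A short why-comment, `// FORWARD is now in the default dispatcher types; internal forwards were authorized on the original request`, would preserve that context. Its placement after the `/public/**` rule and before `anyRequest()` is correct, since the first matching rule is applied. The enclosing method continues beyond the hunk.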