Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove Deprecation Markers 

Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
This commit is contained in:
Josh Cummings 2022-10-13 12:07:07 -06:00
parent 200b7fecd3
commit 099aaa33ff
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
9 changed files with 114 additions and 271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java
View File

@ -27,6 +27,7 @@ import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
@ -39,7 +40,6 @@ import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthen
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandlerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.NullSecurityContextRepository;
@ -73,12 +73,12 @@ public class BearerTokenAuthenticationFilter extends OncePerRequestFilter {
private AuthenticationEntryPoint authenticationEntryPoint = new BearerTokenAuthenticationEntryPoint();
private AuthenticationFailureHandler authenticationFailureHandler = new AuthenticationEntryPointFailureHandlerAdapter(
(request, response, authException) -> {
// This is a lambda and not a method reference so that the FailureHandler
// reflects entrypoint updates
this.authenticationEntryPoint.commence(request, response, authException);
});
private AuthenticationFailureHandler authenticationFailureHandler = (request, response, exception) -> {
if (exception instanceof AuthenticationServiceException) {
throw exception;
}
this.authenticationEntryPoint.commence(request, response, exception);
};
private BearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
@ -192,10 +192,7 @@ public class BearerTokenAuthenticationFilter extends OncePerRequestFilter {
* Set the {@link AuthenticationEntryPoint} to use. Defaults to
* {@link BearerTokenAuthenticationEntryPoint}.
* @param authenticationEntryPoint the {@code AuthenticationEntryPoint} to use
* @deprecated use
* {@link BearerTokenAuthenticationFilter#authenticationFailureHandler} instead
*/
@Deprecated
public void setAuthenticationEntryPoint(final AuthenticationEntryPoint authenticationEntryPoint) {
Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
this.authenticationEntryPoint = authenticationEntryPoint;

25
web/src/main/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandler.java
View File

@ -22,6 +22,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.util.Assert;
@ -31,11 +32,11 @@ import org.springframework.util.Assert;
*
* @author Sergey Bespalov
* @since 5.2.0
* @deprecated Use {@link AuthenticationEntryPointFailureHandlerAdapter} instead
*/
@Deprecated
public class AuthenticationEntryPointFailureHandler implements AuthenticationFailureHandler {
private boolean rethrowAuthenticationServiceException = false;
private final AuthenticationEntryPoint authenticationEntryPoint;
public AuthenticationEntryPointFailureHandler(AuthenticationEntryPoint authenticationEntryPoint) {
@ -46,7 +47,25 @@ public class AuthenticationEntryPointFailureHandler implements AuthenticationFai
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
this.authenticationEntryPoint.commence(request, response, exception);
if (!this.rethrowAuthenticationServiceException) {
this.authenticationEntryPoint.commence(request, response, exception);
return;
}
if (!AuthenticationServiceException.class.isAssignableFrom(exception.getClass())) {
this.authenticationEntryPoint.commence(request, response, exception);
return;
}
throw exception;
}
/**
* Set whether to rethrow {@link AuthenticationServiceException}s (defaults to false)
* @param rethrowAuthenticationServiceException whether to rethrow
* {@link AuthenticationServiceException}s
* @since 5.8
*/
public void setRethrowAuthenticationServiceException(boolean rethrowAuthenticationServiceException) {
this.rethrowAuthenticationServiceException = rethrowAuthenticationServiceException;
}
}

56
web/src/main/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandlerAdapter.java
View File

@ -1,56 +0,0 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.util.Assert;
/**
* Adapts a {@link AuthenticationEntryPoint} into a {@link AuthenticationFailureHandler}.
* When the failure is an {@link AuthenticationServiceException}, it re-throws, to produce
* an HTTP 500 error.
*
* @author Daniel Garnier-Moiroux
* @since 5.8
*/
public final class AuthenticationEntryPointFailureHandlerAdapter implements AuthenticationFailureHandler {
private final AuthenticationEntryPoint authenticationEntryPoint;
public AuthenticationEntryPointFailureHandlerAdapter(AuthenticationEntryPoint authenticationEntryPoint) {
Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
this.authenticationEntryPoint = authenticationEntryPoint;
}
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failure) throws IOException, ServletException {
if (AuthenticationServiceException.class.isAssignableFrom(failure.getClass())) {
throw failure;
}
this.authenticationEntryPoint.commence(request, response, failure);
}
}

23
web/src/main/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandler.java
View File

@ -18,6 +18,7 @@ package org.springframework.security.web.server.authentication;
import reactor.core.publisher.Mono;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
@ -29,13 +30,13 @@ import org.springframework.util.Assert;
*
* @author Rob Winch
* @since 5.0
* @deprecated use {@link ServerAuthenticationEntryPointFailureHandlerAdapter} instead.
*/
@Deprecated
public class ServerAuthenticationEntryPointFailureHandler implements ServerAuthenticationFailureHandler {
private final ServerAuthenticationEntryPoint authenticationEntryPoint;
private boolean rethrowAuthenticationServiceException = false;
public ServerAuthenticationEntryPointFailureHandler(ServerAuthenticationEntryPoint authenticationEntryPoint) {
Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
this.authenticationEntryPoint = authenticationEntryPoint;
@ -43,7 +44,23 @@ public class ServerAuthenticationEntryPointFailureHandler implements ServerAuthe
@Override
public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException exception) {
return this.authenticationEntryPoint.commence(webFilterExchange.getExchange(), exception);
if (!this.rethrowAuthenticationServiceException) {
return this.authenticationEntryPoint.commence(webFilterExchange.getExchange(), exception);
}
if (!AuthenticationServiceException.class.isAssignableFrom(exception.getClass())) {
return this.authenticationEntryPoint.commence(webFilterExchange.getExchange(), exception);
}
return Mono.error(exception);
}
/**
* Set whether to rethrow {@link AuthenticationServiceException}s (defaults to false)
* @param rethrowAuthenticationServiceException whether to rethrow
* {@link AuthenticationServiceException}s
* @since 5.8
*/
public void setRethrowAuthenticationServiceException(boolean rethrowAuthenticationServiceException) {
this.rethrowAuthenticationServiceException = rethrowAuthenticationServiceException;
}
}

53
web/src/main/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandlerAdapter.java
View File

@ -1,53 +0,0 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import reactor.core.publisher.Mono;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.util.Assert;
/**
* Adapts a {@link ServerAuthenticationEntryPoint} into a
* {@link ServerAuthenticationFailureHandler}. When the failure is an
* {@link AuthenticationServiceException}, it re-throws, to produce an HTTP 500 error.
*
* @author Daniel Garnier-Moiroux
* @since 5.8
*/
public class ServerAuthenticationEntryPointFailureHandlerAdapter implements ServerAuthenticationFailureHandler {
private final ServerAuthenticationEntryPoint authenticationEntryPoint;
public ServerAuthenticationEntryPointFailureHandlerAdapter(
ServerAuthenticationEntryPoint authenticationEntryPoint) {
Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
this.authenticationEntryPoint = authenticationEntryPoint;
}
@Override
public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException exception) {
if (AuthenticationServiceException.class.isAssignableFrom(exception.getClass())) {
return Mono.error(exception);
}
return this.authenticationEntryPoint.commence(webFilterExchange.getExchange(), exception);
}
}

69
web/src/test/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandlerAdapterTest.java
View File

@ -1,69 +0,0 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
/**
* @author Daniel Garnier-Moiroux
* @since 5.8
*/
class AuthenticationEntryPointFailureHandlerAdapterTest {
private final AuthenticationEntryPoint authenticationEntryPoint = mock(AuthenticationEntryPoint.class);
private final HttpServletRequest request = mock(HttpServletRequest.class);
private final HttpServletResponse response = mock(HttpServletResponse.class);
@Test
void onAuthenticationFailureThenCommenceAuthentication() throws ServletException, IOException {
AuthenticationEntryPointFailureHandlerAdapter failureHandler = new AuthenticationEntryPointFailureHandlerAdapter(
this.authenticationEntryPoint);
AuthenticationException failure = new AuthenticationException("failed") {
};
failureHandler.onAuthenticationFailure(this.request, this.response, failure);
verify(this.authenticationEntryPoint).commence(this.request, this.response, failure);
}
@Test
void onAuthenticationFailureWithAuthenticationServiceExceptionThenRethrows() {
AuthenticationEntryPointFailureHandlerAdapter failureHandler = new AuthenticationEntryPointFailureHandlerAdapter(
this.authenticationEntryPoint);
AuthenticationException failure = new AuthenticationServiceException("failed");
assertThatExceptionOfType(AuthenticationServiceException.class)
.isThrownBy(() -> failureHandler.onAuthenticationFailure(this.request, this.response, failure))
.isSameAs(failure);
verifyNoInteractions(this.authenticationEntryPoint);
}
}

48
web/src/test/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandlerTests.java Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication;
import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.web.AuthenticationEntryPoint;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.Mockito.mock;
/**
* Tests for {@link AuthenticationEntryPointFailureHandler}
*/
public class AuthenticationEntryPointFailureHandlerTests {
@Test
void onAuthenticationFailureWhenDefaultsThenAuthenticationServiceExceptionSwallowed() throws Exception {
AuthenticationEntryPoint entryPoint = mock(AuthenticationEntryPoint.class);
AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(entryPoint);
handler.onAuthenticationFailure(null, null, new AuthenticationServiceException("fail"));
}
@Test
void handleWhenRethrowingThenAuthenticationServiceExceptionRethrown() {
AuthenticationEntryPoint entryPoint = mock(AuthenticationEntryPoint.class);
AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(entryPoint);
handler.setRethrowAuthenticationServiceException(true);
assertThatExceptionOfType(AuthenticationServiceException.class).isThrownBy(
() -> handler.onAuthenticationFailure(null, null, new AuthenticationServiceException("fail")));
}
}

77
web/src/test/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandlerAdapterTest.java
View File

@ -1,77 +0,0 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
/**
* @author Daniel Garnier-Moiroux
* @since 5.8
*/
class ServerAuthenticationEntryPointFailureHandlerAdapterTest {
private final ServerAuthenticationEntryPoint serverAuthenticationEntryPoint = mock(
ServerAuthenticationEntryPoint.class);
private final ServerWebExchange serverWebExchange = mock(ServerWebExchange.class);
private final WebFilterExchange webFilterExchange = new WebFilterExchange(this.serverWebExchange,
mock(WebFilterChain.class));
@BeforeEach
void setUp() {
given(this.serverAuthenticationEntryPoint.commence(any(), any())).willReturn(Mono.empty());
}
@Test
void onAuthenticationFailureThenCommenceAuthentication() {
ServerAuthenticationEntryPointFailureHandlerAdapter failureHandler = new ServerAuthenticationEntryPointFailureHandlerAdapter(
this.serverAuthenticationEntryPoint);
AuthenticationException failure = new AuthenticationException("failed") {
};
failureHandler.onAuthenticationFailure(this.webFilterExchange, failure).block();
verify(this.serverAuthenticationEntryPoint).commence(this.serverWebExchange, failure);
}
@Test
void onAuthenticationFailureWithAuthenticationServiceExceptionThenRethrows() {
ServerAuthenticationEntryPointFailureHandlerAdapter failureHandler = new ServerAuthenticationEntryPointFailureHandlerAdapter(
this.serverAuthenticationEntryPoint);
AuthenticationException failure = new AuthenticationServiceException("failed");
assertThatExceptionOfType(AuthenticationServiceException.class)
.isThrownBy(() -> failureHandler.onAuthenticationFailure(this.webFilterExchange, failure).block())
.isSameAs(failure);
verifyNoInteractions(this.serverWebExchange);
}
}

17
web/src/test/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandlerTests.java
View File

@ -23,6 +23,7 @@ import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import reactor.core.publisher.Mono;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
@ -30,6 +31,7 @@ import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.BDDMockito.given;
@ -68,4 +70,19 @@ public class ServerAuthenticationEntryPointFailureHandlerTests {
assertThat(this.handler.onAuthenticationFailure(this.filterExchange, e)).isEqualTo(result);
}
@Test
void onAuthenticationFailureWhenDefaultsThenAuthenticationServiceExceptionSwallowed() {
AuthenticationServiceException e = new AuthenticationServiceException("fail");
given(this.authenticationEntryPoint.commence(this.exchange, e)).willReturn(Mono.empty());
this.handler.onAuthenticationFailure(this.filterExchange, e).block();
}
@Test
void handleWhenRethrowingThenAuthenticationServiceExceptionRethrown() {
AuthenticationServiceException e = new AuthenticationServiceException("fail");
this.handler.setRethrowAuthenticationServiceException(true);
assertThatExceptionOfType(AuthenticationServiceException.class)
.isThrownBy(() -> this.handler.onAuthenticationFailure(this.filterExchange, e).block());
}
}