Print ignore message DefaultSecurityFilterChain

When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its output which paths are ignored according to the
`ignoring()` settings.

Closes gh-9334
Manuel Jordan 2021-03-29 12:07:24 -05:00 committed by Josh Cummings
parent ac990afa5d
commit 0be772ff5b
9 changed files with 7415 additions and 10 deletions


@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
private ApplicationContext context; private ApplicationContext context;
private boolean anyRequestConfigured = false; protected boolean anyRequestConfigured = false;
protected final void setApplicationContext(ApplicationContext context) { protected final void setApplicationContext(ApplicationContext context) {
this.context = context; this.context = context;
@ -165,7 +165,8 @@ public abstract class AbstractRequestMatcherRegistry<C> {
if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) { if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
+ " of type " + HandlerMappingIntrospector.class.getName() + " of type " + HandlerMappingIntrospector.class.getName()
+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext."); + " is required to use MvcRequestMatcher."
+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
} }
HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
HandlerMappingIntrospector.class); HandlerMappingIntrospector.class);
@ -265,7 +266,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* @author Rob Winch * @author Rob Winch
* @since 3.2 * @since 3.2
*/ */
private static final class RequestMatchers { public static final class RequestMatchers {
private RequestMatchers() { private RequestMatchers() {
} }
@ -278,7 +279,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* from * from
* @return a {@link List} of {@link AntPathRequestMatcher} instances * @return a {@link List} of {@link AntPathRequestMatcher} instances
*/ */
static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) { public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
String method = (httpMethod != null) ? httpMethod.toString() : null; String method = (httpMethod != null) ? httpMethod.toString() : null;
List<RequestMatcher> matchers = new ArrayList<>(); List<RequestMatcher> matchers = new ArrayList<>();
for (String pattern : antPatterns) { for (String pattern : antPatterns) {
@ -294,7 +295,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* from * from
* @return a {@link List} of {@link AntPathRequestMatcher} instances * @return a {@link List} of {@link AntPathRequestMatcher} instances
*/ */
static List<RequestMatcher> antMatchers(String... antPatterns) { public static List<RequestMatcher> antMatchers(String... antPatterns) {
return antMatchers(null, antPatterns); return antMatchers(null, antPatterns);
} }
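Review bot: Widening `RequestMatchers` and its `antMatchers` factories to `public` turns an internal helper of AbstractRequestMatcherRegistry into published API, while the only new caller visible on this page is the subclass `IgnoredRequestConfigurer` in WebSecurity. Declaring the nested class `protected static final class RequestMatchers` would reach that subclass without exposing it to arbitrary callers; the factories themselves would then have to be `public static`, because `protected static` methods of the nested class are reachable only from subclasses of `RequestMatchers` itself. Likewise `anyRequestConfigured` becomes a mutable `protected` field where the subclass only reads it in `Assert.state`; a `protected final boolean isAnyRequestConfigured()` accessor would give that read without letting subclasses write the flag. If the class Javadoc describes this registry for extension, the new protected members belong there. The bodies of `RequestMatchers` and `antMatchers(HttpMethod, String...)` continue outside the hunks.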


@ -17,6 +17,7 @@
package org.springframework.security.config.annotation.web.builders; package org.springframework.security.config.annotation.web.builders;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.List; import java.util.List;
import javax.servlet.Filter; import javax.servlet.Filter;
@ -30,6 +31,7 @@ import org.springframework.beans.BeansException;
import org.springframework.beans.factory.NoSuchBeanDefinitionException; import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware; import org.springframework.context.ApplicationContextAware;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.SecurityExpressionHandler; import org.springframework.security.access.expression.SecurityExpressionHandler;
@ -60,6 +62,7 @@ import org.springframework.security.web.debug.DebugFilter;
import org.springframework.security.web.firewall.HttpFirewall; import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedHandler; import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher; import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcherEntry; import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@ -108,7 +111,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
private WebInvocationPrivilegeEvaluator privilegeEvaluator; private WebInvocationPrivilegeEvaluator privilegeEvaluator;
private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler(); private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler; private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
@ -420,6 +423,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
@Override @Override
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) { public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns); List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
mvcMatchers.stream().forEach((t) -> t.ignore());
WebSecurity.this.ignoredRequests.addAll(mvcMatchers); WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers); return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
} }
@ -429,6 +434,38 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
return mvcMatchers(null, mvcPatterns); return mvcMatchers(null, mvcPatterns);
} }
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
return antMatchers(method, "/**");
}
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(antMatchers);
}
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
}
@Override @Override
protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) { protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
WebSecurity.this.ignoredRequests.addAll(requestMatchers); WebSecurity.this.ignoredRequests.addAll(requestMatchers);
@ -442,6 +479,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
return WebSecurity.this; return WebSecurity.this;
} }
/**
* @param method the HttpMethod, it could be null too.
* @param pathPattern the path pattern to be ignored
* @since 5.5
*/
private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
if (pathPattern.equals("/**")) {
WebSecurity.this.logger
.warn("**********************************************************************************");
if (method != null) {
WebSecurity.this.logger.warn(LogMessage.format(
"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
WebSecurity.this.logger
.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
}
else {
WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
WebSecurity.this.logger.warn("You're disabling practically all the paths");
WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
}
WebSecurity.this.logger.warn("It is not recomended for production");
WebSecurity.this.logger
.warn("**********************************************************************************");
}
}
} }
} }
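Review bot: In `antMatchers(String... antPatterns)` the return statement builds a second matcher list via `RequestMatchers.antMatchers(antPatterns)` instead of returning the `antMatchers` local on which `ignore()` was just invoked, so the matchers actually added to `ignoredRequests` keep `isIgnore()` false and DefaultSecurityFilterChain will still report them as "Will secure". Replace the last line with `return chainRequestMatchers(antMatchers);`, or reduce the whole overload to `return antMatchers(null, antPatterns);` as `mvcMatchers(String...)` already does for its method-less form, which also removes the duplicated `Arrays.asList(...).stream().forEach(...)` loop and the unchecked `(IgnoreRequestMatcher) t` cast. The cast that remains in `antMatchers(HttpMethod, String...)` silently relies on `RequestMatchers.antMatchers` always producing `AntPathRequestMatcher`; a plain for loop with an `instanceof` guard would state that assumption in code. The log string `"It is not recomended for production"` in `printWarnSecurityMessage` is misspelled (recommended).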


@ -0,0 +1,50 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Test package for path patterns that must be ignored by Spring Security and must be
* indicated/notified through the output, it thanks to the
* <code>DefaultSecurityFilterChain</code>'s constructor.
*
* <p>
* <b>NOTE:</b> be advised that to test if a path(s) was really ignored or not, by
* simplicity, is checking the output shown in the test report, it based with the pattern
* <code>"Will not secure /ABC"</code>, where <code>ABC</code> was defined through the
* <code>web.ignoring()</code> approach. Is very important edit the
* <code>logback-test.xml</code> file (of this module) to change
* <code>level="${sec.log.level:-WARN}"</code> to
* <code>level="${sec.log.level:-INFO}"</code>
*
* <p>
* In the handler methods do not return the view name (i.e:
* <code>return "something"</code>) based on the path value (i.e:
* <code>@GetMapping(path = "/something")</code>), otherwise the tests fail with:
*
* <pre class="code">
* javax.servlet.ServletException:
* Circular view path [something]:
* would dispatch back to the current handler URL [/something] again.
* Check your ViewResolver setup!
* (Hint: This may be the result of an unspecified view, due to default view name generation.)
* </pre>
*
* That's why the all handler methods are based with the
* <code>return "something/something"</code> pattern.
*
* @author Manuel Jordan
* @since 5.5
*/
package org.springframework.security.config.annotation.web.configuration.ignore;


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,6 +27,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage; import org.springframework.core.log.LogMessage;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
/** /**
@ -48,7 +49,18 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
} }
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) { public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
if (requestMatcher instanceof IgnoreRequestMatcher) {
IgnoreRequestMatcher ignoreRequestMatcher = (IgnoreRequestMatcher) requestMatcher;
if (ignoreRequestMatcher.isIgnore()) {
logger.info(LogMessage.format("Will not secure %s with %s", requestMatcher, filters));
}
else {
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters)); logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
}
}
else {
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
}
this.requestMatcher = requestMatcher; this.requestMatcher = requestMatcher;
this.filters = new ArrayList<>(filters); this.filters = new ArrayList<>(filters);
} }
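Review bot: The constructor now emits "Will secure" from two separate branches and nests the `isIgnore()` test inside the `instanceof` test, which is more code than the decision needs. Computing the flag once, `boolean ignored = (requestMatcher instanceof IgnoreRequestMatcher) && ((IgnoreRequestMatcher) requestMatcher).isIgnore();`, followed by `logger.info(LogMessage.format(ignored ? "Will not secure %s with %s" : "Will secure %s with %s", requestMatcher, filters));` keeps a single log statement with the same output. Note that the message reflects only a flag set on the matcher at configuration time, not the `filters` list that actually governs the chain, so if an ignored matcher could ever be paired with a non-empty filter list the log would be misleading; a comment such as `// "ignored" is advisory: the matcher flag, not the filter list, drives this message` would make that explicit for the next reader.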


@ -0,0 +1,37 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.restriction;
/**
* Indicates if the path should be ignored or not by Spring Security.
*
* @author Manuel Jordan
* @since 5.5
*/
public interface IgnoreRequestMatcher {
/**
* Establishes the path must be ignored.
*/
void ignore();
/**
* If the path should be ignored or not.
*/
boolean isIgnore();
}
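Review bot: IgnoreRequestMatcher is declared in `org.springframework.security.web.server.restriction`, but its two implementors on this page are servlet-stack matchers (`MvcRequestMatcher` and `AntPathRequestMatcher`, both importing `javax.servlet.http.HttpServletRequest`), so the `server` segment looks misplaced for an interface that decorates the servlet `RequestMatcher`; `org.springframework.security.web.util.matcher`, beside `RequestMatcher`, would be the natural home. The Javadoc should also state that the flag is one-way and configuration-time, since there is no method to clear it: for `ignore()`, `Establishes that requests matched by this matcher are left unsecured; this cannot be undone.`, and for `isIgnore()`, `@return {@code true} if matched requests are to be left unsecured by Spring Security`. A name like `isIgnored()` would read more conventionally, though that is a matter of style.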


@ -21,6 +21,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestVariablesExtractor; import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
import org.springframework.util.AntPathMatcher; import org.springframework.util.AntPathMatcher;
@ -44,9 +45,10 @@ import org.springframework.web.util.UrlPathHelper;
* @author Rob Winch * @author Rob Winch
* @author Eddú Meléndez * @author Eddú Meléndez
* @author Evgeniy Cheban * @author Evgeniy Cheban
* @author Manuel Jordan
* @since 4.1.1 * @since 4.1.1
*/ */
public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor { public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
private final DefaultMatcher defaultMatcher = new DefaultMatcher(); private final DefaultMatcher defaultMatcher = new DefaultMatcher();
@ -58,9 +60,12 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
private String servletPath; private String servletPath;
private boolean ignore;
public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) { public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) {
this.introspector = introspector; this.introspector = introspector;
this.pattern = pattern; this.pattern = pattern;
this.ignore = false;
} }
@Override @Override
@ -129,6 +134,16 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
return this.servletPath; return this.servletPath;
} }
@Override
public void ignore() {
this.ignore = true;
}
@Override
public boolean isIgnore() {
return this.ignore;
}
@Override @Override
public String toString() { public String toString() {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
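Review bot: `this.ignore = false;` in the constructor restates the field's default and can be dropped; the same redundant line appears in the AntPathRequestMatcher constructor further down this page. `ignore()` adds an unsynchronized mutable flag with no documentation of when it may be set, so a comment on the field such as `// set once via ignore() during WebSecurity configuration and read when the filter chain is built; not meant to change afterwards` would record the intended lifecycle. Whether `toString()`, which starts at the end of the hunk and continues outside it, should report the flag is worth deciding, since that string is what DefaultSecurityFilterChain logs.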


@ -22,6 +22,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.util.AntPathMatcher; import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
@ -49,10 +50,11 @@ import org.springframework.web.util.UrlPathHelper;
* @author Rob Winch * @author Rob Winch
* @author Eddú Meléndez * @author Eddú Meléndez
* @author Evgeniy Cheban * @author Evgeniy Cheban
* @author Manuel Jordan
* @since 3.1 * @since 3.1
* @see org.springframework.util.AntPathMatcher * @see org.springframework.util.AntPathMatcher
*/ */
public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor { public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
private static final String MATCH_ALL = "/**"; private static final String MATCH_ALL = "/**";
@ -66,6 +68,8 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
private final UrlPathHelper urlPathHelper; private final UrlPathHelper urlPathHelper;
private boolean ignore;
/** /**
* Creates a matcher with the specific pattern which will match all HTTP methods in a * Creates a matcher with the specific pattern which will match all HTTP methods in a
* case sensitive manner. * case sensitive manner.
@ -131,6 +135,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
this.pattern = pattern; this.pattern = pattern;
this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null; this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
this.urlPathHelper = urlPathHelper; this.urlPathHelper = urlPathHelper;
this.ignore = false;
} }
/** /**
@ -170,6 +175,16 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
return MatchResult.match(this.matcher.extractUriTemplateVariables(url)); return MatchResult.match(this.matcher.extractUriTemplateVariables(url));
} }
@Override
public void ignore() {
this.ignore = true;
}
@Override
public boolean isIgnore() {
return this.ignore;
}
private String getRequestPath(HttpServletRequest request) { private String getRequestPath(HttpServletRequest request) {
if (this.urlPathHelper != null) { if (this.urlPathHelper != null) {
return this.urlPathHelper.getPathWithinApplication(request); return this.urlPathHelper.getPathWithinApplication(request);
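Review bot: AntPathRequestMatcher is a `final` class whose other fields shown here are `final` (for example `urlPathHelper` directly above the new field), so instances have been safely shareable; the non-final `ignore` flag written by `ignore()` changes that, and nothing on the page documents when it may be written. The explicit `this.ignore = false;` in the constructor is redundant with the field default, and since the Javadoc at the top of the hunk describes a different constructor, the assignment is presumably missing from at least one of them unless they chain to this one, which is one more reason to rely on the default. A field comment such as `// configuration-time flag set by ignore(); read by DefaultSecurityFilterChain when logging` would make the contract visible.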