Print ignore message DefaultSecurityFilterChain
When either `web.ignoring().mvcMatchers(...)` or `web.ignoring().antMatchers(...)` methods are used, for all their variations, the DefaultSecurityFilterChain class now indicates correctly through its ouput what paths are ignored according the `ignoring()` settings. Closes gh-9334
This commit is contained in:
parent
ac990afa5d
commit
0be772ff5b
|
@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
|
||||
private ApplicationContext context;
|
||||
|
||||
private boolean anyRequestConfigured = false;
|
||||
protected boolean anyRequestConfigured = false;
|
||||
|
||||
protected final void setApplicationContext(ApplicationContext context) {
|
||||
this.context = context;
|
||||
|
@ -165,7 +165,8 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
|
||||
throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
|
||||
+ " of type " + HandlerMappingIntrospector.class.getName()
|
||||
+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
|
||||
+ " is required to use MvcRequestMatcher."
|
||||
+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
|
||||
}
|
||||
HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
|
||||
HandlerMappingIntrospector.class);
|
||||
|
@ -265,7 +266,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
* @author Rob Winch
|
||||
* @since 3.2
|
||||
*/
|
||||
private static final class RequestMatchers {
|
||||
public static final class RequestMatchers {
|
||||
|
||||
private RequestMatchers() {
|
||||
}
|
||||
|
@ -278,7 +279,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
* from
|
||||
* @return a {@link List} of {@link AntPathRequestMatcher} instances
|
||||
*/
|
||||
static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
|
||||
public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
|
||||
String method = (httpMethod != null) ? httpMethod.toString() : null;
|
||||
List<RequestMatcher> matchers = new ArrayList<>();
|
||||
for (String pattern : antPatterns) {
|
||||
|
@ -294,7 +295,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
* from
|
||||
* @return a {@link List} of {@link AntPathRequestMatcher} instances
|
||||
*/
|
||||
static List<RequestMatcher> antMatchers(String... antPatterns) {
|
||||
public static List<RequestMatcher> antMatchers(String... antPatterns) {
|
||||
return antMatchers(null, antPatterns);
|
||||
}
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
package org.springframework.security.config.annotation.web.builders;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
@ -30,6 +31,7 @@ import org.springframework.beans.BeansException;
|
|||
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.PermissionEvaluator;
|
||||
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
||||
|
@ -60,6 +62,7 @@ import org.springframework.security.web.debug.DebugFilter;
|
|||
import org.springframework.security.web.firewall.HttpFirewall;
|
||||
import org.springframework.security.web.firewall.RequestRejectedHandler;
|
||||
import org.springframework.security.web.firewall.StrictHttpFirewall;
|
||||
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcherEntry;
|
||||
|
@ -108,7 +111,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
|
||||
private WebInvocationPrivilegeEvaluator privilegeEvaluator;
|
||||
|
||||
private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
|
||||
private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
|
||||
|
||||
private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
|
||||
|
||||
|
@ -420,6 +423,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
@Override
|
||||
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
|
||||
Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
|
||||
mvcMatchers.stream().forEach((t) -> t.ignore());
|
||||
WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
|
||||
return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
|
||||
}
|
||||
|
@ -429,6 +434,38 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
return mvcMatchers(null, mvcPatterns);
|
||||
}
|
||||
|
||||
/**
|
||||
* @since 5.5
|
||||
*/
|
||||
@Override
|
||||
public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
|
||||
return antMatchers(method, "/**");
|
||||
}
|
||||
|
||||
/**
|
||||
* @since 5.5
|
||||
*/
|
||||
@Override
|
||||
public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
|
||||
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
|
||||
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
|
||||
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
|
||||
return chainRequestMatchers(antMatchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @since 5.5
|
||||
*/
|
||||
@Override
|
||||
public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
|
||||
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
|
||||
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
|
||||
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
|
||||
return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
|
||||
}
|
||||
|
||||
@Override
|
||||
protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
WebSecurity.this.ignoredRequests.addAll(requestMatchers);
|
||||
|
@ -442,6 +479,33 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
return WebSecurity.this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param method the HttpMethod, it could be null too.
|
||||
* @param pathPattern the path pattern to be ignored
|
||||
* @since 5.5
|
||||
*/
|
||||
private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
|
||||
if (pathPattern.equals("/**")) {
|
||||
WebSecurity.this.logger
|
||||
.warn("**********************************************************************************");
|
||||
if (method != null) {
|
||||
WebSecurity.this.logger.warn(LogMessage.format(
|
||||
"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
|
||||
WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
|
||||
WebSecurity.this.logger
|
||||
.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
|
||||
}
|
||||
else {
|
||||
WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
|
||||
WebSecurity.this.logger.warn("You're disabling practically all the paths");
|
||||
WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
|
||||
}
|
||||
WebSecurity.this.logger.warn("It is not recomended for production");
|
||||
WebSecurity.this.logger
|
||||
.warn("**********************************************************************************");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,50 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
/**
|
||||
* Test package for path patterns that must be ignored by Spring Security and must be
|
||||
* indicated/notified through the output, it thanks to the
|
||||
* <code>DefaultSecurityFilterChain</code>'s constructor.
|
||||
*
|
||||
* <p>
|
||||
* <b>NOTE:</b> be advised that to test if a path(s) was really ignored or not, by
|
||||
* simplicity, is checking the output shown in the test report, it based with the pattern
|
||||
* <code>"Will not secure /ABC"</code>, where <code>ABC</code> was defined through the
|
||||
* <code>web.ignoring()</code> approach. Is very important edit the
|
||||
* <code>logback-test.xml</code> file (of this module) to change
|
||||
* <code>level="${sec.log.level:-WARN}"</code> to
|
||||
* <code>level="${sec.log.level:-INFO}"</code>
|
||||
*
|
||||
* <p>
|
||||
* In the handler methods do not return the view name (i.e:
|
||||
* <code>return "something"</code>) based on the path value (i.e:
|
||||
* <code>@GetMapping(path = "/something")</code>), otherwise the tests fail with:
|
||||
*
|
||||
* <pre class="code">
|
||||
* javax.servlet.ServletException:
|
||||
* Circular view path [something]:
|
||||
* would dispatch back to the current handler URL [/something] again.
|
||||
* Check your ViewResolver setup!
|
||||
* (Hint: This may be the result of an unspecified view, due to default view name generation.)
|
||||
* </pre>
|
||||
*
|
||||
* That's why the all handler methods are based with the
|
||||
* <code>return "something/something"</code> pattern.
|
||||
*
|
||||
* @author Manuel Jordan
|
||||
* @since 5.5
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configuration.ignore;
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -27,6 +27,7 @@ import org.apache.commons.logging.Log;
|
|||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
/**
|
||||
|
@ -48,7 +49,18 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
|
|||
}
|
||||
|
||||
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
|
||||
if (requestMatcher instanceof IgnoreRequestMatcher) {
|
||||
IgnoreRequestMatcher ignoreRequestMatcher = (IgnoreRequestMatcher) requestMatcher;
|
||||
if (ignoreRequestMatcher.isIgnore()) {
|
||||
logger.info(LogMessage.format("Will not secure %s with %s", requestMatcher, filters));
|
||||
}
|
||||
else {
|
||||
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
|
||||
}
|
||||
}
|
||||
else {
|
||||
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
|
||||
}
|
||||
this.requestMatcher = requestMatcher;
|
||||
this.filters = new ArrayList<>(filters);
|
||||
}
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.restriction;
|
||||
|
||||
/**
|
||||
* Indicates if the path should be ignored or not by Spring Security.
|
||||
*
|
||||
* @author Manuel Jordan
|
||||
* @since 5.5
|
||||
*/
|
||||
public interface IgnoreRequestMatcher {
|
||||
|
||||
/**
|
||||
* Establishes the path must be ignored.
|
||||
*/
|
||||
void ignore();
|
||||
|
||||
/**
|
||||
* If the path should be ignored or not.
|
||||
*/
|
||||
boolean isIgnore();
|
||||
|
||||
}
|
|
@ -21,6 +21,7 @@ import java.util.Map;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
|
||||
import org.springframework.util.AntPathMatcher;
|
||||
|
@ -44,9 +45,10 @@ import org.springframework.web.util.UrlPathHelper;
|
|||
* @author Rob Winch
|
||||
* @author Eddú Meléndez
|
||||
* @author Evgeniy Cheban
|
||||
* @author Manuel Jordan
|
||||
* @since 4.1.1
|
||||
*/
|
||||
public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
|
||||
public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
|
||||
|
||||
private final DefaultMatcher defaultMatcher = new DefaultMatcher();
|
||||
|
||||
|
@ -58,9 +60,12 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
|
|||
|
||||
private String servletPath;
|
||||
|
||||
private boolean ignore;
|
||||
|
||||
public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) {
|
||||
this.introspector = introspector;
|
||||
this.pattern = pattern;
|
||||
this.ignore = false;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -129,6 +134,16 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
|
|||
return this.servletPath;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void ignore() {
|
||||
this.ignore = true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isIgnore() {
|
||||
return this.ignore;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
StringBuilder sb = new StringBuilder();
|
||||
|
|
|
@ -22,6 +22,7 @@ import java.util.Map;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
|
||||
import org.springframework.util.AntPathMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
@ -49,10 +50,11 @@ import org.springframework.web.util.UrlPathHelper;
|
|||
* @author Rob Winch
|
||||
* @author Eddú Meléndez
|
||||
* @author Evgeniy Cheban
|
||||
* @author Manuel Jordan
|
||||
* @since 3.1
|
||||
* @see org.springframework.util.AntPathMatcher
|
||||
*/
|
||||
public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
|
||||
public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
|
||||
|
||||
private static final String MATCH_ALL = "/**";
|
||||
|
||||
|
@ -66,6 +68,8 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
|
|||
|
||||
private final UrlPathHelper urlPathHelper;
|
||||
|
||||
private boolean ignore;
|
||||
|
||||
/**
|
||||
* Creates a matcher with the specific pattern which will match all HTTP methods in a
|
||||
* case sensitive manner.
|
||||
|
@ -131,6 +135,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
|
|||
this.pattern = pattern;
|
||||
this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
|
||||
this.urlPathHelper = urlPathHelper;
|
||||
this.ignore = false;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -170,6 +175,16 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
|
|||
return MatchResult.match(this.matcher.extractUriTemplateVariables(url));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void ignore() {
|
||||
this.ignore = true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isIgnore() {
|
||||
return this.ignore;
|
||||
}
|
||||
|
||||
private String getRequestPath(HttpServletRequest request) {
|
||||
if (this.urlPathHelper != null) {
|
||||
return this.urlPathHelper.getPathWithinApplication(request);
|
||||
|
|
Loading…
Reference in New Issue