SEC-2215: ServletApiConfigurer populates properties on SecurityContextHolderAwareRequestFilter

Previously ServletApiConfigurer left the following properties null:
authenticationManager, logoutHandlers, and authenticationEntryPoint
This commit is contained in:
Rob Winch 2013-07-16 22:43:53 -05:00
parent 59e8551279
commit 0f281f9575
4 changed files with 93 additions and 6 deletions

View File

@ -132,7 +132,7 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
* @param http the {@link HttpSecurity} used to look up shared {@link AuthenticationEntryPoint}
* @return the {@link AuthenticationEntryPoint} to use
*/
private AuthenticationEntryPoint getEntryPoint(H http) {
AuthenticationEntryPoint getEntryPoint(H http) {
AuthenticationEntryPoint entryPoint = this.authenticationEntryPoint;
if(entryPoint == null) {
AuthenticationEntryPoint sharedEntryPoint = http.getSharedObject(AuthenticationEntryPoint.class);

View File

@ -16,6 +16,7 @@
package org.springframework.security.config.annotation.web.configurers;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpSession;
@ -224,6 +225,14 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends Ab
return logoutSuccessUrl;
}
/**
* Gets the {@link LogoutHandler} instances that will be used.
* @return the {@link LogoutHandler} instances. Cannot be null.
*/
List<LogoutHandler> getLogoutHandlers() {
return logoutHandlers;
}
/**
* Creates the {@link LogoutFilter} using the {@link LogoutHandler}
* instances, the {@link #logoutSuccessHandler(LogoutSuccessHandler)} and

View File

@ -15,12 +15,16 @@
*/
package org.springframework.security.config.annotation.web.configurers;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
/**
@ -67,9 +71,16 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>> extend
}
@Override
public void configure(H builder)
throws Exception {
@SuppressWarnings("unchecked")
public void configure(H http) throws Exception {
securityContextRequestFilter.setAuthenticationManager(http.getAuthenticationManager());
ExceptionHandlingConfigurer<H> exceptionConf = http.getConfigurer(ExceptionHandlingConfigurer.class);
AuthenticationEntryPoint authenticationEntryPoint = exceptionConf == null ? null : exceptionConf.getEntryPoint(http);
securityContextRequestFilter.setAuthenticationEntryPoint(authenticationEntryPoint);
LogoutConfigurer<H> logoutConf = http.getConfigurer(LogoutConfigurer.class);
List<LogoutHandler> logoutHandlers = logoutConf == null ? null : logoutConf.getLogoutHandlers();
securityContextRequestFilter.setLogoutHandlers(logoutHandlers);
securityContextRequestFilter = postProcess(securityContextRequestFilter);
builder.addFilter(securityContextRequestFilter);
http.addFilter(securityContextRequestFilter);
}
}

View File

@ -15,10 +15,17 @@
*/
package org.springframework.security.config.annotation.web.configurers
import groovy.transform.CompileStatic
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.AnyObjectPostProcessor
import org.springframework.security.config.annotation.BaseSpringSpec
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.AuthenticationEntryPoint
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
/**
@ -40,4 +47,64 @@ class ServletApiConfigurerTests extends BaseSpringSpec {
then: "SecurityContextHolderAwareRequestFilter is registered with LifecycleManager"
1 * opp.postProcess(_ as SecurityContextHolderAwareRequestFilter) >> {SecurityContextHolderAwareRequestFilter o -> o}
}
def "SecurityContextHolderAwareRequestFilter properties set"() {
when:
loadConfig(ServletApiConfig)
SecurityContextHolderAwareRequestFilter filter = findFilter(SecurityContextHolderAwareRequestFilter)
then: "SEC-2215: authenticationManager != null"
filter.authenticationManager != null
and: "authenticationEntryPoint != null"
filter.authenticationEntryPoint != null
and: "requestFactory != null"
filter.requestFactory != null
and: "logoutHandlers populated"
filter.logoutHandlers.collect { it.class } == [SecurityContextLogoutHandler]
}
@CompileStatic
@EnableWebSecurity
@Configuration
static class ServletApiConfig extends WebSecurityConfigurerAdapter {
@Override
protected void registerAuthentication(AuthenticationManagerBuilder auth)
throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
}
}
def "SecurityContextHolderAwareRequestFilter.authenticationEntryPoint = customEntryPoint"() {
setup:
CustomEntryPointConfig.ENTRYPOINT = Mock(AuthenticationEntryPoint)
when: "load config with customEntryPoint"
loadConfig(CustomEntryPointConfig)
then: "SecurityContextHolderAwareRequestFilter.authenticationEntryPoint == customEntryPoint"
findFilter(SecurityContextHolderAwareRequestFilter).authenticationEntryPoint == CustomEntryPointConfig.ENTRYPOINT
}
@EnableWebSecurity
@Configuration
static class CustomEntryPointConfig extends WebSecurityConfigurerAdapter {
static AuthenticationEntryPoint ENTRYPOINT
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(ENTRYPOINT)
.and()
.formLogin()
}
@Override
protected void registerAuthentication(AuthenticationManagerBuilder auth)
throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
}
}
}