Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
parent
f5fe64cd5b
commit
0f3df3e714
|
@ -176,13 +176,11 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
|
||||||
|
|
||||||
@Autowired(required = false)
|
@Autowired(required = false)
|
||||||
void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
|
void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
|
||||||
securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
|
|
||||||
this.securityFilterChains = securityFilterChains;
|
this.securityFilterChains = securityFilterChains;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Autowired(required = false)
|
@Autowired(required = false)
|
||||||
void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
|
void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
|
||||||
webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
|
|
||||||
this.webSecurityCustomizers = webSecurityCustomizers;
|
this.webSecurityCustomizers = webSecurityCustomizers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
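Review bot: Both setters now store the injected list as-is, so the order of `securityFilterChains` and `webSecurityCustomizers` presumably depends entirely on how the container ordered the list before injection, and nothing in the new code says so. Chain order decides which `SecurityFilterChain` handles a request when more than one matches, so re-adding a sort here later could silently change which rules apply. I would add a comment above each assignment, for example `// Do not re-sort: the list is injected already ordered, including @Order declared on @Bean methods`. The class body continues outside the hunk, so I cannot see whether this is documented elsewhere.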
|
@ -19,8 +19,12 @@ package org.springframework.security.config.annotation.web.configuration;
|
||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
import java.lang.reflect.Method;
|
import java.lang.reflect.Method;
|
||||||
import java.lang.reflect.Modifier;
|
import java.lang.reflect.Modifier;
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.servlet.Filter;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
|
@ -131,6 +135,19 @@ public class WebSecurityConfigurationTests {
|
||||||
assertThat(filterChains.get(3).matches(request)).isTrue();
|
assertThat(filterChains.get(3).matches(request)).isTrue();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
|
||||||
|
this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
|
||||||
|
FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
|
||||||
|
List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
|
||||||
|
assertThat(filterChains).hasSize(2);
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||||
|
request.setServletPath("/role1/**");
|
||||||
|
assertThat(filterChains.get(0).matches(request)).isTrue();
|
||||||
|
request.setServletPath("/role2/**");
|
||||||
|
assertThat(filterChains.get(1).matches(request)).isTrue();
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
|
public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
|
||||||
assertThatExceptionOfType(BeanCreationException.class)
|
assertThatExceptionOfType(BeanCreationException.class)
|
||||||
|
@ -487,6 +504,45 @@ public class WebSecurityConfigurationTests {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@EnableWebSecurity
|
||||||
|
@Import(AuthenticationTestConfiguration.class)
|
||||||
|
static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
@Order(1)
|
||||||
|
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
return http
|
||||||
|
.antMatcher("/role1/**")
|
||||||
|
.authorizeRequests((authorize) -> authorize
|
||||||
|
.anyRequest().hasRole("1")
|
||||||
|
)
|
||||||
|
.build();
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
|
||||||
|
return new TestSecurityFilterChain();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Order(2)
|
||||||
|
static class TestSecurityFilterChain implements SecurityFilterChain {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean matches(HttpServletRequest request) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<Filter> getFilters() {
|
||||||
|
return new ArrayList<>();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
@Import(AuthenticationTestConfiguration.class)
|
@Import(AuthenticationTestConfiguration.class)
|
||||||
static class DuplicateOrderConfig {
|
static class DuplicateOrderConfig {
|
||||||
|
|
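Review bot: In `loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered`, the first `matches` assertion cannot fail on a wrong order, because `TestSecurityFilterChain.matches` returns `true` for every request and would satisfy it from index 0 as well. Only the `/role2/**` check on index 1 distinguishes the two orders. Asserting the position directly would make the intent explicit and a failure easier to read: `assertThat(filterChains.get(1)).isInstanceOf(TestSecurityFilterChain.class);`. The hunks shown also add no test for `@Order` on a `WebSecurityCustomizer` bean method, although the same sort was removed from `setWebSecurityCustomizers`; if none exists elsewhere in the file, one would be worth adding. The test class and `DuplicateOrderConfig` continue outside these hunks.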