Consider Order on SecurityFilterChain bean definitions

Closes gh-9154
This commit is contained in:
Eleftheria Stein 2021-03-24 11:02:29 +02:00
parent f5fe64cd5b
commit 0f3df3e714
2 changed files with 56 additions and 2 deletions

View File

@ -176,13 +176,11 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
@Autowired(required = false)
void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
this.securityFilterChains = securityFilterChains;
}
@Autowired(required = false)
void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
this.webSecurityCustomizers = webSecurityCustomizers;
}

View File

@ -19,8 +19,12 @@ package org.springframework.security.config.annotation.web.configuration;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import org.junit.Rule;
import org.junit.Test;
@ -131,6 +135,19 @@ public class WebSecurityConfigurationTests {
assertThat(filterChains.get(3).matches(request)).isTrue();
}
@Test
public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
assertThat(filterChains).hasSize(2);
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setServletPath("/role1/**");
assertThat(filterChains.get(0).matches(request)).isTrue();
request.setServletPath("/role2/**");
assertThat(filterChains.get(1).matches(request)).isTrue();
}
@Test
public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
assertThatExceptionOfType(BeanCreationException.class)
@ -487,6 +504,45 @@ public class WebSecurityConfigurationTests {
}
@EnableWebSecurity
@Import(AuthenticationTestConfiguration.class)
static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
@Bean
@Order(1)
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role1/**")
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
.build();
// @formatter:on
}
@Bean
TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
return new TestSecurityFilterChain();
}
@Order(2)
static class TestSecurityFilterChain implements SecurityFilterChain {
@Override
public boolean matches(HttpServletRequest request) {
return true;
}
@Override
public List<Filter> getFilters() {
return new ArrayList<>();
}
}
}
@EnableWebSecurity
@Import(AuthenticationTestConfiguration.class)
static class DuplicateOrderConfig {