From 664dfd9b45c3d7b189fa0d209323a043d58a94d4 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 24 Apr 2024 16:34:08 -0600 Subject: [PATCH] Defer Anonymous Filter Construction By delaying when the AnonymousAuthenticationFilter is constructed, it's now possible to call the principal and filter methods inside of a custom DSL implementation. This does not extend to setting the key or the authentication provider though, as these must be set during the init phase. Closes gh-14941 --- .../web/configurers/AnonymousConfigurer.java | 25 ++++++++----- .../configurers/AnonymousConfigurerTests.java | 35 ++++++++++++++++++- 2 files changed, 50 insertions(+), 10 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java index 129b20e7d1..a6af1e782e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,6 +53,8 @@ public final class AnonymousConfigurer> private List authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"); + private String computedKey; + /** * Creates a new instance * @see HttpSecurity#anonymous() @@ -144,26 +146,31 @@ public final class AnonymousConfigurer> if (this.authenticationProvider == null) { this.authenticationProvider = new AnonymousAuthenticationProvider(getKey()); } - if (this.authenticationFilter == null) { - this.authenticationFilter = new AnonymousAuthenticationFilter(getKey(), this.principal, this.authorities); - this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); - } - this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); this.authenticationProvider = postProcess(this.authenticationProvider); http.authenticationProvider(this.authenticationProvider); } @Override public void configure(H http) { + if (this.authenticationFilter == null) { + this.authenticationFilter = new AnonymousAuthenticationFilter(getKey(), this.principal, this.authorities); + } + this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); this.authenticationFilter.afterPropertiesSet(); http.addFilter(this.authenticationFilter); } private String getKey() { - if (this.key == null) { - this.key = UUID.randomUUID().toString(); + if (this.computedKey != null) { + return this.computedKey; } - return this.key; + if (this.key == null) { + this.computedKey = UUID.randomUUID().toString(); + } + else { + this.computedKey = this.key; + } + return this.computedKey; } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java index b1aaf0ad68..599434e2f4 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -94,6 +94,13 @@ public class AnonymousConfigurerTests { this.mockMvc.perform(get("/")).andExpect(status().isOk()); } + // gh-14941 + @Test + public void shouldReturnMyCustomAnonymousConfig() throws Exception { + this.spring.register(AnonymousInCustomConfigurer.class, PrincipalController.class).autowire(); + this.mockMvc.perform(get("/")).andExpect(status().isOk()).andExpect(content().string("myAnonymousUser")); + } + @Configuration @EnableWebSecurity @EnableWebMvc @@ -181,6 +188,32 @@ public class AnonymousConfigurerTests { } + @Configuration + @EnableWebMvc + @EnableWebSecurity + static class AnonymousInCustomConfigurer { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll()) + .with(new CustomDsl(), withDefaults()); + // @formatter:on + return http.build(); + } + + static class CustomDsl extends AbstractHttpConfigurer { + + @Override + public void init(HttpSecurity http) throws Exception { + http.anonymous((anonymous) -> anonymous.principal("myAnonymousUser")); + } + + } + + } + @RestController static class PrincipalController {