Merge branch '6.0.x'

Closes gh-12593
Josh Cummings 2023-01-26 14:09:19 -07:00
commit 1243d1327e
GPG Key ID: A306A51F43B8E5A5
2 changed files with 45 additions and 2 deletions


@ -56,7 +56,9 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr
import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.debug.DebugFilter; import org.springframework.security.web.debug.DebugFilter;
import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
import org.springframework.security.web.firewall.HttpFirewall; import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler; import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedHandler; import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall; import org.springframework.security.web.firewall.StrictHttpFirewall;
@ -309,8 +311,10 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler); filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
} }
else if (!this.observationRegistry.isNoop()) { else if (!this.observationRegistry.isNoop()) {
filterChainProxy CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry)); new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
new HttpStatusRequestRejectedHandler());
filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
} }
filterChainProxy.setFilterChainDecorator(getFilterChainDecorator()); filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
filterChainProxy.afterPropertiesSet(); filterChainProxy.afterPropertiesSet();
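Review bot: The explicit `new HttpStatusRequestRejectedHandler()` inside the new CompositeRequestRejectedHandler has no comment saying why it is there, and the reason is not obvious from the code: setting only the observation-marking handler replaces whatever default FilterChainProxy would otherwise use, so a firewall-rejected request was marked on the observation but never received a response status (gh-12548, as the new test in WebSecurityTests indicates). Suggest adding above the `CompositeRequestRejectedHandler requestRejectedHandler = ...` line: `// Marking the observation alone replaces the default handler; keep the 400 response too (gh-12548)`. The order inside the composite may also matter if CompositeRequestRejectedHandler stops at the first handler that throws — the marking handler runs first, so it is worth confirming it cannot fail before HttpStatusRequestRejectedHandler writes the status; the composite's implementation is not visible here. The enclosing method starts and ends outside the hunk.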


@ -18,6 +18,8 @@ package org.springframework.security.config.annotation.web.builders;
import java.io.IOException; import java.io.IOException;
import io.micrometer.observation.ObservationRegistry;
import io.micrometer.observation.ObservationTextPublisher;
import jakarta.servlet.ServletException; import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.AfterEach;
@ -104,6 +106,15 @@ public class WebSecurityTests {
@Test @Test
public void requestRejectedHandlerInvoked() throws ServletException, IOException { public void requestRejectedHandlerInvoked() throws ServletException, IOException {
loadConfig(DefaultConfig.class);
this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
}
@Test
public void customRequestRejectedHandlerInvoked() throws ServletException, IOException {
loadConfig(RequestRejectedHandlerConfig.class); loadConfig(RequestRejectedHandlerConfig.class);
this.request.setServletPath("/spring"); this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path"); this.request.setRequestURI("/spring/\u0019path");
@ -111,6 +122,16 @@ public class WebSecurityTests {
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST); assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
} }
// gh-12548
@Test
public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
loadConfig(ObservationRegistryConfig.class);
this.request.setServletPath("/spring");
this.request.setRequestURI("/spring/\u0019path");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
}
@Test @Test
public void ignoringMvcMatcherServletPath() throws Exception { public void ignoringMvcMatcherServletPath() throws Exception {
loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class); loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);
@ -143,6 +164,11 @@ public class WebSecurityTests {
this.context.getAutowireCapableBeanFactory().autowireBean(this); this.context.getAutowireCapableBeanFactory().autowireBean(this);
} }
@EnableWebSecurity
static class DefaultConfig {
}
@EnableWebSecurity @EnableWebSecurity
@Configuration @Configuration
@EnableWebMvc @EnableWebMvc
@ -243,4 +269,17 @@ public class WebSecurityTests {
} }
@Configuration
@EnableWebSecurity
static class ObservationRegistryConfig {
@Bean
ObservationRegistry observationRegistry() {
ObservationRegistry observationRegistry = ObservationRegistry.create();
observationRegistry.observationConfig().observationHandler(new ObservationTextPublisher());
return observationRegistry;
}
}
} }
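Review bot: The new `DefaultConfig` is declared with only `@EnableWebSecurity`, whereas the new `ObservationRegistryConfig` and the existing configs in this class carry `@Configuration` as well; if the omission is deliberate (nothing in it needs to be a configuration class) a one-line comment would stop a later reader from "fixing" it, otherwise add `@Configuration` for consistency. The new `requestRejectedHandlerInvokedWhenOperationalObservationRegistry` test asserts only the 400 status, so it does not show that the observation was still marked when the composite handler is used; an assertion against the registered ObservationHandler (ObservationTextPublisher here prints rather than records, so a recording handler would be needed) would pin both halves of the fix. The `// gh-12548` comment on the test is the only place the issue is referenced; repeating it in the test's Javadoc or method name is optional.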