use-authorization-manager defaults to true
Closes gh-11929
parent
1aa3f1414e
commit
12b9f2e196
|
@ -716,12 +716,15 @@ class HttpConfigurationBuilder {
|
|||
}
|
||||
|
||||
private void createFilterSecurity(BeanReference authManager) {
|
||||
boolean useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
|
||||
if (useAuthorizationManager) {
|
||||
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
|
||||
createAuthorizationFilter();
|
||||
return;
|
||||
}
|
||||
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
|
||||
boolean useAuthorizationManager = true;
|
||||
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
|
||||
useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
|
||||
}
|
||||
if (useAuthorizationManager) {
|
||||
createAuthorizationFilter();
|
||||
return;
|
||||
}
|
||||
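Review bot: `Boolean.parseBoolean` in createFilterSecurity treats every value other than "true" as false, while the XSD shown further down this page types `use-authorization-manager` as `xs:boolean`, whose lexical space also includes `1` and `0`. Assuming that schema is the one applied here, `use-authorization-manager="1"` validates and still selects the legacy filter path, which is harder to notice now that omitting the attribute means true. The same read-the-attribute-twice pattern appears in InterceptMethodsBeanDefinitionDecorator.supports and WebSocketMessageBrokerSecurityBeanDefinitionParser.parseAuthorization. I would read the attribute once and accept both spellings, `String value = this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR);` then `boolean useAuthorizationManager = !StringUtils.hasText(value) || Boolean.parseBoolean(value) || "1".equals(value);`, ideally in one helper shared by the three parsers. The body of createFilterSecurity continues outside the hunk.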
|
|
|
@ -93,10 +93,13 @@ public class InterceptMethodsBeanDefinitionDecorator implements BeanDefinitionDe
|
|||
|
||||
boolean supports(Node node) {
|
||||
Element interceptMethodsElt = (Element) node;
|
||||
if (Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
|
||||
if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
|
||||
return true;
|
||||
}
|
||||
return StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR));
|
||||
if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
|
||||
return Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private Pointcut pointcut(Element interceptorElt, Element protectElt) {
|
||||
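Review bot: supports() now encodes an attribute precedence that nothing in the method states: a non-empty authorization-manager reference wins, otherwise an explicit use-authorization-manager value decides, and an absent attribute yields true. Because the final `return true;` decides which authorization mechanism guards the intercepted methods, I would document it on the method, for example `// authorization-manager-ref always wins; otherwise use-authorization-manager decides, and an absent attribute now means true`. What happens when supports() returns false is not visible in this hunk, so the comment should stay limited to the precedence itself.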
|
|
|
@ -159,7 +159,10 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
|
|||
}
|
||||
|
||||
private String parseAuthorization(Element element, ParserContext parserContext) {
|
||||
boolean useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
|
||||
boolean useAuthorizationManager = true;
|
||||
if (StringUtils.hasText(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR))) {
|
||||
useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
|
||||
}
|
||||
if (useAuthorizationManager) {
|
||||
return parseAuthorizationManager(element, parserContext);
|
||||
}
|
||||
|
|
|
@ -178,7 +178,7 @@ intercept-methods.attlist &=
|
|||
## Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
|
||||
attribute access-decision-manager-ref {xsd:token}?
|
||||
intercept-methods.attlist &=
|
||||
## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
|
||||
## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
|
||||
attribute use-authorization-manager {xsd:boolean}?
|
||||
intercept-methods.attlist &=
|
||||
## Use this AuthorizationManager instead of the default (supercedes use-authorization-manager)
|
||||
|
@ -306,7 +306,7 @@ websocket-message-broker.attrlist &=
|
|||
## Use this AuthorizationManager instead of deriving one from <intercept-message> elements
|
||||
attribute authorization-manager-ref {xsd:string}?
|
||||
websocket-message-broker.attrlist &=
|
||||
## Use AuthorizationManager API instead of SecurityMetadatasource
|
||||
## Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
|
||||
attribute use-authorization-manager {xsd:boolean}?
|
||||
websocket-message-broker.attrlist &=
|
||||
## Use this SecurityContextHolderStrategy (note only supported in conjunction with the AuthorizationManager API)
|
||||
|
@ -368,7 +368,7 @@ http.attlist &=
|
|||
## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
|
||||
attribute jaas-api-provision {xsd:boolean}?
|
||||
http.attlist &=
|
||||
## Use AuthorizationManager API instead of SecurityMetadataSource
|
||||
## Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
|
||||
attribute use-authorization-manager {xsd:boolean}?
|
||||
http.attlist &=
|
||||
## Use this AuthorizationManager instead of deriving one from <intercept-url> elements
|
||||
|
|
|
@ -542,7 +542,7 @@
|
|||
</xs:attribute>
|
||||
<xs:attribute name="use-authorization-manager" type="xs:boolean">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
|
||||
<xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
|
@ -967,7 +967,7 @@
|
|||
</xs:attribute>
|
||||
<xs:attribute name="use-authorization-manager" type="xs:boolean">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource
|
||||
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
|
@ -1325,7 +1325,7 @@
|
|||
</xs:attribute>
|
||||
<xs:attribute name="use-authorization-manager" type="xs:boolean">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource
|
||||
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
|
|
|
@ -108,7 +108,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
|
|||
public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
|
||||
// @formatter:off
|
||||
setContext("<b:bean class=\"org.springframework.web.servlet.handler.HandlerMappingIntrospector\" name=\"mvcHandlerMappingIntrospector\"/>" +
|
||||
"<http auto-config='true' use-expressions='false'/>"
|
||||
"<http auto-config='true' use-expressions='false' use-authorization-manager='false'/>"
|
||||
+ "<b:bean id='fsi' class='org.springframework.security.web.access.intercept.FilterSecurityInterceptor' autowire='byType'>"
|
||||
+ " <b:property name='securityMetadataSource'>"
|
||||
+ " <filter-security-metadata-source use-expressions='false'>"
|
||||
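Review bot: The configuration passed to setContext is pinned to `use-authorization-manager='false'` instead of exercising the new default, and the same edit is applied to every `use-expressions="false"` configuration on this page (NamespaceHttpBasicTests and the XML fixtures). That pattern suggests `use-expressions="false"` cannot be combined with the AuthorizationManager path, yet no visible test loads such a configuration without the attribute, so what an upgrading user will see is not pinned anywhere. I would add a test that loads `<http auto-config='true' use-expressions='false'/>` unchanged and asserts the resulting error or filter chain. The test method continues outside the hunk.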
|
|
|
@ -84,6 +84,7 @@ import org.springframework.security.web.AuthenticationEntryPoint;
|
|||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.access.ExceptionTranslationFilter;
|
||||
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
|
||||
import org.springframework.security.web.access.intercept.AuthorizationFilter;
|
||||
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||
|
@ -849,8 +850,7 @@ public class MiscHttpConfigTests {
|
|||
assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
|
||||
.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
|
||||
assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class);
|
||||
}
|
||||
|
||||
private <T extends Filter> T getFilter(Class<T> filterClass) {
|
||||
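Review bot: The rewritten assertion checks only that the last filter is an `AuthorizationFilter`, while the one it replaces also pinned `observeOncePerRequest` to false on the legacy filter. If AuthorizationFilter exposes an equivalent setting in this version, keep the property check, e.g. `assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class).hasFieldOrPropertyWithValue("observeOncePerRequest", false);`, so the test still covers once-per-request behaviour on the default path. The `FilterSecurityInterceptor` import is left in place as context; whether it is still used cannot be seen from here, because the test method starts outside the hunk.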
|
|
|
@ -99,7 +99,7 @@ public class NamespaceHttpBasicTests {
|
|||
@Test
|
||||
public void httpBasicCustomSecurityContextHolderStrategy() throws Exception {
|
||||
// @formatter:off
|
||||
loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\"/>\n"
|
||||
loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\" use-authorization-manager=\"false\"/>\n"
|
||||
+ "<authentication-manager id=\"authenticationManager\">\n"
|
||||
+ " <authentication-provider>\n"
|
||||
+ " <user-service>\n"
|
||||
|
|
|
@ -23,7 +23,9 @@
|
|||
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http-firewall ref="firewall"/>
|
||||
<http auto-config="true"/>
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
|
||||
|
||||
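Review bot: The added `<intercept-url pattern="/**" access="permitAll"/>` suggests that an `<http>` element without any intercept-url rule no longer lets requests through once the AuthorizationManager path is the default. The same rule is added to the other fixtures on this page that import CsrfConfigTests-shared-userservice.xml or declare HttpHeadersConfigTests.SimpleController. That would be a behaviour change for existing rule-less configurations, and no visible test states what such a configuration does now. I would record the reason in the fixture with `<!-- explicit rule required: use-authorization-manager now defaults to true -->` and add one test that loads a bare `<http auto-config="true"/>` and asserts the outcome.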
|
|
|
@ -23,6 +23,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<csrf disabled="true"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
<http-firewall ref="firewall"/>
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/authenticated/**" access="authenticated"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
<csrf/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
|
||||
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<csrf request-matcher-ref="requestMatcher"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
|
||||
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<session-management invalid-session-url="/error/sessionError"/>
|
||||
<csrf/>
|
||||
</http>
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<csrf request-handler-ref="requestHandler"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean id="requestHandler" class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<form-login login-page="/login"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<form-login login-page="/login"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<form-login default-target-url="noLeadingSlash"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<form-login login-page="noLeadingSlash"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
<form-login
|
||||
default-target-url="#{T(org.springframework.security.config.http.WebConfigUtilsTests).URL}/default"
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false" request-matcher="ant">
|
||||
<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
<form-login/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<csrf disabled="true"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<csrf disabled="false"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,8 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false" security-context-holder-strategy-ref="ref">
|
||||
<http auto-config="true" security-context-holder-strategy-ref="ref">
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
<form-login always-use-default-target="true" default-target-url="/default"/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false" request-matcher="ant">
|
||||
<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
<form-login authentication-success-handler-ref="fsh" authentication-failure-handler-ref="fsh"/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<form-login username-parameter="xname" password-parameter="xpass"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-authorization-manager="true">
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/**" access="hasRole('USER')"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<cors/>
|
||||
</http>
|
||||
</b:beans>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<cache-control disabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers>
|
||||
<content-security-policy policy-directives=""/>
|
||||
</headers>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers>
|
||||
<content-security-policy policy-directives="default-src 'self'"/>
|
||||
</headers>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers>
|
||||
<content-security-policy
|
||||
policy-directives="default-src https:; report-uri https://example.org/"
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<content-type-options disabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -24,7 +24,9 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true"/>
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<cache-control/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<content-security-policy policy-directives="default-src 'self'"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<content-type-options/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<cross-origin-embedder-policy policy="require-corp"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<cross-origin-opener-policy policy="same-origin-allow-popups"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
<cross-origin-embedder-policy policy="require-corp"/>
|
||||
<cross-origin-resource-policy policy="same-origin"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<cross-origin-resource-policy policy="same-origin"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -29,6 +29,7 @@
|
|||
<header name="a" value="b"/>
|
||||
<header name="c" value="d"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<header ref="static"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="static" class="org.springframework.security.web.header.writers.StaticHeadersWriter">
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<hsts include-subdomains="false" max-age-seconds="1" request-matcher-ref="any"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="any" class="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<frame-options/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<frame-options policy="ALLOW-FROM" strategy="static" value="https://example.org"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<frame-options policy="ALLOW-FROM" strategy="whitelist" value="https://example.org"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<frame-options policy="DENY"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<frame-options policy="SAMEORIGIN"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<hsts/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<headers defaults-disabled="true"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<permissions-policy policy="geolocation=(self)"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<headers defaults-disabled="${security.headers.defaults.disabled}"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<referrer-policy/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<referrer-policy policy="same-origin"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection enabled="false"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection enabled="false" block="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection enabled="false" header-value="1"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection enabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection header-value="1"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection header-value="1; mode=block"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers defaults-disabled="true">
|
||||
<xss-protection header-value="0"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<headers disabled="${security.headers.disabled}" />
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<frame-options disabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<frame-options disabled="true" policy="DENY"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers disabled="true"/>
|
||||
</http>
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers disabled="true">
|
||||
<content-type-options/>
|
||||
</headers>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-expressions="false">
|
||||
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
|
||||
<headers disabled="true">
|
||||
<content-security-policy policy-directives="default-src 'self'"/>
|
||||
</headers>
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
<http auto-config="true">
|
||||
<headers/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
</pins>
|
||||
</hpkp>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<hsts disabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<hsts disabled="true" include-subdomains="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<hsts disabled="true" max-age-seconds="1"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<hsts disabled="true" request-matcher-ref="dave"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<frame-options policy="SAMEORIGIN"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<xss-protection disabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<xss-protection disabled="true" enabled="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<xss-protection disabled="true" block="true"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
<headers>
|
||||
<xss-protection disabled="true" header-value="1"/>
|
||||
</headers>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
<http>
|
||||
<http-basic/>
|
||||
<intercept-url request-matcher-ref="matcherRef" access="denyAll"/>
|
||||
<intercept-url pattern="/**" access="permitAll"/>
|
||||
</http>
|
||||
|
||||
<user-service>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http request-matcher="ant">
|
||||
<http request-matcher="ant" use-authorization-manager="false">
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http request-matcher="ant" use-authorization-manager="true">
|
||||
<http request-matcher="ant">
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
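Review bot: Dropping `use-authorization-manager="true"` from `<http request-matcher="ant">` means this fixture now exercises only the implicit default, so it no longer covers the branch that parses an explicitly supplied value. Assuming the second printed `<http>` line is the new side, the same removal is made in the other AuthorizationManager variants below (`auto-config="true"`, `request-matcher="ciRegex"`, plain `<http>`, and `request-matcher="mvc"`). The page does not show every changed file, so this may be covered elsewhere. If it is not, I would keep the attribute in one fixture, e.g. `<http request-matcher="ant" use-authorization-manager="true">`, so both the explicit and the defaulted path stay tested.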
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true">
|
||||
<http auto-config="true" use-authorization-manager="false">
|
||||
<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
|
||||
<intercept-url pattern="/**" access="denyAll"/>
|
||||
<http-basic/>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-authorization-manager="true">
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
|
||||
<intercept-url pattern="/**" access="denyAll"/>
|
||||
<http-basic/>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http request-matcher="ciRegex">
|
||||
<http request-matcher="ciRegex" use-authorization-manager="false">
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http request-matcher="ciRegex" use-authorization-manager="true">
|
||||
<http request-matcher="ciRegex">
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http>
|
||||
<http use-authorization-manager="false">
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http use-authorization-manager="true">
|
||||
<http>
|
||||
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true">
|
||||
<http auto-config="true" use-authorization-manager="false">
|
||||
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
http://www.springframework.org/schema/beans
|
||||
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<http auto-config="true" use-authorization-manager="true">
|
||||
<http auto-config="true">
|
||||
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
http://www.springframework.org/schema/mvc
|
||||
https://www.springframework.org/schema/mvc/spring-mvc.xsd">
|
||||
|
||||
<http auto-config="true" request-matcher="mvc">
|
||||
<http auto-config="true" request-matcher="mvc" use-authorization-manager="false">
|
||||
<intercept-url pattern="/path" access="denyAll"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
http://www.springframework.org/schema/mvc
|
||||
https://www.springframework.org/schema/mvc/spring-mvc.xsd">
|
||||
|
||||
<http auto-config="true" request-matcher="mvc" use-authorization-manager="true">
|
||||
<http auto-config="true" request-matcher="mvc">
|
||||
<intercept-url pattern="/path" access="denyAll"/>
|
||||
<http-basic/>
|
||||
</http>
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More