use-authorization-manager defaults to true

Closes gh-11929
Josh Cummings 2022-10-05 19:49:53 -06:00
parent 1aa3f1414e
commit 12b9f2e196
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
162 changed files with 191 additions and 105 deletions


@ -716,12 +716,15 @@ class HttpConfigurationBuilder {
}
private void createFilterSecurity(BeanReference authManager) {
boolean useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
if (useAuthorizationManager) {
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
createAuthorizationFilter();
return;
}
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
boolean useAuthorizationManager = true;
if (StringUtils.hasText(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
useAuthorizationManager = Boolean.parseBoolean(this.httpElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
}
if (useAuthorizationManager) {
createAuthorizationFilter();
return;
}
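Review bot: `Boolean.parseBoolean` in the new `createFilterSecurity` accepts only the literal `true`, yet the schema declares `use-authorization-manager` as `xsd:boolean`, whose lexical space also includes `1` and `0`. A schema-valid `use-authorization-manager="1"` therefore parses as false and silently skips `createAuthorizationFilter()` in favour of the legacy path. Now that an absent attribute means true, an explicit value that is not recognised would be safer reported as a configuration error than treated as an opt-out. The same default-then-parse sequence is repeated in `InterceptMethodsBeanDefinitionDecorator.supports` and `WebSocketMessageBrokerSecurityBeanDefinitionParser.parseAuthorization`, so one shared helper returning something like `!StringUtils.hasText(value) || "true".equalsIgnoreCase(value) || "1".equals(value)` would cover all three. The body of `createFilterSecurity` continues past the end of this hunk.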


@ -93,10 +93,13 @@ public class InterceptMethodsBeanDefinitionDecorator implements BeanDefinitionDe
boolean supports(Node node) {
Element interceptMethodsElt = (Element) node;
if (Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR))) {
return true;
}
return StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_AUTHORIZATION_MGR));
if (StringUtils.hasText(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR))) {
return Boolean.parseBoolean(interceptMethodsElt.getAttribute(ATT_USE_AUTHORIZATION_MGR));
}
return true;
}
private Pointcut pointcut(Element interceptorElt, Element protectElt) {


@ -159,7 +159,10 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
}
private String parseAuthorization(Element element, ParserContext parserContext) {
boolean useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
boolean useAuthorizationManager = true;
if (StringUtils.hasText(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR))) {
useAuthorizationManager = Boolean.parseBoolean(element.getAttribute(USE_AUTHORIZATION_MANAGER_ATTR));
}
if (useAuthorizationManager) {
return parseAuthorizationManager(element, parserContext);
}


@ -178,7 +178,7 @@ intercept-methods.attlist &=
## Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
attribute access-decision-manager-ref {xsd:token}?
intercept-methods.attlist &=
## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
## Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
attribute use-authorization-manager {xsd:boolean}?
intercept-methods.attlist &=
## Use this AuthorizationManager instead of the default (supercedes use-authorization-manager)
@ -306,7 +306,7 @@ websocket-message-broker.attrlist &=
## Use this AuthorizationManager instead of deriving one from <intercept-message> elements
attribute authorization-manager-ref {xsd:string}?
websocket-message-broker.attrlist &=
## Use AuthorizationManager API instead of SecurityMetadatasource
## Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
attribute use-authorization-manager {xsd:boolean}?
websocket-message-broker.attrlist &=
## Use this SecurityContextHolderStrategy (note only supported in conjunction with the AuthorizationManager API)
@ -368,7 +368,7 @@ http.attlist &=
## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
attribute jaas-api-provision {xsd:boolean}?
http.attlist &=
## Use AuthorizationManager API instead of SecurityMetadataSource
## Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
attribute use-authorization-manager {xsd:boolean}?
http.attlist &=
## Use this AuthorizationManager instead of deriving one from <intercept-url> elements


@ -542,7 +542,7 @@
</xs:attribute>
<xs:attribute name="use-authorization-manager" type="xs:boolean">
<xs:annotation>
<xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to false)
<xs:documentation>Use the AuthorizationManager API instead of AccessDecisionManager (defaults to true)
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -967,7 +967,7 @@
</xs:attribute>
<xs:attribute name="use-authorization-manager" type="xs:boolean">
<xs:annotation>
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadatasource (defaults to true)
</xs:documentation>
</xs:annotation>
</xs:attribute>
@ -1325,7 +1325,7 @@
</xs:attribute>
<xs:attribute name="use-authorization-manager" type="xs:boolean">
<xs:annotation>
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource
<xs:documentation>Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
</xs:documentation>
</xs:annotation>
</xs:attribute>


@ -108,7 +108,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
public void parsingWithinFilterSecurityInterceptorIsSuccessful() {
// @formatter:off
setContext("<b:bean class=\"org.springframework.web.servlet.handler.HandlerMappingIntrospector\" name=\"mvcHandlerMappingIntrospector\"/>" +
"<http auto-config='true' use-expressions='false'/>"
"<http auto-config='true' use-expressions='false' use-authorization-manager='false'/>"
+ "<b:bean id='fsi' class='org.springframework.security.web.access.intercept.FilterSecurityInterceptor' autowire='byType'>"
+ " <b:property name='securityMetadataSource'>"
+ " <filter-security-metadata-source use-expressions='false'>"


@ -84,6 +84,7 @@ import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@ -849,8 +850,7 @@ public class MiscHttpConfigTests {
assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class);
}
private <T extends Filter> T getFilter(Class<T> filterClass) {
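Review bot: The rewritten last assertion of the filter-order check only verifies that the final filter is an `AuthorizationFilter`, whereas the removed lines also pinned `observeOncePerRequest` to false on the old `FilterSecurityInterceptor`. If `AuthorizationFilter` carries an equivalent once-per-request setting, keeping the property check, e.g. `assertThat(filters.next()).isInstanceOf(AuthorizationFilter.class).hasFieldOrPropertyWithValue("observeOncePerRequest", false);`, would preserve coverage of whether authorization is re-evaluated on every dispatch under the new default. The enclosing test method starts above the hunk.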


@ -99,7 +99,7 @@ public class NamespaceHttpBasicTests {
@Test
public void httpBasicCustomSecurityContextHolderStrategy() throws Exception {
// @formatter:off
loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\"/>\n"
loadContext("<http auto-config=\"true\" use-expressions=\"false\" security-context-holder-strategy-ref=\"ref\" use-authorization-manager=\"false\"/>\n"
+ "<authentication-manager id=\"authenticationManager\">\n"
+ " <authentication-provider>\n"
+ " <user-service>\n"


@ -23,7 +23,9 @@
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<http-firewall ref="firewall"/>
<http auto-config="true"/>
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
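Review bot: No migration guidance is visible for the behaviour change this fixture reveals. It, and the many fixtures like it further down, needed an explicit `<intercept-url pattern="/**" access="permitAll"/>`, and the `use-expressions="false"` fixtures needed `use-authorization-manager="false"`. That suggests an existing `<http>` block of either shape behaves differently after upgrade, presumably by no longer letting requests through or by failing to load. Unless the files not displayed on this page already cover it, the reference documentation should state that such configurations must now either declare their intercept rules or opt out explicitly.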


@ -23,6 +23,7 @@
<http auto-config="true">
<csrf disabled="true"/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:import resource="CsrfConfigTests-shared-userservice.xml"/>


@ -25,6 +25,7 @@
<http-firewall ref="firewall"/>
<http auto-config="true">
<intercept-url pattern="/authenticated/**" access="authenticated"/>
<intercept-url pattern="/**" access="permitAll"/>
<csrf/>
</http>


@ -21,7 +21,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<csrf request-matcher-ref="requestMatcher"/>
</http>


@ -21,7 +21,7 @@
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<session-management invalid-session-url="/error/sessionError"/>
<csrf/>
</http>


@ -24,6 +24,7 @@
<http auto-config="true">
<csrf request-handler-ref="requestHandler"/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean id="requestHandler" class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<form-login login-page="/login"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<form-login login-page="/login"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<form-login default-target-url="noLeadingSlash"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<form-login login-page="noLeadingSlash"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login
default-target-url="#{T(org.springframework.security.config.http.WebConfigUtilsTests).URL}/default"


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false" request-matcher="ant">
<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<csrf disabled="true"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<csrf disabled="false"/>
</http>


@ -24,7 +24,8 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false" security-context-holder-strategy-ref="ref">
<http auto-config="true" security-context-holder-strategy-ref="ref">
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login always-use-default-target="true" default-target-url="/default"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false" request-matcher="ant">
<http auto-config="true" use-expressions="false" request-matcher="ant" use-authorization-manager="false">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login authentication-success-handler-ref="fsh" authentication-failure-handler-ref="fsh"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<form-login username-parameter="xname" password-parameter="xpass"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<intercept-url pattern="/**" access="ROLE_USER"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-authorization-manager="true">
<http auto-config="true">
<intercept-url pattern="/**" access="hasRole('USER')"/>
</http>


@ -25,7 +25,7 @@
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<cors/>
</http>
</b:beans>


@ -28,6 +28,7 @@
<headers>
<cache-control disabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers>
<content-security-policy policy-directives=""/>
</headers>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers>
<content-security-policy policy-directives="default-src 'self'"/>
</headers>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers>
<content-security-policy
policy-directives="default-src https:; report-uri https://example.org/"


@ -28,6 +28,7 @@
<headers>
<content-type-options disabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -24,7 +24,9 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true"/>
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<cache-control/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<content-security-policy policy-directives="default-src 'self'"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<content-type-options/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<cross-origin-embedder-policy policy="require-corp"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<cross-origin-opener-policy policy="same-origin-allow-popups"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -30,6 +30,7 @@
<cross-origin-embedder-policy policy="require-corp"/>
<cross-origin-resource-policy policy="same-origin"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<cross-origin-resource-policy policy="same-origin"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -29,6 +29,7 @@
<header name="a" value="b"/>
<header name="c" value="d"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<header ref="static"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="static" class="org.springframework.security.web.header.writers.StaticHeadersWriter">


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<hsts include-subdomains="false" max-age-seconds="1" request-matcher-ref="any"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="any" class="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<frame-options/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<frame-options policy="ALLOW-FROM" strategy="static" value="https://example.org"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<frame-options policy="ALLOW-FROM" strategy="whitelist" value="https://example.org"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<frame-options policy="DENY"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<frame-options policy="SAMEORIGIN"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<hsts/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -26,6 +26,7 @@
<http auto-config="true">
<headers defaults-disabled="true"/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<permissions-policy policy="geolocation=(self)"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -26,6 +26,7 @@
<http auto-config="true">
<headers defaults-disabled="${security.headers.defaults.disabled}"/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<referrer-policy/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<referrer-policy policy="same-origin"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection enabled="false"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection enabled="false" block="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection enabled="false" header-value="1"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection enabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection header-value="1"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection header-value="1; mode=block"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers defaults-disabled="true">
<xss-protection header-value="0"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -26,6 +26,7 @@
<http auto-config="true">
<headers disabled="${security.headers.disabled}" />
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>


@ -28,6 +28,7 @@
<headers>
<frame-options disabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<frame-options disabled="true" policy="DENY"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers disabled="true"/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers disabled="true">
<content-type-options/>
</headers>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-expressions="false">
<http auto-config="true" use-expressions="false" use-authorization-manager="false">
<headers disabled="true">
<content-security-policy policy-directives="default-src 'self'"/>
</headers>


@ -26,6 +26,7 @@
<http auto-config="true">
<headers/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -32,6 +32,7 @@
</pins>
</hpkp>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<hsts disabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<hsts disabled="true" include-subdomains="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<hsts disabled="true" max-age-seconds="1"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<hsts disabled="true" request-matcher-ref="dave"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<xss-protection disabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<xss-protection disabled="true" enabled="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<xss-protection disabled="true" block="true"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -28,6 +28,7 @@
<headers>
<xss-protection disabled="true" header-value="1"/>
</headers>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>


@ -9,6 +9,7 @@
<http>
<http-basic/>
<intercept-url request-matcher-ref="matcherRef" access="denyAll"/>
<intercept-url pattern="/**" access="permitAll"/>
</http>
<user-service>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http request-matcher="ant">
<http request-matcher="ant" use-authorization-manager="false">
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http request-matcher="ant" use-authorization-manager="true">
<http request-matcher="ant">
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true">
<http auto-config="true" use-authorization-manager="false">
<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
<intercept-url pattern="/**" access="denyAll"/>
<http-basic/>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-authorization-manager="true">
<http auto-config="true">
<intercept-url pattern="/path/{userName}/**" access="#userName == authentication.name"/>
<intercept-url pattern="/**" access="denyAll"/>
<http-basic/>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http request-matcher="ciRegex">
<http request-matcher="ciRegex" use-authorization-manager="false">
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http request-matcher="ciRegex" use-authorization-manager="true">
<http request-matcher="ciRegex">
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http>
<http use-authorization-manager="false">
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http use-authorization-manager="true">
<http>
<intercept-url pattern="/path" access="denyAll" servlet-path="/spring"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true">
<http auto-config="true" use-authorization-manager="false">
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
<http-basic/>
</http>


@ -24,7 +24,7 @@
http://www.springframework.org/schema/beans
https://www.springframework.org/schema/beans/spring-beans.xsd">
<http auto-config="true" use-authorization-manager="true">
<http auto-config="true">
<intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER', 'ROLE_USER')"/>
<http-basic/>
</http>


@ -27,7 +27,7 @@
http://www.springframework.org/schema/mvc
https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<http auto-config="true" request-matcher="mvc">
<http auto-config="true" request-matcher="mvc" use-authorization-manager="false">
<intercept-url pattern="/path" access="denyAll"/>
<http-basic/>
</http>


@ -27,7 +27,7 @@
http://www.springframework.org/schema/mvc
https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<http auto-config="true" request-matcher="mvc" use-authorization-manager="true">
<http auto-config="true" request-matcher="mvc">
<intercept-url pattern="/path" access="denyAll"/>
<http-basic/>
</http>

Some files were not shown because too many files have changed in this diff Show More