Merge branch '5.8.x'

Closes gh-11971

config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java

@@ -59,6 +59,8 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 
 	private static final String ATT_SERVLET_PATH = "servlet-path";
 
+	private static final String ATT_FILTER_ALL_DISPATCHER_TYPES = "filter-all-dispatcher-types";
+
 	private String authorizationManagerRef;
 
 	private final BeanMetadataElement securityContextHolderStrategy;
@@ -82,7 +84,11 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 		this.authorizationManagerRef = createAuthorizationManager(element, parserContext);
 		BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(AuthorizationFilter.class);
 		filterBuilder.getRawBeanDefinition().setSource(parserContext.extractSource(element));
-		BeanDefinition filter = filterBuilder.addConstructorArgReference(this.authorizationManagerRef)
+		filterBuilder.addConstructorArgReference(this.authorizationManagerRef);
+		if ("true".equals(element.getAttribute(ATT_FILTER_ALL_DISPATCHER_TYPES))) {
+			filterBuilder.addPropertyValue("shouldFilterAllDispatcherTypes", Boolean.TRUE);
+		}
+		BeanDefinition filter = filterBuilder
 				.addPropertyValue("securityContextHolderStrategy", this.securityContextHolderStrategy)
 				.getBeanDefinition();
 		String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);

config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc

@@ -385,6 +385,9 @@ http.attlist &=
 http.attlist &=
 	## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
 	attribute once-per-request {xsd:boolean}?
+http.attlist &=
+	## Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Only works when use-authorization-manager=true. Defauls to "false".
+	attribute filter-all-dispatcher-types {xsd:boolean}?
 http.attlist &=
 	## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
 	attribute disable-url-rewriting {xsd:boolean}?

config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd

@@ -1385,6 +1385,13 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="filter-all-dispatcher-types" type="xs:boolean">
+         <xs:annotation>
+            <xs:documentation>Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Only
+                works when use-authorization-manager=true. Defauls to "false".
+                </xs:documentation>
+         </xs:annotation>
+      </xs:attribute>
       <xs:attribute name="disable-url-rewriting" type="xs:boolean">
          <xs:annotation>
             <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"

config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc

@@ -385,6 +385,9 @@ http.attlist &=
 http.attlist &=
 	## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
 	attribute once-per-request {xsd:boolean}?
+http.attlist &=
+	## Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Do not work when use-authorization-manager=false. Defaults to "false".
+	attribute filter-all-dispatcher-types {xsd:boolean}?
 http.attlist &=
 	## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
 	attribute disable-url-rewriting {xsd:boolean}?

config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd

@@ -1363,6 +1363,13 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="filter-all-dispatcher-types" type="xs:boolean">
+         <xs:annotation>
+            <xs:documentation>Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Do not
+                work when use-authorization-manager=false. Defaults to "false".
+                </xs:documentation>
+         </xs:annotation>
+      </xs:attribute>
       <xs:attribute name="disable-url-rewriting" type="xs:boolean">
          <xs:annotation>
             <xs:documentation>Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"

config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java

@@ -19,6 +19,7 @@ package org.springframework.security.config.http;
 import java.util.Collections;
 import java.util.Map;
 
+import jakarta.servlet.DispatcherType;
 import jakarta.servlet.ServletRegistration;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -33,10 +34,12 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.ConfigurableWebApplicationContext;
+import org.springframework.web.util.WebUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -380,6 +383,29 @@ public class InterceptUrlConfigTests {
 				.configLocations(this.xml("DefaultMatcherServletPathAuthorizationManager")).autowire());
 	}
 
+	@Test
+	public void requestWhenUsingFilterAllDispatcherTypesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
+			throws Exception {
+		this.spring.configLocations(this.xml("AuthorizationManagerFilterAllDispatcherTypes")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/path").with(userCredentials()))
+				.andExpect(status().isOk());
+		this.mvc.perform(get("/path").with(adminCredentials()))
+				.andExpect(status().isForbidden());
+		this.mvc.perform(get("/error").with((request) -> {
+			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+			request.setDispatcherType(DispatcherType.ERROR);
+			return request;
+		})).andExpect(status().isOk());
+		this.mvc.perform(get("/path").with((request) -> {
+			request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/path");
+			request.setDispatcherType(DispatcherType.ERROR);
+			return request;
+		})).andExpect(status().isUnauthorized());
+		// @formatter:on
+		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
+	}
+
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}
@@ -417,6 +443,16 @@ public class InterceptUrlConfigTests {
 
 	}
 
+	@RestController
+	static class ErrorController {
+
+		@GetMapping("/error")
+		String error() {
+			return "error";
+		}
+
+	}
+
 	public static class Id {
 
 		public boolean isOne(int i) {

config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AuthorizationManagerFilterAllDispatcherTypes.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2022 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" use-authorization-manager="true" filter-all-dispatcher-types="true">
+		<intercept-url request-matcher-ref="pathErrorRequestMatcher" access="permitAll()" />
+		<intercept-url request-matcher-ref="errorRequestMatcher" access="authenticated" />
+		<intercept-url pattern="/**" access="hasRole('USER')"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="path" class="org.springframework.security.config.http.InterceptUrlConfigTests.PathController"/>
+	<b:bean name="error" class="org.springframework.security.config.http.InterceptUrlConfigTests.ErrorController"/>
+	
+	<b:bean name="errorRequestMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
+		<b:constructor-arg value="ERROR"/>
+	</b:bean>
+	
+	<b:bean name="errorPathRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+		<b:constructor-arg value="/error"/>
+	</b:bean>
+	
+	<b:bean name="pathErrorRequestMatcher" class="org.springframework.security.web.util.matcher.AndRequestMatcher">
+		<b:constructor-arg>
+			<b:list>
+				<b:ref bean="errorRequestMatcher"/>
+				<b:ref bean="errorPathRequestMatcher"/>
+			</b:list>
+		</b:constructor-arg>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc

@@ -97,6 +97,12 @@ Corresponds to the `observeOncePerRequest` property of `FilterSecurityIntercepto
 Defaults to `false`.
 
 
+[[nsa-http-filter-all-dispatcher-types]]
+* **filter-all-dispatcher-types**
+Corresponds to the `shouldFilterAllDispatcherTypes` property of the `AuthorizationFilter`. Only works when `use-authorization-manager=true`.
+Defaults to `false`.
+
+
 [[nsa-http-pattern]]
 * **pattern**
 Defining a pattern for the <<nsa-http,http>> element controls the requests which will be filtered through the list of filters which it defines.