Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-28 14:52:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow configuration of exception handling through nested builder

Browse Source 
Issue: gh-5557
This commit is contained in:
Eleftheria Stein 2019-06-19 14:24:20 -04:00
parent 92314b0956
commit 1a31376dda
3 changed files with 139 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
View File

@ -681,6 +681,45 @@ public final class HttpSecurity extends
return getOrApply(new ExceptionHandlingConfigurer<>()); return getOrApply(new ExceptionHandlingConfigurer<>());
} }
/**
* Allows configuring exception handling. This is automatically applied when using
* {@link WebSecurityConfigurerAdapter}.
*
* <h2>Example Custom Configuration</h2>
*
* The following customization will ensure that users who are denied access are forwarded
* to the page "/errors/access-denied".
*
* <pre>
* &#064;Configuration
* &#064;EnableWebSecurity
* public class ExceptionHandlingSecurityConfig extends WebSecurityConfigurerAdapter {
*
* &#064;Override
* protected void configure(HttpSecurity http) throws Exception {
* http
* .authorizeRequests()
* .antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* .and()
* // sample exception handling customization
* .exceptionHandling(exceptionHandling ->
* exceptionHandling
* .accessDeniedPage(&quot;/errors/access-denied&quot;)
* );
* }
* }
* </pre>
*
* @param exceptionHandlingCustomizer the {@link Customizer} to provide more options for
* the {@link ExceptionHandlingConfigurer}
* @return the {@link HttpSecurity} for further customizations
* @throws Exception
*/
public HttpSecurity exceptionHandling(Customizer<ExceptionHandlingConfigurer<HttpSecurity>> exceptionHandlingCustomizer) throws Exception {
exceptionHandlingCustomizer.customize(getOrApply(new ExceptionHandlingConfigurer<>()));
return HttpSecurity.this;
}
/** /**
* Sets up management of the {@link SecurityContext} on the * Sets up management of the {@link SecurityContext} on the
* {@link SecurityContextHolder} between {@link HttpServletRequest}'s. This is * {@link SecurityContextHolder} between {@link HttpServletRequest}'s. This is

43
config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2019 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -86,6 +86,47 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
} }
} }
@Test
@WithMockUser(roles = "ANYTHING")
public void getWhenAccessDeniedOverriddenInLambdaThenCustomizesResponseByRequest()
throws Exception {
this.spring.register(RequestMatcherBasedAccessDeniedHandlerInLambdaConfig.class).autowire();
this.mvc.perform(get("/hello"))
.andExpect(status().isIAmATeapot());
this.mvc.perform(get("/goodbye"))
.andExpect(status().isForbidden());
}
@EnableWebSecurity
static class RequestMatcherBasedAccessDeniedHandlerInLambdaConfig extends WebSecurityConfigurerAdapter {
AccessDeniedHandler teapotDeniedHandler =
(request, response, exception) ->
response.setStatus(HttpStatus.I_AM_A_TEAPOT.value());
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().denyAll()
.and()
.exceptionHandling(exceptionHandling ->
exceptionHandling
.defaultAccessDeniedHandlerFor(
this.teapotDeniedHandler,
new AntPathRequestMatcher("/hello/**")
)
.defaultAccessDeniedHandlerFor(
new AccessDeniedHandlerImpl(),
AnyRequestMatcher.INSTANCE
)
);
// @formatter:on
}
}
@Test @Test
@WithMockUser(roles = "ANYTHING") @WithMockUser(roles = "ANYTHING")
public void getWhenAccessDeniedOverriddenByOnlyOneHandlerThenAllRequestsUseThatHandler() public void getWhenAccessDeniedOverriddenByOnlyOneHandlerThenAllRequestsUseThatHandler()

58
config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java
View File

@ -83,6 +83,31 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
return new UsernamePasswordAuthenticationToken("user", null, AuthorityUtils.NO_AUTHORITIES); return new UsernamePasswordAuthenticationToken("user", null, AuthorityUtils.NO_AUTHORITIES);
} }
@Test
public void requestWhenCustomAccessDeniedPageInLambdaThenForwardedToCustomPage() throws Exception {
this.spring.register(AccessDeniedPageInLambdaConfig.class).autowire();
this.mvc.perform(get("/")
.with(authentication(user())))
.andExpect(status().isForbidden())
.andExpect(forwardedUrl("/AccessDeniedPageConfig"));
}
@EnableWebSecurity
static class AccessDeniedPageInLambdaConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().denyAll()
.and()
.exceptionHandling(exceptionHandling ->
exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig")
);
// @formatter:on
}
}
@Test @Test
public void requestWhenCustomAccessDeniedHandlerThenBehaviorMatchesNamespace() throws Exception { public void requestWhenCustomAccessDeniedHandlerThenBehaviorMatchesNamespace() throws Exception {
this.spring.register(AccessDeniedHandlerRefConfig.class).autowire(); this.spring.register(AccessDeniedHandlerRefConfig.class).autowire();
@ -109,6 +134,39 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
} }
} }
@Test
public void requestWhenCustomAccessDeniedHandlerInLambdaThenBehaviorMatchesNamespace() throws Exception {
this.spring.register(AccessDeniedHandlerRefInLambdaConfig.class).autowire();
this.mvc.perform(get("/")
.with(authentication(user())));
verify(AccessDeniedHandlerRefInLambdaConfig.accessDeniedHandler)
.handle(any(HttpServletRequest.class), any(HttpServletResponse.class), any(AccessDeniedException.class));
}
@EnableWebSecurity
static class AccessDeniedHandlerRefInLambdaConfig extends WebSecurityConfigurerAdapter {
static AccessDeniedHandler accessDeniedHandler = mock(AccessDeniedHandler.class);
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().denyAll()
.and()
.exceptionHandling(exceptionHandling ->
exceptionHandling.accessDeniedHandler(accessDeniedHandler())
);
// @formatter:on
}
@Bean
AccessDeniedHandler accessDeniedHandler() {
return accessDeniedHandler;
}
}
private <T> T verifyBean(Class<T> beanClass) { private <T> T verifyBean(Class<T> beanClass) {
return verify(this.spring.getContext().getBean(beanClass)); return verify(this.spring.getContext().getBean(beanClass));
} }