Add ServerRequestCache

Fixes: gh-4789
This commit is contained in:
Rob Winch 2017-11-08 16:47:49 -06:00
parent 1ea66378f5
commit 1b70efce2b
11 changed files with 585 additions and 17 deletions

View File

@ -46,6 +46,10 @@ public enum SecurityWebFiltersOrder {
* {@link org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter}
*/
SECURITY_CONTEXT_SERVER_WEB_EXCHANGE,
/**
* {@link org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter}
*/
SERVER_REQUEST_CACHE,
LOGOUT,
EXCEPTION_TRANSLATION,
AUTHORIZATION,

View File

@ -39,7 +39,6 @@ import org.springframework.security.web.server.authentication.ServerAuthenticati
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.logout.LogoutWebFilter;
import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.security.web.server.authorization.AuthorizationContext;
@ -47,10 +46,10 @@ import org.springframework.security.web.server.authorization.AuthorizationWebFil
import org.springframework.security.web.server.authorization.DelegatingReactiveAuthorizationManager;
import org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter;
import org.springframework.security.web.server.context.ReactorContextWebFilter;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.security.web.server.context.ReactorContextWebFilter;
import org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
@ -62,6 +61,10 @@ import org.springframework.security.web.server.header.ServerHttpHeadersWriter;
import org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.security.web.server.ui.LoginPageGeneratingWebFilter;
import org.springframework.security.web.server.ui.LogoutPageGeneratingWebFilter;
import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
@ -102,6 +105,8 @@ public class ServerHttpSecurity {
private HttpBasicBuilder httpBasic;
private final RequestCacheBuilder requestCache = new RequestCacheBuilder();
private FormLoginBuilder formLogin;
private LogoutBuilder logout = new LogoutBuilder();
@ -198,6 +203,10 @@ public class ServerHttpSecurity {
return this.logout;
}
public RequestCacheBuilder requestCache() {
return this.requestCache;
}
public ServerHttpSecurity authenticationManager(ReactiveAuthenticationManager manager) {
this.authenticationManager = manager;
return this;
@ -239,6 +248,7 @@ public class ServerHttpSecurity {
if(this.logout != null) {
this.logout.configure(this);
}
this.requestCache.configure(this);
this.addFilterAt(new SecurityContextServerWebExchangeWebFilter(), SecurityWebFiltersOrder.SECURITY_CONTEXT_SERVER_WEB_EXCHANGE);
if(this.authorizeExchangeBuilder != null) {
ServerAuthenticationEntryPoint serverAuthenticationEntryPoint = getServerAuthenticationEntryPoint();
@ -433,6 +443,35 @@ public class ServerHttpSecurity {
private ExceptionHandlingBuilder() {}
}
/**
* @author Rob Winch
* @since 5.0
*/
public class RequestCacheBuilder {
private ServerRequestCache requestCache = new WebSessionServerRequestCache();
public RequestCacheBuilder requestCache(ServerRequestCache requestCache) {
Assert.notNull(requestCache, "requestCache cannot be null");
this.requestCache = requestCache;
return this;
}
protected void configure(ServerHttpSecurity http) {
http.addFilterAt(new ServerRequestCacheWebFilter(), SecurityWebFiltersOrder.SERVER_REQUEST_CACHE);
}
public ServerHttpSecurity and() {
return ServerHttpSecurity.this;
}
public ServerHttpSecurity disable() {
this.requestCache = NoOpServerRequestCache.getInstance();
return and();
}
private RequestCacheBuilder() {}
}
/**
* @author Rob Winch
* @since 5.0
@ -489,6 +528,10 @@ public class ServerHttpSecurity {
* @since 5.0
*/
public class FormLoginBuilder {
private final RedirectServerAuthenticationSuccessHandler defaultSuccessHandler = new RedirectServerAuthenticationSuccessHandler("/");
private RedirectServerAuthenticationEntryPoint defaultEntryPoint;
private ReactiveAuthenticationManager authenticationManager;
private ServerSecurityContextRepository serverSecurityContextRepository = new WebSessionServerSecurityContextRepository();
@ -499,7 +542,7 @@ public class ServerHttpSecurity {
private ServerAuthenticationFailureHandler serverAuthenticationFailureHandler;
private ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler = new RedirectServerAuthenticationSuccessHandler("/");
private ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler = this.defaultSuccessHandler;
public FormLoginBuilder authenticationManager(ReactiveAuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
@ -514,7 +557,8 @@ public class ServerHttpSecurity {
}
public FormLoginBuilder loginPage(String loginPage) {
this.serverAuthenticationEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
this.defaultEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
this.serverAuthenticationEntryPoint = this.defaultEntryPoint;
this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
this.serverAuthenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
return this;
@ -553,6 +597,13 @@ public class ServerHttpSecurity {
if(this.serverAuthenticationEntryPoint == null) {
loginPage("/login");
}
if(http.requestCache != null) {
ServerRequestCache requestCache = http.requestCache.requestCache;
this.defaultSuccessHandler.setRequestCache(requestCache);
if(this.defaultEntryPoint != null) {
this.defaultEntryPoint.setRequestCache(requestCache);
}
}
MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(
MediaType.TEXT_HTML);
htmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

View File

@ -21,15 +21,9 @@ import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.FindBy;
import org.openqa.selenium.support.PageFactory;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverBuilder;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapperTests;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
@ -39,7 +33,6 @@ import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import static org.assertj.core.api.Assertions.assertThat;
@ -143,7 +136,7 @@ public class FormLoginTests {
.webTestClientSetup(webTestClient)
.build();
DefaultLoginPage loginPage = HomePage.to(driver, DefaultLoginPage.class)
DefaultLoginPage loginPage = DefaultLoginPage.to(driver)
.assertAt();
HomePage homePage = loginPage.loginForm()
@ -238,6 +231,11 @@ public class FormLoginTests {
return this.loginForm;
}
static DefaultLoginPage to(WebDriver driver) {
driver.get("http://localhost/login");
return PageFactory.initElements(driver, DefaultLoginPage.class);
}
public static class LoginForm {
private WebDriver driver;
private WebElement username;
@ -347,6 +345,5 @@ public class FormLoginTests {
+ " </body>\n"
+ "</html>";
}
}
}

View File

@ -0,0 +1,147 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.junit.Test;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.FindBy;
import org.openqa.selenium.support.PageFactory;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
import org.springframework.security.config.web.server.FormLoginTests.DefaultLoginPage;
import org.springframework.security.config.web.server.FormLoginTests.HomePage;
import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverBuilder;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.server.ServerWebExchange;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Rob Winch
* @since 5.0
*/
public class RequestCacheTests {
private ServerHttpSecurity http = ServerHttpSecurityConfigurationBuilder.httpWithDefaultAuthentication();
@Test
public void defaultFormLoginRequestCache() {
SecurityWebFilterChain securityWebFilter = this.http
.authorizeExchange()
.anyExchange().authenticated()
.and()
.formLogin().and()
.build();
WebTestClient webTestClient = WebTestClient
.bindToController(new SecuredPageController(), new WebTestClientBuilder.Http200RestController())
.webFilter(new WebFilterChainProxy(securityWebFilter))
.build();
WebDriver driver = WebTestClientHtmlUnitDriverBuilder
.webTestClientSetup(webTestClient)
.build();
DefaultLoginPage loginPage = SecuredPage.to(driver, DefaultLoginPage.class)
.assertAt();
SecuredPage securedPage = loginPage.loginForm()
.username("user")
.password("password")
.submit(SecuredPage.class);
securedPage.assertAt();
}
@Test
public void requestCacheNoOp() {
SecurityWebFilterChain securityWebFilter = this.http
.authorizeExchange()
.anyExchange().authenticated()
.and()
.formLogin().and()
.requestCache()
.requestCache(NoOpServerRequestCache.getInstance())
.and()
.build();
WebTestClient webTestClient = WebTestClient
.bindToController(new SecuredPageController(), new WebTestClientBuilder.Http200RestController())
.webFilter(new WebFilterChainProxy(securityWebFilter))
.build();
WebDriver driver = WebTestClientHtmlUnitDriverBuilder
.webTestClientSetup(webTestClient)
.build();
DefaultLoginPage loginPage = SecuredPage.to(driver, DefaultLoginPage.class)
.assertAt();
HomePage securedPage = loginPage.loginForm()
.username("user")
.password("password")
.submit(HomePage.class);
securedPage.assertAt();
}
public static class SecuredPage {
private WebDriver driver;
public SecuredPage(WebDriver driver) {
this.driver = driver;
}
public void assertAt() {
assertThat(this.driver.getTitle()).isEqualTo("Secured");
}
static <T> T to(WebDriver driver, Class<T> page) {
driver.get("http://localhost/secured");
return PageFactory.initElements(driver, page);
}
}
@Controller
public static class SecuredPageController {
@ResponseBody
@GetMapping("/secured")
public String login(ServerWebExchange exchange) {
CsrfToken token = exchange.getAttribute(CsrfToken.class.getName());
return
"<!DOCTYPE html>\n"
+ "<html lang=\"en\">\n"
+ " <head>\n"
+ " <title>Secured</title>\n"
+ " </head>\n"
+ " <body>\n"
+ " <h1>Secured</h1>\n"
+ " </body>\n"
+ "</html>";
}
}
}

View File

@ -20,6 +20,8 @@ import java.net.URI;
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import reactor.core.publisher.Mono;
import org.springframework.security.core.AuthenticationException;
@ -39,14 +41,22 @@ public class RedirectServerAuthenticationEntryPoint
private ServerRedirectStrategy serverRedirectStrategy = new DefaultServerRedirectStrategy();
private ServerRequestCache requestCache = new WebSessionServerRequestCache();
public RedirectServerAuthenticationEntryPoint(String location) {
Assert.notNull(location, "location cannot be null");
this.location = URI.create(location);
}
public void setRequestCache(ServerRequestCache requestCache) {
Assert.notNull(requestCache, "requestCache cannot be null");
this.requestCache = requestCache;
}
@Override
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
return this.serverRedirectStrategy.sendRedirect(exchange, this.location);
return this.requestCache.saveRequest(exchange)
.then(this.serverRedirectStrategy.sendRedirect(exchange, this.location));
}
/**

View File

@ -20,6 +20,8 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
@ -36,17 +38,28 @@ public class RedirectServerAuthenticationSuccessHandler
private ServerRedirectStrategy serverRedirectStrategy = new DefaultServerRedirectStrategy();
private ServerRequestCache requestCache = new WebSessionServerRequestCache();
public RedirectServerAuthenticationSuccessHandler() {}
public RedirectServerAuthenticationSuccessHandler(String location) {
this.location = URI.create(location);
}
public void setRequestCache(ServerRequestCache requestCache) {
Assert.notNull(requestCache, "requestCache cannot be null");
this.requestCache = requestCache;
}
@Override
public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
Authentication authentication) {
ServerWebExchange exchange = webFilterExchange.getExchange();
return this.serverRedirectStrategy.sendRedirect(exchange, this.location);
return this.requestCache.getRequest(exchange)
.map(r -> r.getPath().pathWithinApplication().value())
.map(URI::create)
.defaultIfEmpty(this.location)
.flatMap(location -> this.serverRedirectStrategy.sendRedirect(exchange, location));
}
/**

View File

@ -0,0 +1,54 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.savedrequest;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* @author Rob Winch
* @since 5.0
*/
public class NoOpServerRequestCache implements ServerRequestCache {
@Override
public Mono<Void> saveRequest(ServerWebExchange exchange) {
return Mono.empty();
}
@Override
public Mono<ServerHttpRequest> getRequest(ServerWebExchange exchange) {
return Mono.empty();
}
@Override
public Mono<ServerHttpRequest> getMatchingRequest(
ServerWebExchange exchange) {
return Mono.empty();
}
@Override
public Mono<ServerHttpRequest> removeRequest(ServerWebExchange exchange) {
return Mono.empty();
}
public static NoOpServerRequestCache getInstance() {
return new NoOpServerRequestCache();
}
private NoOpServerRequestCache() {}
}

View File

@ -0,0 +1,64 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.savedrequest;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
/**
* Saves a {@link ServerHttpRequest} so it can be "replayed" later. This is useful for
* when a page was requested and authentication is necessary.
*
* @author Rob Winch
* @since 5.0
*/
public interface ServerRequestCache {
/**
* Save the {@link ServerHttpRequest}
* @param exchange the exchange to save
* @return Return a {@code Mono<Void>} which only replays complete and error signals
* from this {@link Mono}.
*/
Mono<Void> saveRequest(ServerWebExchange exchange);
/**
* Get the saved {@link ServerHttpRequest}
* @param exchange the exchange to obtain the saved {@link ServerHttpRequest} from
* @return the {@link ServerHttpRequest}
*/
Mono<ServerHttpRequest> getRequest(ServerWebExchange exchange);
/**
* If the provided {@link ServerWebExchange} matches the saved {@link ServerHttpRequest}
* gets the saved {@link ServerHttpRequest}
* @param exchange the exchange to obtain the request from
* @return the {@link ServerHttpRequest}
*/
Mono<ServerHttpRequest> getMatchingRequest(ServerWebExchange exchange);
/**
* If the {@link ServerWebExchange} contains a saved {@link ServerHttpRequest} remove
* and return it.
*
* @param exchange the {@link ServerWebExchange} to obtain and remove the
* {@link ServerHttpRequest}
* @return the {@link ServerHttpRequest}
*/
Mono<ServerHttpRequest> removeRequest(ServerWebExchange exchange);
}

View File

@ -0,0 +1,47 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.savedrequest;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* A {@link WebFilter} that replays any matching request in {@link ServerRequestCache}
*
* @author Rob Winch
* @since 5.0
*/
public class ServerRequestCacheWebFilter implements WebFilter {
private ServerRequestCache requestCache = new WebSessionServerRequestCache();
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return this.requestCache.getMatchingRequest(exchange)
.flatMap(r -> this.requestCache.removeRequest(exchange))
.map(r -> exchange.mutate().request(r).build())
.defaultIfEmpty(exchange)
.flatMap(e -> chain.filter(e));
}
public void setRequestCache(ServerRequestCache requestCache) {
Assert.notNull(requestCache, "requestCache cannot be null");
this.requestCache = requestCache;
}
}

View File

@ -0,0 +1,99 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.savedrequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;
import java.net.URI;
/**
* An implementation of {@link ServerRequestCache} that saves the
* {@link ServerHttpRequest} in the {@link WebSession}.
*
* The current implementation only saves the URL that was requested.
*
* @author Rob Winch
* @since 5.0
*/
public class WebSessionServerRequestCache implements ServerRequestCache {
private static final String DEFAULT_SAVED_REQUEST_ATTR = "SPRING_SECURITY_SAVED_REQUEST";
protected final Log logger = LogFactory.getLog(this.getClass());
private String sessionAttrName = DEFAULT_SAVED_REQUEST_ATTR;
private ServerWebExchangeMatcher saveRequestMatcher = ServerWebExchangeMatchers.pathMatchers(
HttpMethod.GET, "/**");
/**
* Sets the matcher to determine if the request should be saved. The default is to match
* on any GET request.
*
* @param saveRequestMatcher
*/
public void setSaveRequestMatcher(ServerWebExchangeMatcher saveRequestMatcher) {
Assert.notNull(saveRequestMatcher, "saveRequestMatcher cannot be null");
this.saveRequestMatcher = saveRequestMatcher;
}
@Override
public Mono<Void> saveRequest(ServerWebExchange exchange) {
return this.saveRequestMatcher.matches(exchange)
.filter(m -> m.isMatch())
.flatMap(m -> exchange.getSession())
.map(WebSession::getAttributes)
.doOnNext(attrs -> attrs.put(this.sessionAttrName, pathInApplication(exchange.getRequest())))
.then();
}
@Override
public Mono<ServerHttpRequest> getRequest(ServerWebExchange exchange) {
return exchange.getSession()
.flatMap(session -> Mono.justOrEmpty(session.<String>getAttribute(this.sessionAttrName)))
.map(path -> exchange.getRequest().mutate().path(path).build());
}
@Override
public Mono<ServerHttpRequest> getMatchingRequest(
ServerWebExchange exchange) {
return getRequest(exchange)
.filter( request -> pathInApplication(request).equals(
pathInApplication(exchange.getRequest())));
}
@Override
public Mono<ServerHttpRequest> removeRequest(ServerWebExchange exchange) {
return exchange.getSession()
.map(WebSession::getAttributes)
.flatMap(attrs -> Mono.justOrEmpty(attrs.remove(this.sessionAttrName)))
.cast(String.class)
.map(path -> exchange.getRequest().mutate().path(path).build());
}
private static String pathInApplication(ServerHttpRequest request) {
return request.getPath().pathWithinApplication().value();
}
}

View File

@ -0,0 +1,82 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.savedrequest;
import org.junit.Test;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import static org.assertj.core.api.Assertions.*;
/**
* @author Rob Winch
* @since 5.0
*/
public class WebSessionServerRequestCacheTests {
private WebSessionServerRequestCache cache = new WebSessionServerRequestCache();
@Test
public void saveRequestGetRequestWhenGetThenFound() {
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/secured/"));
this.cache.saveRequest(exchange).block();
ServerHttpRequest saved = this.cache.getRequest(exchange).block();
assertThat(saved.getURI()).isEqualTo(exchange.getRequest().getURI());
}
@Test
public void saveRequestGetRequestWhenPostThenNotFound() {
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.post("/secured/"));
this.cache.saveRequest(exchange).block();
assertThat(this.cache.getRequest(exchange).block()).isNull();
}
@Test
public void saveRequestGetRequestWhenPostAndCustomMatcherThenFound() {
this.cache.setSaveRequestMatcher(e -> ServerWebExchangeMatcher.MatchResult.match());
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.post("/secured/"));
this.cache.saveRequest(exchange).block();
ServerHttpRequest saved = this.cache.getRequest(exchange).block();
assertThat(saved.getURI()).isEqualTo(exchange.getRequest().getURI());
}
@Test
public void saveRequestRemoveRequestWhenThenFound() {
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/secured/"));
this.cache.saveRequest(exchange).block();
ServerHttpRequest saved = this.cache.removeRequest(exchange).block();
assertThat(saved.getURI()).isEqualTo(exchange.getRequest().getURI());
}
@Test
public void removeRequestGetRequestWhenDefaultThenNotFound() {
MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/secured/"));
this.cache.saveRequest(exchange).block();
this.cache.removeRequest(exchange).block();
assertThat(this.cache.getRequest(exchange).block()).isNull();
}
}