Use authorizeHttpRequests

Issue gh-15174
Josh Cummings 2025-07-07 17:54:53 -06:00
parent dadf10899c
commit 2c87270dbc
GPG Key ID: 869B37A20E876129
94 changed files with 611 additions and 839 deletions


@ -331,8 +331,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .anyRequest().hasRole(&quot;USER&quot;)
* )
* .formLogin((formLogin) -&gt;
@ -465,8 +465,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .jee((jee) -&gt;
@ -545,8 +545,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .x509(withDefaults());
@ -582,8 +582,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults())
@ -865,8 +865,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .requestCache((requestCache) -&gt;
@ -904,8 +904,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* // sample exception handling customization
@ -1042,8 +1042,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults())
@ -1098,8 +1098,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults())
@ -1135,8 +1135,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults())
@ -1188,8 +1188,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults());
@ -1218,8 +1218,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin((formLogin) -&gt;
@ -1298,8 +1298,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .anyRequest().authenticated()
* )
* .saml2Login(withDefaults());
@ -1387,7 +1387,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain web(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorize) -&gt; authorize
* .authorizeHttpRequests((authorize) -&gt; authorize
* .anyRequest().authenticated()
* )
* .saml2Login(withDefaults())
@ -1516,8 +1516,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .anyRequest().authenticated()
* )
* .oauth2Login(withDefaults());
@ -1596,8 +1596,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .anyRequest().authenticated()
* )
* .oauth2Client(withDefaults());
@ -1635,8 +1635,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .anyRequest().authenticated()
* )
* .oauth2ResourceServer((oauth2ResourceServer) -&gt;
@ -1731,8 +1731,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .formLogin(withDefaults())
@ -1833,8 +1833,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests((authorizeRequests) -&gt;
* authorizeRequests
* .authorizeHttpRequests((authorizeHttpRequests) -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .httpBasic(withDefaults());
@ -1878,8 +1878,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
* &#064;Bean
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
* http
* .authorizeRequests(authorizeRequests -&gt;
* authorizeRequests
* .authorizeHttpRequests(authorizeHttpRequests -&gt;
* authorizeHttpRequests
* .requestMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
* )
* .passwordManagement(passwordManagement -&gt;


@ -99,11 +99,11 @@ final class WebSecurityFilterChainValidator implements FilterChainProxy.FilterCh
}
if (authorizationFilter != null && filterSecurityInterceptor != null) {
this.logger.warn(
"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
}
if (filterSecurityInterceptor != null) {
this.logger.warn(
"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
}
authorizationFilter = null;
filterSecurityInterceptor = null;
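Review bot: With the broader wording, a chain that contains both filters logs two warnings that say nearly the same thing, because the second `if (filterSecurityInterceptor != null)` is also true whenever the first condition holds. Changing it to `else if (filterSecurityInterceptor != null) {` would emit one message per chain. The second message would also read better with a singular verb, `"Usage of authorizeRequests and FilterSecurityInterceptor is deprecated. Please use authorizeHttpRequests in the configuration"`. The same two strings are repeated verbatim in the DefaultFilterChainValidator hunk, so both points apply there too, and a shared constant would keep the two validators in sync. The enclosing method starts and ends outside the hunk.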


@ -126,11 +126,11 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
}
if (authorizationFilter != null && filterSecurityInterceptor != null) {
this.logger.warn(
"It is not recommended to use authorizeRequests in the configuration. Please only use authorizeHttpRequests");
"It is not recommended to use authorizeRequests or FilterSecurityInterceptor in the configuration. Please only use authorizeHttpRequests");
}
if (filterSecurityInterceptor != null) {
this.logger.warn(
"Usage of authorizeRequests is deprecated. Please use authorizeHttpRequests in the configuration");
"Usage of authorizeRequests and FilterSecurityInterceptor are deprecated. Please use authorizeHttpRequests in the configuration");
}
authorizationFilter = null;
filterSecurityInterceptor = null;


@ -40,7 +40,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher
* @Bean
* fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
* http {
* authorizeRequests {
* authorizeHttpRequests {
* authorize("/public", permitAll)
* authorize(anyRequest, authenticated)
* }


@ -52,7 +52,7 @@ public class SecurityConfig {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers(pathPattern("/*")).permitAll())
.authenticationProvider(authenticationProvider());
// @formatter:on
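Review bot: The rule set here has no `anyRequest()` entry, and `pathPattern("/*")` appears to cover only single-segment paths, so swapping the DSL method may change what happens to every other request. As far as I know, the `authorizeRequests` interceptor lets a request with no matching rule through by default, while `authorizeHttpRequests` denies it. If the surrounding tests only hit paths that match `/*` this is harmless, but a final `.anyRequest().denyAll()` (or `.permitAll()`, whichever the tests rely on) would make the intended outcome explicit. The body of filterChain continues outside the hunk.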


@ -38,7 +38,9 @@ import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
@ -84,11 +86,13 @@ public class Sec2758Tests {
static class SecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().access("hasAnyRole('CUSTOM')"));
.authorizeHttpRequests((requests) -> requests
.anyRequest().access(authz.expression("hasAnyRole('CUSTOM')"))
);
return http.build();
// @formatter:on
}
@ -103,6 +107,16 @@ public class Sec2758Tests {
return new DefaultRolesPrefixPostProcessor();
}
@Bean
static WebExpressionAuthorizationManager.Builder authz(DefaultHttpSecurityExpressionHandler expressionHandler) {
return WebExpressionAuthorizationManager.withExpressionHandler(expressionHandler);
}
@Bean
static DefaultHttpSecurityExpressionHandler expressionHandler() {
return new DefaultHttpSecurityExpressionHandler();
}
@RestController
static class RootController {
@ -140,6 +154,9 @@ public class Sec2758Tests {
if (bean instanceof DefaultWebSecurityExpressionHandler) {
((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
}
if (bean instanceof DefaultHttpSecurityExpressionHandler http) {
http.setDefaultRolePrefix("");
}
return bean;
}


@ -85,7 +85,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.requestMatchers(pathPattern("/demo/**")).permitAll());
return http.build();
@ -102,7 +102,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
SecurityFilterChain filterChain(HttpSecurity http, PathPatternRequestMatcher.Builder builder) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.requestMatchers(builder.matcher("/demo/**")).permitAll());
return http.build();
@ -119,7 +119,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll());
return http.build();
@ -136,7 +136,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.anyRequest().permitAll());
return http.build();
@ -153,7 +153,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.requestMatchers(pathPattern("/**")).permitAll());
return http.build();


@ -152,7 +152,7 @@ public class HttpConfigurationTests {
.securityMatchers((security) -> security
.requestMatchers(pathPattern("/api/**"))
.requestMatchers(pathPattern("/oauth/**")))
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.httpBasic(withDefaults());
return http.build();


@ -84,7 +84,7 @@ public class HttpSecurityAuthenticationManagerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.httpBasic(withDefaults())
@ -106,7 +106,7 @@ public class HttpSecurityAuthenticationManagerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.httpBasic(withDefaults())


@ -16,6 +16,10 @@
package org.springframework.security.config.annotation.web.builders;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
@ -25,17 +29,20 @@ import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
@ -47,15 +54,15 @@ import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Controller;
@ -99,14 +106,12 @@ public class NamespaceHttpTests {
@Test // http@access-decision-manager-ref
public void configureWhenAccessDecisionManagerSetThenVerifyUse() throws Exception {
AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER = mock(AccessDecisionManager.class);
given(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER.supports(FilterInvocation.class)).willReturn(true);
given(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER.supports(any(ConfigAttribute.class)))
.willReturn(true);
this.spring.register(AccessDecisionManagerRefConfig.class).autowire();
AccessDecisionManager accessDecisionManager = this.spring.getContext().getBean(AccessDecisionManager.class);
given(accessDecisionManager.supports(FilterInvocation.class)).willReturn(true);
given(accessDecisionManager.supports(any(ConfigAttribute.class))).willReturn(true);
this.mockMvc.perform(get("/"));
verify(AccessDecisionManagerRefConfig.ACCESS_DECISION_MANAGER, times(1)).decide(any(Authentication.class),
any(), anyCollection());
verify(accessDecisionManager, times(1)).decide(any(Authentication.class), any(), anyCollection());
}
@Test // http@access-denied-page
@ -267,39 +272,61 @@ public class NamespaceHttpTests {
.isAssignableFrom(MainController.HTTP_SERVLET_REQUEST_TYPE);
}
@Test // http@use-expressions=true
public void configureWhenUseExpressionsEnabledThenExpressionBasedSecurityMetadataSource() {
this.spring.register(UseExpressionsConfig.class).autowire();
UseExpressionsConfig config = this.spring.getContext().getBean(UseExpressionsConfig.class);
assertThat(ExpressionBasedFilterInvocationSecurityMetadataSource.class)
.isAssignableFrom(config.filterInvocationSecurityMetadataSourceType);
}
@Test // http@use-expressions=false
public void configureWhenUseExpressionsDisabledThenDefaultSecurityMetadataSource() {
this.spring.register(DisableUseExpressionsConfig.class).autowire();
DisableUseExpressionsConfig config = this.spring.getContext().getBean(DisableUseExpressionsConfig.class);
assertThat(DefaultFilterInvocationSecurityMetadataSource.class)
.isAssignableFrom(config.filterInvocationSecurityMetadataSourceType);
}
@Configuration
@EnableWebSecurity
static class AccessDecisionManagerRefConfig {
static AccessDecisionManager ACCESS_DECISION_MANAGER;
AccessDecisionManager accessDecisionManager = mock(AccessDecisionManager.class);
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().permitAll()
.accessDecisionManager(ACCESS_DECISION_MANAGER));
.authorizeHttpRequests((requests) -> requests
.anyRequest().access(new AccessAuthorizationManagerAdapter(this.accessDecisionManager, "permitAll"))
);
return http.build();
// @formatter:on
}
@Bean
AccessDecisionManager accessDecisionManager() {
return this.accessDecisionManager;
}
private static final class AccessAuthorizationManagerAdapter
implements AuthorizationManager<RequestAuthorizationContext> {
private final AccessDecisionManager delegate;
private final SecurityMetadataSource metadataSource;
private AccessAuthorizationManagerAdapter(AccessDecisionManager delegate, String expression) {
this.delegate = delegate;
LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> mappings = new LinkedHashMap<>();
mappings.put(AnyRequestMatcher.INSTANCE, SecurityConfig.createList(expression));
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
this.metadataSource = new ExpressionBasedFilterInvocationSecurityMetadataSource(mappings, handler);
}
@Override
public AuthorizationResult authorize(Supplier<Authentication> authentication,
RequestAuthorizationContext object) {
HttpServletRequest request = object.getRequest();
FilterInvocation invocation = new FilterInvocation(request.getContextPath(), request.getServletPath(),
request.getPathInfo(), request.getQueryString(), request.getMethod());
Collection<ConfigAttribute> attributes = this.metadataSource.getAttributes(invocation);
try {
this.delegate.decide(authentication.get(), invocation, attributes);
return new AuthorizationDecision(true);
}
catch (AccessDeniedException ex) {
return new AuthorizationDecision(false);
}
}
}
}
@Configuration
@ -311,7 +338,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin").hasRole("ADMIN")
.anyRequest().authenticated())
.exceptionHandling((handling) -> handling
@ -337,7 +364,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults());
return http.build();
@ -354,7 +381,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll())
.sessionManagement((management) -> management
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS));
@ -372,7 +399,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll())
.sessionManagement((management) -> management
.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
@ -391,7 +418,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/unsecure").permitAll()
.anyRequest().authenticated())
.sessionManagement((management) -> management
@ -411,7 +438,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().anonymous())
.sessionManagement((management) -> management
.sessionCreationPolicy(SessionCreationPolicy.NEVER));
@ -429,7 +456,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.exceptionHandling((handling) -> handling
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/entry-point")))
@ -463,7 +490,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic((basic) -> basic
.realmName("RealmConfig"));
@ -553,7 +580,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.securityContext((context) -> context
.securityContextRepository(new NullSecurityContextRepository()))
@ -577,7 +604,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll())
.servletApi((api) -> api
.disable());
@ -595,7 +622,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll());
return http.build();
// @formatter:on
@ -616,76 +643,4 @@ public class NamespaceHttpTests {
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class UseExpressionsConfig {
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
private HttpSecurity httpSecurity;
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
.requestMatchers("/signup").permitAll()
.anyRequest().hasRole("USER"));
this.httpSecurity = http;
return http.build();
// @formatter:on
}
@Bean
@DependsOn("filterChain")
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.postBuildAction(() -> {
FilterSecurityInterceptor securityInterceptor = this.httpSecurity
.getSharedObject(FilterSecurityInterceptor.class);
UseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor
.getSecurityMetadataSource()
.getClass();
});
}
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class DisableUseExpressionsConfig {
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
private HttpSecurity httpSecurity;
@Bean
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
// @formatter:off
http
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
.requestMatchers("/signup").hasRole("ANONYMOUS")
.anyRequest().hasRole("USER");
this.httpSecurity = http;
return http.build();
// @formatter:on
}
@Bean
@DependsOn("filterChain")
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.postBuildAction(() -> {
FilterSecurityInterceptor securityInterceptor = this.httpSecurity
.getSharedObject(FilterSecurityInterceptor.class);
DisableUseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor
.getSecurityMetadataSource()
.getClass();
});
}
}
}
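Review bot: `AccessAuthorizationManagerAdapter` has no documentation, and two of its properties are easy to miss. `authorize` rebuilds the `FilterInvocation` from five strings instead of the live request, so the delegate sees (as far as I can tell) a stand-in request without headers, attributes or session, and any normal return from `decide` is reported as granted, with only `AccessDeniedException` mapped to a denial. That is sufficient for this test, where the delegate is a mock and only the `decide` call is verified, but a class Javadoc should say so and mark the adapter as test-only rather than a migration template. The two `supports(...)` stubs in `configureWhenAccessDecisionManagerSetThenVerifyUse` are never exercised by this adapter, which calls only `decide`, so they could be dropped or explained.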


@ -138,7 +138,7 @@ public class WebSecurityTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -178,7 +178,7 @@ public class WebSecurityTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
// @formatter:on
return http.build();


@ -32,7 +32,6 @@ import org.mockito.Mock;
import org.mockito.MockedStatic;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -85,7 +84,6 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
@ -312,22 +310,6 @@ public class HttpSecurityConfigurationTests {
assertThat(CustomAuthenticationEventPublisherConfig.EVENTS).hasSize(1);
}
@Test
public void configureWhenAuthorizeHttpRequestsBeforeAuthorizeRequestThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig.class).autowire())
.withMessageContaining(
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
}
@Test
public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(AuthorizeHttpRequestsAfterAuthorizeRequestsConfig.class).autowire())
.withMessageContaining(
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
}
@Test
public void configureWhenDefaultConfigurerAsSpringFactoryThenDefaultConfigurerApplied() {
DefaultConfigurer configurer = new DefaultConfigurer();
@ -472,7 +454,7 @@ public class HttpSecurityConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().permitAll()
)
.build();
@ -489,7 +471,7 @@ public class HttpSecurityConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults())
@ -516,46 +498,6 @@ public class HttpSecurityConfigurationTests {
}
@Configuration
@EnableWebSecurity
static class AuthorizeHttpRequestsBeforeAuthorizeRequestsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.authorizeRequests((requests) -> requests
.anyRequest().authenticated()
)
.build();
// @formatter:on
}
}
@Configuration
@EnableWebSecurity
static class AuthorizeHttpRequestsAfterAuthorizeRequestsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((requests) -> requests
.anyRequest().authenticated()
)
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.build();
// @formatter:on
}
}
@Configuration
static class CustomAuthenticationEventPublisherConfig {


@ -273,7 +273,7 @@ public class OAuth2ClientConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2Login(withDefaults());
return http.build();
@ -311,7 +311,7 @@ public class OAuth2ClientConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2Login(withDefaults());
return http.build();
@ -329,7 +329,7 @@ public class OAuth2ClientConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2Login(withDefaults());
return http.build();
@ -367,7 +367,7 @@ public class OAuth2ClientConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2Login(withDefaults());
return http.build();


@ -38,7 +38,6 @@ import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
@ -62,6 +61,7 @@ import org.springframework.security.web.access.PathPatternRequestTransformer;
import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.util.ClassUtils;
import org.springframework.web.bind.annotation.GetMapping;
@ -71,7 +71,6 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;
@ -137,12 +136,9 @@ public class WebSecurityConfigurationTests {
@Test
public void loadConfigWhenSecurityExpressionHandlerSetThenIsRegistered() {
WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER = mock(SecurityExpressionHandler.class);
given(WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER.getExpressionParser())
.willReturn(mock(ExpressionParser.class));
this.spring.register(WebSecurityExpressionHandlerConfig.class).autowire();
assertThat(this.spring.getContext().getBean(SecurityExpressionHandler.class))
.isSameAs(WebSecurityExpressionHandlerConfig.EXPRESSION_HANDLER);
assertThat(this.spring.getContext().getBean("webSecurityExpressionHandler", SecurityExpressionHandler.class))
.isSameAs(this.spring.getContext().getBean("mock"));
}
@Test
@ -316,7 +312,7 @@ public class WebSecurityConfigurationTests {
// null authentication
assertThat(privilegeEvaluator.isAllowed("/user", null)).isFalse();
assertThat(privilegeEvaluator.isAllowed("/admin", null)).isFalse();
assertThat(privilegeEvaluator.isAllowed("/another", null)).isFalse();
assertThat(privilegeEvaluator.isAllowed("/another", null)).isTrue();
assertThat(privilegeEvaluator.isAllowed("/ignoring1", null)).isTrue();
assertThat(privilegeEvaluator.isAllowed("/ignoring1/child", null)).isTrue();
}
@ -415,7 +411,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
return http
.securityMatcher(pathPattern("/role1/**"))
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
.build();
@ -428,7 +424,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
return http
.securityMatcher(pathPattern("/role2/**"))
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("2")
)
.build();
@ -441,7 +437,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
return http
.securityMatcher(pathPattern("/role3/**"))
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("3")
)
.build();
@ -452,7 +448,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain4(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("4")
)
.build();
@ -472,7 +468,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
return http
.securityMatcher(pathPattern("/role1/**"))
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
.build();
@ -518,22 +514,16 @@ public class WebSecurityConfigurationTests {
@EnableWebSecurity
static class WebSecurityExpressionHandlerConfig {
static SecurityExpressionHandler EXPRESSION_HANDLER;
SecurityExpressionHandler<FilterInvocation> expressionHandler = mock(SecurityExpressionHandler.class);
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.expressionHandler(EXPRESSION_HANDLER);
return (web) -> web.expressionHandler(this.expressionHandler);
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().authenticated()
.expressionHandler(EXPRESSION_HANDLER));
return http.build();
// @formatter:on
@Bean("mock")
SecurityExpressionHandler<FilterInvocation> expressionHandler() {
return this.expressionHandler;
}
}
@ -557,7 +547,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated());
return http.build();
// @formatter:on
@ -608,7 +598,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated());
return http.build();
// @formatter:on
@ -624,7 +614,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.build();
@ -638,15 +628,22 @@ public class WebSecurityConfigurationTests {
static class DefaultExpressionHandlerSetsBeanResolverConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().access("request.method == 'GET' ? @b.grant() : @b.deny()"));
.authorizeHttpRequests((requests) -> requests
.anyRequest().access(authz.expression("request.method == 'GET' ? @b.grant() : @b.deny()"))
);
return http.build();
// @formatter:on
}
@Bean
WebExpressionAuthorizationManager.Builder authz() {
return WebExpressionAuthorizationManager.withDefaults();
}
@Bean
public MyBean b() {
return new MyBean();
@ -727,7 +724,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
return http
.securityMatcher(pathPattern("/role1/**"))
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
.build();
@ -766,7 +763,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/path1/**")))
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
// @formatter:on
return http.build();
}
@ -774,7 +771,7 @@ public class WebSecurityConfigurationTests {
@Bean
@Order(Ordered.LOWEST_PRECEDENCE)
public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}
@ -790,7 +787,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/path1/**")))
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
// @formatter:on
return http.build();
}
@ -798,7 +795,7 @@ public class WebSecurityConfigurationTests {
@Bean
@Order(Ordered.LOWEST_PRECEDENCE)
public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}
@ -815,7 +812,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/user")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
// @formatter:on
return http.build();
}
@ -826,7 +823,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/admin")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
// @formatter:on
return http.build();
}
@ -834,7 +831,7 @@ public class WebSecurityConfigurationTests {
@Bean
@Order(Ordered.LOWEST_PRECEDENCE)
public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}
@ -857,7 +854,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/user")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
// @formatter:on
return http.build();
}
@ -868,7 +865,7 @@ public class WebSecurityConfigurationTests {
// @formatter:off
http
.securityMatchers((requests) -> requests.requestMatchers(pathPattern("/admin")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
// @formatter:on
return http.build();
}
@ -876,7 +873,7 @@ public class WebSecurityConfigurationTests {
@Bean
@Order(Ordered.LOWEST_PRECEDENCE)
public SecurityFilterChain permitAll(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}
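Review bot: The expectation for `/another` with a null authentication flips from `isFalse()` to `isTrue()` in the `// null authentication` block, and nothing in the test says why an unauthenticated caller is now reported as allowed. Presumably the path falls to one of the lowest-precedence `permitAll()` chains, and under `authorizeHttpRequests` that rule grants without consulting the Authentication; the configuration this test registers is outside the hunk, so that needs confirming. I would record the reason next to the assertion, e.g. `// /another is served by the permitAll() chain, which grants even when authentication is null`, so a later reader does not mistake the `isTrue()` for a loosened policy. The test method starts outside the hunk.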


@ -146,9 +146,7 @@ public class AnonymousConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.anyRequest().permitAll()
)
.authorizeHttpRequests((authorize) -> authorize.anyRequest().anonymous())
.anonymous(AbstractHttpConfigurer::disable);
// @formatter:on
return http.build();
@ -169,7 +167,7 @@ public class AnonymousConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().permitAll()
)
.anonymous(withDefaults());
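Review bot: The first configuration changes the rule itself, not only the API: `anyRequest().permitAll()` becomes `anyRequest().anonymous()` while `.anonymous(AbstractHttpConfigurer::disable)` stays on the next line. With anonymous authentication disabled no anonymous principal is created, so this rule is presumably expected to deny every request, which is a different policy from the one the old configuration expressed; the test that uses it is not in the hunk. A one-line comment above the rule would make the intent reviewable, e.g. `// anonymous() rather than permitAll(): with the anonymous filter disabled there is no anonymous token to satisfy it`. The second configuration keeps `permitAll()`, so the two are no longer parallel.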


@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.servlet.MockServletContext;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@ -205,7 +206,7 @@ public class AuthorizeRequestsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers(pathPattern(HttpMethod.POST, "/**")).denyAll());
// @formatter:on
return http.build();
@ -226,7 +227,7 @@ public class AuthorizeRequestsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers(pathPattern(HttpMethod.POST, "/**")).denyAll()
);
// @formatter:on
@ -249,10 +250,11 @@ public class AuthorizeRequestsTests {
PathPatternParser parser = new PathPatternParser();
parser.setCaseSensitive(false);
PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(parser);
WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#user == 'user'");
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers(builder.matcher("/user/{user}")).access("#user == 'user'")
.authorizeHttpRequests((requests) -> requests
.requestMatchers(builder.matcher("/user/{user}")).access(authz)
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -274,10 +276,12 @@ public class AuthorizeRequestsTests {
PathPatternParser parser = new PathPatternParser();
parser.setCaseSensitive(false);
PathPatternRequestMatcher.Builder builder = PathPatternRequestMatcher.withPathPatternParser(parser);
WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers(builder.matcher("/user/{userName}")).access("#userName == 'user'")
.authorizeHttpRequests((requests) -> requests
.requestMatchers(builder.matcher("/user/{userName}")).access(authz)
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -298,7 +302,7 @@ public class AuthorizeRequestsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("ADMIN"));
// @formatter:on
return http.build();
@ -326,7 +330,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/path").denyAll());
// @formatter:on
return http.build();
@ -359,7 +363,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/path").denyAll()
);
// @formatter:on
@ -394,7 +398,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers(spring.matcher("/path")).denyAll());
// @formatter:on
return http.build();
@ -428,7 +432,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers(spring.matcher("/path")).denyAll()
);
// @formatter:on
@ -459,11 +463,12 @@ public class AuthorizeRequestsTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.requestMatchers("/user/{userName}").access("#userName == 'user'"));
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/user/{userName}").access(authz));
// @formatter:on
return http.build();
}
@ -492,11 +497,12 @@ public class AuthorizeRequestsTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager("#userName == 'user'");
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((authorize) -> authorize
.requestMatchers("/user/{userName}").access("#userName == 'user'")
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/user/{userName}").access(authz)
);
// @formatter:on
return http.build();
@ -529,7 +535,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/user").denyAll());
// @formatter:on
return http.build();
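Review bot: Several of the migrated chains declare a rule for a single matcher and no `anyRequest()` fallback (`pathPattern(HttpMethod.POST, "/**")`, `"/path"`, `spring.matcher("/path")`, `"/user/{userName}"` and `"/user"`), and the two APIs do not treat a request that matches none of them the same way. As far as I know `authorizeRequests` let such a request through while `authorizeHttpRequests` denies it, so these configurations now protect more than their single rule suggests. The tests that exercise them are outside the hunks, so I cannot tell whether any still expects the old pass-through. I would make the fallback explicit in each chain, for example `.anyRequest().denyAll()` as the two case-insensitive-parser configurations already do, or add an assertion for an unmatched path.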


@ -204,7 +204,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.cors(withDefaults());
return http.build();
@ -222,7 +222,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.cors(withDefaults());
return http.build();
@ -251,7 +251,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.cors(withDefaults());
@ -280,7 +280,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.cors(withDefaults());
return http.build();
@ -307,7 +307,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.cors(withDefaults());
@ -335,7 +335,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.cors(withDefaults());
return http.build();
@ -362,7 +362,7 @@ public class CorsConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.cors(withDefaults());


@ -707,7 +707,7 @@ public class CsrfConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults())
.csrf((csrf) -> csrf
@ -733,7 +733,7 @@ public class CsrfConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults())
.csrf((csrf) -> csrf
@ -937,7 +937,7 @@ public class CsrfConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll())
.formLogin(withDefaults())
.httpBasic(withDefaults());


@ -43,7 +43,7 @@ import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
@ -121,7 +121,7 @@ public class DefaultFiltersTests {
assertThat(classes).contains(SecurityContextHolderAwareRequestFilter.class);
assertThat(classes).contains(AnonymousAuthenticationFilter.class);
assertThat(classes).contains(ExceptionTranslationFilter.class);
assertThat(classes).contains(FilterSecurityInterceptor.class);
assertThat(classes).contains(AuthorizationFilter.class);
}
@Test
@ -190,7 +190,7 @@ public class DefaultFiltersTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"));
return http.build();
// @formatter:on


@ -387,7 +387,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults());
// @formatter:on
@ -409,7 +409,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.logout((logout) -> logout
.logoutSuccessHandler(new SimpleUrlLogoutSuccessHandler()))
@ -428,7 +428,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.logout((logout) -> logout
.logoutSuccessUrl("/login?logout"))
@ -447,7 +447,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe(withDefaults());
@ -472,7 +472,7 @@ public class DefaultLoginPageConfigurerTests {
http
.exceptionHandling((handling) -> handling
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults());
return http.build();
@ -512,7 +512,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults());
@ -530,7 +530,7 @@ public class DefaultLoginPageConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults())


@ -87,7 +87,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.exceptionHandling((handling) -> handling
.defaultAccessDeniedHandlerFor(
@ -113,7 +113,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
)
.exceptionHandling((exceptionHandling) -> exceptionHandling
@ -143,7 +143,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.exceptionHandling((handling) -> handling
.defaultAccessDeniedHandlerFor(


@ -292,7 +292,7 @@ public class ExceptionHandlingConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic(withDefaults())
.formLogin(withDefaults());
@ -329,7 +329,7 @@ public class ExceptionHandlingConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic(withDefaults())
.formLogin(withDefaults());
@ -349,7 +349,7 @@ public class ExceptionHandlingConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.exceptionHandling((handling) -> handling
.authenticationEntryPoint(AEP))


@ -18,27 +18,30 @@ package org.springframework.security.config.annotation.web.configurers;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Supplier;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationEvent;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@ -51,12 +54,13 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.PasswordEncodedUser;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.IpAddressAuthorizationManager;
import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.stereotype.Component;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.web.bind.annotation.GetMapping;
@ -67,9 +71,6 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@ -79,7 +80,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests for {@link ExpressionUrlAuthorizationConfigurer}
* Tests for {@link AuthorizeHttpRequestsConfigurer}
*
* @author Rob Winch
* @author Eleftheria Stein
@ -98,14 +99,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(HasRoleStartingWithRoleConfig.class).autowire())
.withRootCauseInstanceOf(IllegalArgumentException.class)
.withMessageContaining(
"role should not start with 'ROLE_' since it is automatically inserted. Got 'ROLE_USER'");
}
@Test
public void configureWhenNoCustomAccessDecisionManagerThenUsesAffirmativeBased() {
this.spring.register(NoSpecificAccessDecisionManagerConfig.class).autowire();
verify(NoSpecificAccessDecisionManagerConfig.objectPostProcessor).postProcess(any(AffirmativeBased.class));
.withMessageContaining("ROLE_USER should not start with ROLE_");
}
@Test
@ -113,7 +107,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(NoRequestsConfig.class).autowire())
.withMessageContaining(
"At least one mapping is required (i.e. authorizeRequests().anyRequest().authenticated())");
"At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())");
}
@Test
@ -510,13 +504,6 @@ public class ExpressionUrlAuthorizationConfigurerTests {
this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
}
// SEC-3011
@Test
public void configureWhenRegisteringObjectPostProcessorThenInvokedOnAccessDecisionManager() {
this.spring.register(Sec3011Config.class).autowire();
verify(Sec3011Config.objectPostProcessor).postProcess(any(AccessDecisionManager.class));
}
@Test
public void getWhenRegisteringPermissionEvaluatorAndPermissionWithIdAndTypeMatchesThenRespondsWithOk()
throws Exception {
@ -567,7 +554,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("ROLE_USER"));
return http.build();
// @formatter:on
@ -575,29 +562,6 @@ public class ExpressionUrlAuthorizationConfigurerTests {
}
@Configuration
@EnableWebSecurity
static class NoSpecificAccessDecisionManagerConfig {
static ObjectPostProcessor<Object> objectPostProcessor = spy(ReflectingObjectPostProcessor.class);
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().hasRole("USER"));
return http.build();
// @formatter:on
}
@Bean
static ObjectPostProcessor<Object> objectPostProcessor() {
return objectPostProcessor;
}
}
@Configuration
@EnableWebSecurity
static class NoRequestsConfig {
@ -606,7 +570,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests(withDefaults());
.authorizeHttpRequests(withDefaults());
return http.build();
// @formatter:on
}
@ -622,7 +586,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/a").authenticated()
.anyRequest());
return http.build();
@ -640,7 +604,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyAuthority("ROLE_USER"));
return http.build();
// @formatter:on
@ -657,7 +621,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAuthority("ROLE_USER"));
return http.build();
// @formatter:on
@ -674,7 +638,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyAuthority("ROLE_USER", "ROLE_ADMIN"));
return http.build();
// @formatter:on
@ -690,7 +654,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER"));
return http.build();
// @formatter:on
@ -706,7 +670,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER"));
return http.build();
// @formatter:on
@ -727,7 +691,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER"));
return http.build();
// @formatter:on
@ -748,7 +712,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER", "ADMIN"));
return http.build();
// @formatter:on
@ -764,7 +728,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER", "ADMIN"));
return http.build();
// @formatter:on
@ -785,7 +749,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasAnyRole("USER", "ADMIN"));
return http.build();
// @formatter:on
@ -807,8 +771,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.anyRequest().hasIpAddress("192.168.1.0"));
.authorizeHttpRequests((requests) -> requests
.anyRequest().access(IpAddressAuthorizationManager.hasIpAddress("192.168.1.0"))
);
return http.build();
// @formatter:on
}
@ -824,7 +789,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().anonymous());
return http.build();
// @formatter:on
@ -842,7 +807,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
http
.rememberMe(withDefaults())
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().rememberMe());
// @formatter:on
return http.build();
@ -864,7 +829,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
return http.build();
// @formatter:on
@ -881,7 +846,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().not().denyAll());
return http.build();
// @formatter:on
@ -899,7 +864,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
http
.rememberMe(withDefaults())
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().fullyAuthenticated());
return http.build();
// @formatter:on
@ -918,12 +883,13 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
WebExpressionAuthorizationManager authz = new WebExpressionAuthorizationManager(
"hasRole('ROLE_USER') or request.method == 'GET'");
// @formatter:off
http
.rememberMe(withDefaults())
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.anyRequest().access("hasRole('ROLE_USER') or request.method == 'GET'"));
.authorizeHttpRequests((requests) -> requests.anyRequest().access(authz));
return http.build();
// @formatter:on
}
@ -944,9 +910,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.authorizeRequests(withDefaults());
.authorizeHttpRequests(withDefaults());
return http.build();
// @formatter:on
}
@ -960,15 +926,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityExpressionHandler<FilterInvocation> handler = new DefaultWebSecurityExpressionHandler();
WebExpressionVoter expressionVoter = new WebExpressionVoter();
AffirmativeBased adm = new AffirmativeBased(Collections.singletonList(expressionVoter));
// @formatter:off
http
.authorizeRequests((requests) -> requests
.expressionHandler(handler)
.accessDecisionManager(adm)
.filterSecurityInterceptorOncePerRequest(true)
.authorizeHttpRequests((requests) -> requests
.shouldFilterAllDispatcherTypes(false)
.requestMatchers("/a", "/b").hasRole("ADMIN")
.anyRequest().permitAll())
.formLogin(withDefaults());
@ -986,33 +947,31 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().permitAll()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(
O fsi) {
fsi.setPublishAuthorizationSuccess(true);
return fsi;
}
}));
.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
// @formatter:on
}
@Bean
ApplicationListener<AuthorizedEvent> applicationListener() {
AuthorizationEventPublisher publisher(ApplicationEventPublisher publisher) {
SpringAuthorizationEventPublisher authzEvents = new SpringAuthorizationEventPublisher(publisher);
authzEvents.setShouldPublishResult((result) -> true);
return authzEvents;
}
@Bean
ApplicationListener<AuthorizationEvent> applicationListener() {
return new AuthorizedEventApplicationListener();
}
}
static class AuthorizedEventApplicationListener implements ApplicationListener<AuthorizedEvent> {
static class AuthorizedEventApplicationListener implements ApplicationListener<AuthorizationEvent> {
static final List<AuthorizedEvent> EVENTS = new ArrayList<>();
static final List<AuthorizationEvent> EVENTS = new ArrayList<>();
@Override
public void onApplicationEvent(AuthorizedEvent event) {
public void onApplicationEvent(AuthorizationEvent event) {
EVENTS.add(event);
}
@ -1028,14 +987,22 @@ public class ExpressionUrlAuthorizationConfigurerTests {
static class UseBeansInExpressions {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
WebExpressionAuthorizationManager user = new WebExpressionAuthorizationManager(
"@permission.check(authentication,'user')");
DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
expressionHandler.setApplicationContext(context);
user.setExpressionHandler(expressionHandler);
WebExpressionAuthorizationManager admin = new WebExpressionAuthorizationManager(
"@permission.check(authentication,'admin')");
admin.setExpressionHandler(expressionHandler);
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/user").hasRole("USER")
.requestMatchers("/allow").access("@permission.check(authentication,'user')")
.anyRequest().access("@permission.check(authentication,'admin')"));
.requestMatchers("/allow").access(user)
.anyRequest().access(admin));
return http.build();
// @formatter:on
}
@ -1062,14 +1029,17 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
WebExpressionAuthorizationManager user = new WebExpressionAuthorizationManager("check('user')");
user.setExpressionHandler(expressionHandler());
WebExpressionAuthorizationManager admin = new WebExpressionAuthorizationManager("check('admin')");
admin.setExpressionHandler(expressionHandler());
// @formatter:off
http
.authorizeRequests((requests) -> requests
.expressionHandler(expressionHandler())
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/user").hasRole("USER")
.requestMatchers("/allow").access("check('user')")
.anyRequest().access("check('admin')"));
.requestMatchers("/allow").access(user)
.anyRequest().access(admin));
return http.build();
// @formatter:on
}
@ -1079,24 +1049,24 @@ public class ExpressionUrlAuthorizationConfigurerTests {
return new CustomExpressionHandler();
}
static class CustomExpressionHandler extends DefaultWebSecurityExpressionHandler {
static class CustomExpressionHandler extends DefaultHttpSecurityExpressionHandler {
@Override
protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
FilterInvocation fi) {
WebSecurityExpressionRoot root = new CustomExpressionRoot(authentication, fi);
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(new AuthenticationTrustResolverImpl());
root.setRoleHierarchy(getRoleHierarchy());
return root;
public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication,
RequestAuthorizationContext context) {
StandardEvaluationContext ctx = (StandardEvaluationContext) super.createEvaluationContext(
authentication, context);
WebSecurityExpressionRoot delegate = (WebSecurityExpressionRoot) ctx.getRootObject().getValue();
ctx.setRootObject(new CustomExpressionRoot(delegate));
return ctx;
}
}
static class CustomExpressionRoot extends WebSecurityExpressionRoot {
CustomExpressionRoot(Authentication a, FilterInvocation fi) {
super(a, fi);
CustomExpressionRoot(WebSecurityExpressionRoot root) {
super(root::getAuthentication, root.request);
}
public boolean check(String customArg) {
@ -1108,48 +1078,20 @@ public class ExpressionUrlAuthorizationConfigurerTests {
}
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
static class Sec3011Config {
static ObjectPostProcessor<Object> objectPostProcessor = spy(ReflectingObjectPostProcessor.class);
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().authenticated());
// @formatter:on
return http.build();
}
@Bean
UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
}
@Bean
static ObjectPostProcessor<Object> objectPostProcessor() {
return objectPostProcessor;
}
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class PermissionEvaluatorConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, PermissionEvaluatorAuthorizations authz) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/allow").access(authz.hasPermission("TESTOBJ", "PERMISSION"))
.requestMatchers("/allowObject").access(authz.hasPermission("TESTOBJ", "PERMISSION"))
.requestMatchers("/deny").access(authz.hasPermission("ID", "TYPE", "NO PERMISSION"))
.requestMatchers("/denyObject").access(authz.hasPermission("TESTOBJ", "NO PERMISSION"))
.anyRequest().permitAll());
return http.build();
// @formatter:on
@ -1172,6 +1114,29 @@ public class ExpressionUrlAuthorizationConfigurerTests {
};
}
@Component
static class PermissionEvaluatorAuthorizations {
private final PermissionEvaluator permissions;
PermissionEvaluatorAuthorizations(PermissionEvaluator permissions) {
this.permissions = permissions;
}
AuthorizationManager<RequestAuthorizationContext> hasPermission(Object targetDomainObject,
Object permission) {
return (auth, request) -> new AuthorizationDecision(
this.permissions.hasPermission(auth.get(), targetDomainObject, permission));
}
AuthorizationManager<RequestAuthorizationContext> hasPermission(Serializable targetId, String targetType,
Object permission) {
return (auth, request) -> new AuthorizationDecision(
this.permissions.hasPermission(auth.get(), targetId, targetType, permission));
}
}
}
@Configuration
@ -1183,9 +1148,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/allow").access("hasRole('MEMBER')")
.requestMatchers("/deny").access("hasRole('ADMIN')")
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/allow").hasRole("MEMBER")
.requestMatchers("/deny").hasRole("ADMIN")
.anyRequest().permitAll());
return http.build();
// @formatter:on


@ -430,7 +430,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.loginPage("/login"));
@ -453,7 +453,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.formLogin(withDefaults());
@ -476,7 +476,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.permitAll());
@ -494,7 +494,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.loginPage("/authenticate")
@ -515,7 +515,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.formLogin((formLogin) -> formLogin
@ -537,7 +537,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin((login) -> login
.loginProcessingUrl("/loginCheck")
@ -569,7 +569,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin((formLogin) -> formLogin
@ -604,7 +604,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.permitAll())
@ -630,7 +630,7 @@ public class FormLoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.failureHandler(FAILURE_HANDLER)
@ -673,7 +673,7 @@ public class FormLoginConfigurerTests {
http
.csrf((csrf) -> csrf
.disable())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin((login) -> login
.failureForwardUrl("/failure_forward_url")


@ -250,7 +250,7 @@ public class HttpBasicConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.httpBasic(withDefaults());
@ -273,7 +273,7 @@ public class HttpBasicConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic(withDefaults());
// @formatter:on
@ -297,7 +297,7 @@ public class HttpBasicConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic((basic) -> basic
.authenticationEntryPoint(ENTRY_POINT));
@ -322,7 +322,7 @@ public class HttpBasicConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic((basic) -> basic
.authenticationEntryPoint(ENTRY_POINT))


@ -167,7 +167,7 @@ public class HttpSecurityRequestMatchersTests {
.requestMatchers(builder.matcher("/test-2"))
.requestMatchers(builder.matcher("/test-3"))
)
.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().denyAll())
.httpBasic(withDefaults());
// @formatter:on
return http.build();
@ -180,7 +180,7 @@ public class HttpSecurityRequestMatchersTests {
.securityMatchers((requests) -> requests
.requestMatchers(builder.matcher("/test-1"))
)
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().permitAll()
);
// @formatter:on
@ -213,7 +213,7 @@ public class HttpSecurityRequestMatchersTests {
.requestMatchers(builder.matcher("/test-1"))
.requestMatchers(builder.matcher("/test-2"))
.requestMatchers(builder.matcher("/test-3")))
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.httpBasic(withDefaults());
// @formatter:on
@ -226,7 +226,7 @@ public class HttpSecurityRequestMatchersTests {
http
.securityMatchers((security) -> security
.requestMatchers(builder.matcher("/test-1")))
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll());
// @formatter:on
return http.build();
@ -255,7 +255,7 @@ public class HttpSecurityRequestMatchersTests {
http
.securityMatcher(builder.matcher("/path"))
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -290,7 +290,7 @@ public class HttpSecurityRequestMatchersTests {
.securityMatchers((security) -> security
.requestMatchers(builder.matcher("/path")))
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -326,7 +326,7 @@ public class HttpSecurityRequestMatchersTests {
.requestMatchers(builder.matcher("/path"))
)
.httpBasic(withDefaults())
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
);
return http.build();
@ -358,7 +358,7 @@ public class HttpSecurityRequestMatchersTests {
.requestMatchers(builder.basePath("/spring").matcher("/path"))
.requestMatchers("/never-match"))
.httpBasic(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
// @formatter:on
return http.build();
@ -395,7 +395,7 @@ public class HttpSecurityRequestMatchersTests {
.requestMatchers("/never-match")
)
.httpBasic(withDefaults())
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
);
return http.build();


@ -209,7 +209,7 @@ public class JeeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.jee((jee) -> jee
@ -229,7 +229,7 @@ public class JeeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.jee((jee) -> jee
@ -252,7 +252,7 @@ public class JeeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.jee((jee) -> jee


@ -99,7 +99,7 @@ public class NamespaceHttpAnonymousTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/type").anonymous()
.anyRequest().denyAll());
return http.build();
@ -116,8 +116,7 @@ public class NamespaceHttpAnonymousTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().permitAll())
.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous())
.anonymous((anonymous) -> anonymous.disable());
// @formatter:on
return http.build();
@ -139,7 +138,7 @@ public class NamespaceHttpAnonymousTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/type").hasRole("ANON")
.anyRequest().denyAll())
.anonymous((anonymous) -> anonymous
@ -159,7 +158,7 @@ public class NamespaceHttpAnonymousTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/key").anonymous()
.anyRequest().denyAll())
.anonymous((anonymous) -> anonymous.key("AnonymousKeyConfig"));
@ -178,7 +177,7 @@ public class NamespaceHttpAnonymousTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/principal").anonymous()
.anyRequest().denyAll())
.anonymous((anonymous) -> anonymous.principal("AnonymousUsernameConfig"));
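Review bot: The second config in this file, the one ending in `.anonymous((anonymous) -> anonymous.disable())`, is not a plain rename: its rule changes from `.anyRequest().permitAll()` to `.anyRequest().anonymous()`, and nothing in the code records why. Presumably `permitAll()` under `authorizeHttpRequests` grants without consulting the `Authentication`, so the request would be allowed even with anonymous authentication disabled and the test would no longer observe a denial; that should be confirmed and written down. I would add a comment above the rule, for example `// anonymous() rather than permitAll(): the rule must consult the Authentication so that disabling anonymous auth is observable`. Applications that pair `permitAll()` with `anonymous.disable()` would see the same difference when they migrate, so it may deserve a line in the migration notes. The enclosing class and the test that uses this config are outside the visible hunks.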


@ -183,7 +183,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.httpBasic(withDefaults());
return http.build();
@ -200,7 +200,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.httpBasic(withDefaults());
@ -218,7 +218,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.httpBasic((basic) -> basic.realmName("Custom Realm"));
return http.build();
@ -235,7 +235,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.httpBasic((httpBasicConfig) -> httpBasicConfig.realmName("Custom Realm"));
@ -302,7 +302,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.httpBasic((basic) -> basic
.authenticationEntryPoint(this.authenticationEntryPoint));
@ -322,7 +322,7 @@ public class NamespaceHttpBasicTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.httpBasic((httpBasicConfig) -> httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint));


@ -182,7 +182,7 @@ public class NamespaceHttpCustomFilterTests {
// @formatter:off
TestHttpSecurities.disableDefaults(http);
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();


@ -37,7 +37,8 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
@ -94,18 +95,29 @@ public class NamespaceHttpExpressionHandlerTests {
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setExpressionParser(expressionParser());
SecurityFilterChain filterChain(HttpSecurity http, WebExpressionAuthorizationManager.Builder authz)
throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.expressionHandler(handler)
.anyRequest().access("hasRole('USER')"));
.authorizeHttpRequests((requests) -> requests
.anyRequest().access(authz.expression("hasRole('USER')"))
);
// @formatter:on
return http.build();
}
@Bean
WebExpressionAuthorizationManager.Builder expressions(DefaultHttpSecurityExpressionHandler expressionHandler) {
return WebExpressionAuthorizationManager.withExpressionHandler(expressionHandler);
}
@Bean
DefaultHttpSecurityExpressionHandler expressionHandler(ExpressionParser expressionParser) {
DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
expressionHandler.setExpressionParser(expressionParser);
return expressionHandler;
}
@Bean
ExpressionParser expressionParser() {
return spy(new SpelExpressionParser());
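Review bot: The custom expression handler now applies only to rules built through the injected `authz` builder in `filterChain`; as far as this section shows, a rule created from a directly constructed `WebExpressionAuthorizationManager` would not pick up the spied parser. The removed code made that coupling explicit with `.expressionHandler(handler)` on the registry, so a short comment above the `expressions` bean would help, for example `// build every access(...) expression through this builder so the custom ExpressionParser is applied`. The string passed to `authz.expression(...)` is parsed as SpEL, so it should stay a constant as it is here. The test methods that verify the spy are outside the visible hunks.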


@ -125,7 +125,7 @@ public class NamespaceHttpFormLoginTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults());
return http.build();
@ -143,7 +143,7 @@ public class NamespaceHttpFormLoginTests {
boolean alwaysUseDefaultSuccess = true;
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.usernameParameter("username") // form-login@username-parameter
@ -168,7 +168,7 @@ public class NamespaceHttpFormLoginTests {
successHandler.setDefaultTargetUrl("/custom/targetUrl");
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin((login) -> login
.loginPage("/login")


@ -118,7 +118,7 @@ public class NamespaceHttpInterceptUrlTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests.requestMatchers(
.authorizeHttpRequests((requests) -> requests.requestMatchers(
// the line below is similar to intercept-url@pattern:
// <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
//" access="hasRole('ROLE_ADMIN')"/>


@ -104,7 +104,7 @@ public class NamespaceHttpJeeTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("user"))
.jee((jee) -> jee
.mappableRoles("user", "admin"));
@ -125,7 +125,7 @@ public class NamespaceHttpJeeTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("user"))
.jee((jee) -> jee
.mappableAuthorities("ROLE_user", "ROLE_admin")


@ -70,7 +70,7 @@ public class NamespaceHttpPortMappingsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.portMapper((mapper) -> mapper
.http(9080).mapsTo(9443))


@ -88,7 +88,7 @@ public class NamespaceHttpRequestCacheTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.requestCache((cache) -> cache
.requestCache(requestCache()));
@ -116,7 +116,7 @@ public class NamespaceHttpRequestCacheTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated());
// @formatter:on
return http.build();


@ -112,7 +112,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.exceptionHandling((handling) -> handling
.accessDeniedPage("/AccessDeniedPageConfig"));
@ -130,7 +130,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
)
.exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig")
@ -149,7 +149,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.exceptionHandling((handling) -> handling
.accessDeniedHandler(accessDeniedHandler()));
@ -174,7 +174,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
)
.exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedHandler(accessDeniedHandler())


@ -154,7 +154,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509(withDefaults());
// @formatter:on
@ -182,7 +182,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509((x509) -> x509
.authenticationDetailsSource(authenticationDetailsSource()));
@ -216,7 +216,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509((x509) -> x509
.subjectPrincipalRegex("CN=(.*?)@example.com(?:,|$)"));
@ -245,7 +245,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509((x509) -> x509
.x509PrincipalExtractor(this::extractCommonName));
@ -279,7 +279,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509((x509) -> x509
.userDetailsService((username) -> USER));
@ -308,7 +308,7 @@ public class NamespaceHttpX509Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.x509((x509) -> x509
.authenticationUserDetailsService((authentication) -> USER));


@ -287,7 +287,7 @@ public class NamespaceRememberMeTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe(withDefaults());
@ -362,7 +362,7 @@ public class NamespaceRememberMeTests {
SecurityFilterChain keyFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults())
.rememberMe((me) -> me
@ -402,7 +402,7 @@ public class NamespaceRememberMeTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults())
.rememberMe((me) -> me


@ -288,7 +288,7 @@ public class NamespaceSessionManagementTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic(withDefaults())
.sessionManagement((management) -> management


@ -84,14 +84,6 @@ public class PermitAllSupportTests {
"permitAll only works with either HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()");
}
@Test
public void configureWhenBothAuthorizeRequestsAndAuthorizeHttpRequestsThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(PermitAllConfigWithBothConfigs.class).autowire())
.withMessageContaining(
"permitAll only works with either HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()");
}
@Configuration
@EnableWebSecurity
static class PermitAllConfig {
@ -100,7 +92,7 @@ public class PermitAllSupportTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin((login) -> login
.loginPage("/xyz").permitAll()
@ -130,27 +122,6 @@ public class PermitAllSupportTests {
}
@Configuration
@EnableWebSecurity
static class PermitAllConfigWithBothConfigs {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated())
.formLogin((login) -> login
.loginPage("/xyz").permitAll()
.loginProcessingUrl("/abc?def").permitAll());
return http.build();
// @formatter:on
}
}
@Configuration
@EnableWebSecurity
static class NoAuthorizedUrlsConfig {
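Review bot: The assertion kept as context at the top of the first hunk still expects the message `permitAll only works with either HttpSecurity.authorizeRequests() or HttpSecurity.authorizeHttpRequests()`, while this section deletes `PermitAllConfigWithBothConfigs` and the test that registered both DSLs. If `authorizeRequests()` is no longer supported after this change, that production message is presumably stale and should name only `authorizeHttpRequests()`. If it is still callable, the mixed-configuration case has lost the only test visible here. The test that owns the retained assertion starts outside the hunk.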


@ -365,7 +365,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe(withDefaults());
@ -485,7 +485,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe(withDefaults());
@ -508,7 +508,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.formLogin(withDefaults())
@ -532,7 +532,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe((me) -> me
@ -556,7 +556,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.formLogin(withDefaults())
@ -584,7 +584,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe((me) -> me
@ -614,7 +614,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().hasRole("USER"))
.formLogin(withDefaults())
.rememberMe((me) -> me
@ -633,7 +633,7 @@ public class RememberMeConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().hasRole("USER")
)
.sessionManagement((sessionManagement) -> sessionManagement


@ -392,7 +392,7 @@ public class RequestCacheConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults());
return http.build();
@ -428,7 +428,7 @@ public class RequestCacheConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults())
@ -447,7 +447,7 @@ public class RequestCacheConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults())
@ -466,7 +466,7 @@ public class RequestCacheConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(withDefaults())


@ -82,7 +82,7 @@ public class RequestMatcherConfigurerTests {
.requestMatchers(pathPattern("/api/**")))
.securityMatchers((security) -> security
.requestMatchers(pathPattern("/oauth/**")))
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll());
return http.build();
// @formatter:on
@ -104,7 +104,7 @@ public class RequestMatcherConfigurerTests {
.securityMatchers((securityMatchers) -> securityMatchers
.requestMatchers(pathPattern("/oauth/**"))
)
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().denyAll()
);
return http.build();


@ -204,7 +204,7 @@ public class SecurityContextConfigurerTests {
.addFilter(new WebAsyncManagerIntegrationFilter())
.anonymous(withDefaults())
.securityContext(withDefaults())
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().permitAll())
.httpBasic(withDefaults());
// @formatter:on


@ -285,7 +285,7 @@ public class ServletApiConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.exceptionHandling((handling) -> handling
.authenticationEntryPoint(ENTRYPOINT))


@ -16,31 +16,23 @@
package org.springframework.security.config.annotation.web.configurers;
import java.util.List;
import jakarta.servlet.Filter;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -97,7 +89,7 @@ public class UrlAuthorizationsTests {
@WithMockUser(roles = "ADMIN")
public void hasAnyRoleWhenRolesSpecifiedThenMatchesRole() throws Exception {
this.spring.register(RoleConfig.class).autowire();
this.mvc.perform(get("/role-admin-user")).andExpect(status().isNotFound());
this.mvc.perform(get("/role-admin-user")).andExpect(status().isForbidden());
this.mvc.perform(get("/role-user")).andExpect(status().isForbidden());
}
@ -113,25 +105,6 @@ public class UrlAuthorizationsTests {
// @formatter:on
}
@Test
public void configureWhenNoAccessDecisionManagerThenDefaultsToAffirmativeBased() {
this.spring.register(NoSpecificAccessDecisionManagerConfig.class).autowire();
FilterSecurityInterceptor interceptor = getFilter(FilterSecurityInterceptor.class);
assertThat(interceptor).isNotNull();
assertThat(interceptor).extracting("accessDecisionManager").isInstanceOf(AffirmativeBased.class);
}
private <T extends Filter> T getFilter(Class<T> filterType) {
FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
List<Filter> filters = proxy.getFilters("/");
for (Filter filter : filters) {
if (filterType.isAssignableFrom(filter.getClass())) {
return (T) filter;
}
}
return null;
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
@ -141,7 +114,7 @@ public class UrlAuthorizationsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
@ -154,24 +127,4 @@ public class UrlAuthorizationsTests {
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class NoSpecificAccessDecisionManagerConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
UrlAuthorizationConfigurer<HttpSecurity>.StandardInterceptUrlRegistry registry = http
.apply(new UrlAuthorizationConfigurer(context))
.getRegistry();
// @formatter:off
registry
.requestMatchers("/a").hasRole("ADMIN")
.anyRequest().hasRole("USER");
return http.build();
// @formatter:on
}
}
}
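Review bot: In `hasAnyRoleWhenRolesSpecifiedThenMatchesRole` the expectation for `/role-admin-user` appears to change from `isNotFound()` to `isForbidden()`, so a user with role ADMIN is now denied on both requests and the test no longer demonstrates a rule that matches. None of the matchers visible in `RoleConfig` uses that path and the rest of the config is outside the hunk, so this looks like the request falling through to the default decision for unmatched requests rather than reaching a role check. If the config registers the path under a different spelling, request that path and keep `andExpect(status().isNotFound())` so the positive case stays covered. A closing `.anyRequest().denyAll()` in `RoleConfig` would also make the fall-through explicit.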


@ -354,7 +354,7 @@ public class OAuth2ClientConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.requestCache((cache) -> cache
.requestCache(requestCache))
@ -399,7 +399,7 @@ public class OAuth2ClientConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.oauth2Client(withDefaults());


@ -900,7 +900,7 @@ public class OAuth2LoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.securityContext((context) -> context
.securityContextRepository(securityContextRepository()))
@ -1353,7 +1353,7 @@ public class OAuth2LoginConfigurerTests {
SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.securityContext((context) -> context
.securityContextRepository(securityContextRepository()))


@ -1581,8 +1581,8 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -1601,8 +1601,8 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -1628,8 +1628,8 @@ public class OAuth2ResourceServerConfigurerTests {
DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
defaultBearerTokenResolver.setAllowUriQueryParameter(true);
http
.authorizeRequests((requests) -> requests
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.bearerTokenResolver(defaultBearerTokenResolver)
@ -1652,8 +1652,8 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -1679,8 +1679,8 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated())
.csrf((csrf) -> csrf.disable())
.oauth2ResourceServer((server) -> server
@ -1699,7 +1699,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.anonymous((anonymous) -> anonymous.disable())
.oauth2ResourceServer((server) -> server
@ -1719,7 +1719,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -1737,7 +1737,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer(withDefaults());
return http.build();
@ -1754,7 +1754,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.authenticationEntryPoint(authenticationEntryPoint())
@ -1779,7 +1779,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.oauth2ResourceServer((server) -> server
.accessDeniedHandler(accessDeniedHandler())
@ -1804,7 +1804,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().denyAll())
.exceptionHandling((handling) -> handling
.defaultAccessDeniedHandlerFor(new AccessDeniedHandlerImpl(), (request) -> false))
@ -1839,7 +1839,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt((jwt) -> jwt
@ -1863,8 +1863,8 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')"))
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("message:read"))
.oauth2ResourceServer((server) -> server
.jwt((jwt) -> jwt
.jwtAuthenticationConverter(getJwtAuthenticationConverter())));
@ -1889,7 +1889,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.httpBasic(withDefaults())
.oauth2ResourceServer((server) -> server
@ -1920,7 +1920,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin(withDefaults())
.oauth2ResourceServer((server) -> server
@ -1939,7 +1939,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.oauth2Login(withDefaults())
@ -1964,7 +1964,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2000,7 +2000,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.bearerTokenResolver(allowRequestBody())
@ -2025,7 +2025,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2050,7 +2050,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2085,7 +2085,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -2117,7 +2117,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt((jwt) -> jwt.decoder(decoder())));
@ -2141,7 +2141,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -2167,7 +2167,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2190,7 +2190,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt((jwt) -> jwt
@ -2219,7 +2219,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authenticationManager(this.defaultAuthenticationManager)
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -2328,7 +2328,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2353,7 +2353,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2382,7 +2382,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
@ -2402,7 +2402,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
)
@ -2423,7 +2423,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.opaqueToken((opaqueToken) -> opaqueToken
@ -2447,7 +2447,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -2479,7 +2479,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authenticationManager(this.defaultAuthenticationManager)
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2
@ -2526,7 +2526,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.opaqueToken((opaqueToken) -> opaqueToken
@ -2545,7 +2545,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.jwt(Customizer.withDefaults()));
@ -2605,7 +2605,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server
.authenticationManagerResolver(mock(AuthenticationManagerResolver.class))
@ -2625,7 +2625,7 @@ public class OAuth2ResourceServerConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated())
.oauth2ResourceServer((server) -> server


@ -520,7 +520,7 @@ public class Saml2LoginConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2.failureHandler(authenticationFailureHandler));
return http.build();
}
@ -536,7 +536,7 @@ public class Saml2LoginConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.saml2Login(Customizer.withDefaults());
@ -574,7 +574,7 @@ public class Saml2LoginConfigurerTests {
throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().authenticated()
)
.saml2Login((saml2) -> saml2
@ -612,7 +612,7 @@ public class Saml2LoginConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2.authenticationConverter(authenticationConverter));
return http.build();
}
@ -651,7 +651,7 @@ public class Saml2LoginConfigurerTests {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((authz) -> authz.anyRequest().authenticated());
http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated());
http.saml2Login(withDefaults());
return http.build();
}
@ -672,7 +672,7 @@ public class Saml2LoginConfigurerTests {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz.anyRequest().authenticated())
.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2.loginProcessingUrl("/my/custom/url"));
// @formatter:on
return http.build();
@ -697,7 +697,7 @@ public class Saml2LoginConfigurerTests {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz.anyRequest().authenticated())
.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2.authenticationRequestUri("/custom/auth/{registrationId}"));
// @formatter:on
return http.build();
@ -731,7 +731,7 @@ public class Saml2LoginConfigurerTests {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz.anyRequest().authenticated())
.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2
.loginProcessingUrl("/my/custom/url")
.authenticationConverter(AUTHENTICATION_CONVERTER)
@ -754,7 +754,7 @@ public class Saml2LoginConfigurerTests {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz.anyRequest().authenticated())
.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
.saml2Login((saml2) -> saml2.loginProcessingUrl("/my/custom/url"));
// @formatter:on
return http.build();


@ -562,7 +562,7 @@ public class Saml2LogoutConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.logout((logout) -> logout.addLogoutHandler(this.mockLogoutHandler))
.saml2Login(withDefaults())
.saml2Logout(withDefaults());
@ -588,7 +588,7 @@ public class Saml2LogoutConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.logout((logout) -> logout.logoutSuccessHandler(this.mockLogoutSuccessHandler))
.saml2Login(withDefaults())
.saml2Logout(withDefaults())
@ -615,7 +615,7 @@ public class Saml2LogoutConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.logout((logout) -> logout.addLogoutHandler(this.mockLogoutHandler))
.saml2Login(withDefaults())
.saml2Logout((saml2) -> saml2.addObjectPostProcessor(new ObjectPostProcessor<LogoutFilter>() {
@ -647,7 +647,7 @@ public class Saml2LogoutConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.saml2Login(withDefaults())
.saml2Logout(withDefaults());
return http.build();
@ -680,7 +680,7 @@ public class Saml2LogoutConfigurerTests {
SecurityFilterChain web(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.saml2Login(withDefaults())
.saml2Logout((logout) -> logout
.logoutRequest((request) -> request


@ -165,8 +165,7 @@ public class GrantedAuthorityDefaultsJcTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.anyRequest().access("hasRole('USER')"));
.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"));
return http.build();
// @formatter:on
}
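Review bot: The new rule `.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("USER"))` is more than a rename. The earlier form passed the SpEL string `hasRole('USER')` through `access(...)`, while this one calls `hasRole("USER")` directly, so the test no longer goes through expression evaluation. Given the class name, the test presumably exists to pin how a customised role prefix is applied, and after this change it pins that only for the direct method. A one-line comment above the chain would record the intent, for example `// hasRole(...) must honour the configured GrantedAuthorityDefaults role prefix`. The body of filterChain starts outside the hunk.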


@ -44,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
context.getAutowireCapableBeanFactory().autowireBean(this);
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers(pathPattern(this.permitAllPattern)).permitAll()
.anyRequest().authenticated());
// @formatter:on


@ -145,7 +145,7 @@ class AnonymousDslTests {
anonymous {
authorities = listOf(SimpleGrantedAuthority("TEST"))
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, hasAuthority("TEST"))
}
}


@ -57,8 +57,6 @@ import org.springframework.web.bind.annotation.PathVariable
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RestController
import org.springframework.web.servlet.config.annotation.EnableWebMvc
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
import org.springframework.web.util.WebUtils
import java.util.function.Supplier
@ -611,34 +609,6 @@ class AuthorizeHttpRequestsDslTests {
}
}
@Test
fun `request when both authorizeRequests and authorizeHttpRequests configured then exception`() {
assertThatThrownBy { this.spring.register(BothAuthorizeRequestsConfig::class.java).autowire() }
.isInstanceOf(UnsatisfiedDependencyException::class.java)
.hasRootCauseInstanceOf(IllegalStateException::class.java)
.hasMessageContaining(
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one."
)
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
open class BothAuthorizeRequestsConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, permitAll)
}
authorizeHttpRequests {
authorize(anyRequest, denyAll)
}
}
return http.build()
}
}
@Test
fun `request when shouldFilterAllDispatcherTypes and denyAll and ERROR then responds with forbidden`() {
this.spring.register(ShouldFilterAllDispatcherTypesTrueDenyAllConfig::class.java).autowire()


@ -67,7 +67,7 @@ class ExceptionHandlingDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
exceptionHandling { }
@ -91,7 +91,7 @@ class ExceptionHandlingDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
exceptionHandling {
@ -121,7 +121,7 @@ class ExceptionHandlingDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/admin", hasAuthority("ROLE_ADMIN"))
authorize(anyRequest, authenticated)
}
@ -154,7 +154,7 @@ class ExceptionHandlingDslTests {
val customAccessDeniedHandler = AccessDeniedHandlerImpl()
customAccessDeniedHandler.setErrorPage("/access-denied")
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/admin", hasAuthority("ROLE_ADMIN"))
authorize(anyRequest, authenticated)
}
@ -197,7 +197,7 @@ class ExceptionHandlingDslTests {
customAccessDeniedHandler2.setErrorPage("/access-denied2")
val builder = PathPatternRequestMatcher.withDefaults()
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/admin1", hasAuthority("ROLE_ADMIN"))
authorize("/admin2", hasAuthority("ROLE_ADMIN"))
authorize(anyRequest, authenticated)
@ -229,7 +229,7 @@ class ExceptionHandlingDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
exceptionHandling {
@ -267,7 +267,7 @@ class ExceptionHandlingDslTests {
val customAuthenticationEntryPoint2 = LoginUrlAuthenticationEntryPoint("/custom-login2")
val builder = PathPatternRequestMatcher.withDefaults();
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
exceptionHandling {


@ -156,7 +156,7 @@ class FormLoginDslTests {
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
formLogin {}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -184,7 +184,7 @@ class FormLoginDslTests {
formLogin {
loginPage = "/log-in"
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -356,7 +356,7 @@ class FormLoginDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
formLogin {


@ -94,7 +94,7 @@ class HttpBasicDslTests {
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
httpBasic {}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -121,7 +121,7 @@ class HttpBasicDslTests {
httpBasic {
realmName = "Custom Realm"
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -154,7 +154,7 @@ class HttpBasicDslTests {
httpBasic {
authenticationEntryPoint = ENTRY_POINT
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -193,7 +193,7 @@ class HttpBasicDslTests {
httpBasic {
authenticationDetailsSource = AUTHENTICATION_DETAILS_SOURCE
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}


@ -168,7 +168,7 @@ class HttpSecurityDslTests {
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
securityMatcher(RegexRequestMatcher("/path", null))
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -227,7 +227,7 @@ class HttpSecurityDslTests {
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
securityMatcher("/path")
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -284,7 +284,7 @@ class HttpSecurityDslTests {
http {
securityMatcher("/path1")
securityMatcher(RegexRequestMatcher("/path2", null))
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -337,7 +337,7 @@ class HttpSecurityDslTests {
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authenticationManager = AuthenticationManagerConfig.AUTHENTICATION_MANAGER
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
httpBasic { }


@ -179,7 +179,7 @@ class LogoutDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
logout {


@ -142,7 +142,7 @@ class OAuth2ClientDslTests {
accessTokenResponseClient = CLIENT
}
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}


@ -91,7 +91,7 @@ class OAuth2ResourceServerDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -131,7 +131,7 @@ class OAuth2ResourceServerDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -187,7 +187,7 @@ class OAuth2ResourceServerDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, denyAll)
}
oauth2ResourceServer {
@ -229,7 +229,7 @@ class OAuth2ResourceServerDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -261,7 +261,7 @@ class OAuth2ResourceServerDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {


@ -16,11 +16,7 @@
package org.springframework.security.config.annotation.web
import io.mockk.every
import io.mockk.justRun
import io.mockk.mockk
import io.mockk.mockkObject
import io.mockk.verify
import io.mockk.*
import org.assertj.core.api.Assertions.assertThat
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.fail
@ -396,7 +392,7 @@ internal class RememberMeDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, hasRole("USER"))
}
formLogin {}
@ -412,7 +408,7 @@ internal class RememberMeDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, hasRole("USER"))
}
formLogin {}
@ -483,7 +479,7 @@ internal class RememberMeDslTests {
@Bean
open fun securityFilterChainWithKey(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
formLogin {}
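Review bot: The import hunk at the top of this file appears to swap five explicit imports (`io.mockk.every`, `justRun`, `mockk`, `mockkObject`, `verify`) for the wildcard `import io.mockk.*`, which is unrelated to the move to `authorizeHttpRequests` and looks like an IDE import optimisation. I would keep the explicit list, since a wildcard hides which mocking helpers the test depends on and adds noise to a commit that is otherwise a mechanical API switch. The same churn shows up in SessionManagementDslTests (`io.mockk.*`) and JwtDslTests (`org.springframework.security.authentication.*`). The `org.springframework.security.config.annotation.web.invoke` import is also merely reordered in UserInfoEndpointDslTests, JwtDslTests and OpaqueTokenDslTests.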


@ -16,11 +16,7 @@
package org.springframework.security.config.annotation.web
import io.mockk.every
import io.mockk.justRun
import io.mockk.mockk
import io.mockk.mockkObject
import io.mockk.verify
import io.mockk.*
import org.assertj.core.api.Assertions.assertThat
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.extension.ExtendWith
@ -137,7 +133,7 @@ class SessionManagementDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
sessionManagement {
@ -169,7 +165,7 @@ class SessionManagementDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
sessionManagement {
@ -196,7 +192,7 @@ class SessionManagementDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
sessionManagement {
@ -235,7 +231,7 @@ class SessionManagementDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
sessionManagement {


@ -99,7 +99,7 @@ class AuthorizationCodeGrantDslTests {
authorizationRequestRepository = REQUEST_REPOSITORY
}
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -133,7 +133,7 @@ class AuthorizationCodeGrantDslTests {
authorizationRedirectStrategy = REDIRECT_STRATEGY
}
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -187,7 +187,7 @@ class AuthorizationCodeGrantDslTests {
accessTokenResponseClient = CLIENT
}
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}
@ -226,7 +226,7 @@ class AuthorizationCodeGrantDslTests {
authorizationRequestResolver = requestResolver
}
}
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
}


@ -117,7 +117,7 @@ class RedirectionEndpointDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {


@ -107,7 +107,7 @@ class TokenEndpointDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {


@ -27,10 +27,10 @@ import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider
import org.springframework.security.config.test.SpringTestContext
import org.springframework.security.config.test.SpringTestContextExtension
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest
@ -114,7 +114,7 @@ class UserInfoEndpointDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {


@ -26,16 +26,12 @@ import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.convert.converter.Converter
import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.authentication.ProviderManager
import org.springframework.security.authentication.TestingAuthenticationProvider
import org.springframework.security.authentication.TestingAuthenticationToken
import org.springframework.security.authentication.*
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.config.test.SpringTestContext
import org.springframework.security.config.test.SpringTestContextExtension
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.core.Authentication
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames
import org.springframework.security.oauth2.jwt.Jwt
@ -145,7 +141,7 @@ class JwtDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -196,7 +192,7 @@ class JwtDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -245,7 +241,7 @@ class JwtDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {


@ -34,9 +34,9 @@ import org.springframework.security.authentication.ProviderManager
import org.springframework.security.authentication.TestingAuthenticationProvider
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.config.test.SpringTestContext
import org.springframework.security.config.test.SpringTestContextExtension
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.core.Authentication
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal
import org.springframework.security.oauth2.core.TestOAuth2AccessTokens
@ -113,7 +113,7 @@ class OpaqueTokenDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -159,7 +159,7 @@ class OpaqueTokenDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -198,7 +198,7 @@ class OpaqueTokenDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -242,7 +242,7 @@ class OpaqueTokenDslTests {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {


@ -669,7 +669,7 @@ open class WebSecurityConfig {
sameOrigin = true
}
}
authorizeRequests {
authorizeHttpRequests {
// ...
}
// ...


@ -193,7 +193,7 @@ class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {


@ -351,7 +351,7 @@ class OAuth2LoginSecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
@ -422,7 +422,7 @@ class OAuth2LoginConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
@ -518,7 +518,7 @@ open class OAuth2LoginConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }


@ -173,7 +173,7 @@ fun oidcLogoutHandler(): OidcBackChannelLogoutHandler {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }


@ -189,7 +189,7 @@ Kotlin::
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -246,7 +246,7 @@ class MyCustomSecurityConfiguration {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/messages/**", hasScope("message:read"))
authorize(anyRequest, authenticated)
}
@ -378,7 +378,7 @@ class DirectlyConfiguredJwkSetUri {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -448,7 +448,7 @@ class DirectlyConfiguredJwtDecoder {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -900,7 +900,7 @@ class DirectlyConfiguredJwkSetUri {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/contacts/**", hasScope("contacts"))
authorize("/messages/**", hasScope("messages"))
authorize(anyRequest, authenticated)
@ -1138,7 +1138,7 @@ class CustomAuthenticationConverterConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {


@ -71,7 +71,7 @@ Kotlin::
[source,kotlin,role="secondary"]
----
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -133,7 +133,7 @@ Kotlin::
val customAuthenticationManagerResolver = JwtIssuerAuthenticationManagerResolver
.fromTrustedIssuers("https://idp.example.org/issuerOne", "https://idp.example.org/issuerTwo")
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -213,7 +213,7 @@ private fun addManager(authenticationManagers: MutableMap<String, Authentication
val customAuthenticationManagerResolver: JwtIssuerAuthenticationManagerResolver =
JwtIssuerAuthenticationManagerResolver(authenticationManagers::get)
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {


@ -218,7 +218,7 @@ Kotlin::
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -275,7 +275,7 @@ class MyCustomSecurityConfiguration {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/messages/**", hasScope("SCOPE_message:read"))
authorize(anyRequest, authenticated)
}
@ -424,7 +424,7 @@ class DirectlyConfiguredIntrospectionUri {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -495,7 +495,7 @@ class DirectlyConfiguredIntrospector {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2ResourceServer {
@ -589,7 +589,7 @@ class MappedAuthorities {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/contacts/**", hasScope("contacts"))
authorize("/messages/**", hasScope("messages"))
authorize(anyRequest, authenticated)


@ -179,7 +179,7 @@ open class SecurityConfig {
})
)
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
saml2Login {
@ -300,7 +300,7 @@ open class SecurityConfig {
val authenticationProvider = OpenSaml5AuthenticationProvider()
authenticationProvider.setResponseAuthenticationConverter(this.authenticationConverter)
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
saml2Login {
@ -443,7 +443,7 @@ open class SecurityConfig {
MySaml2Authentication(userDetails, authentication) <3>
}
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
saml2Login {
@ -803,7 +803,7 @@ open class SecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
val customAuthenticationManager: AuthenticationManager = MySaml2AuthenticationManager(...)
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
saml2Login {


@ -357,7 +357,7 @@ Kotlin::
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
saml2Login { }
@ -404,7 +404,7 @@ class MyCustomSecurityConfiguration {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/messages/**", hasAuthority("ROLE_USER"))
authorize(anyRequest, authenticated)
}
@ -571,7 +571,7 @@ class MyCustomSecurityConfiguration {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorizeHttpRequests {
authorize("/messages/**", hasAuthority("ROLE_USER"))
authorize(anyRequest, authenticated)
}


@ -133,7 +133,7 @@ public class Sec2935Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.httpBasic(withDefaults());


@ -181,7 +181,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2ClientTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authz) -> authz
.authorizeHttpRequests((authz) -> authz
.anyRequest().permitAll()
)
.oauth2Client(withDefaults());


@ -158,7 +158,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2LoginTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((authorize) -> authorize
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
.anyRequest().hasAuthority("SCOPE_read")
).oauth2Login(withDefaults());


@ -156,7 +156,7 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
.anyRequest().hasAuthority("SCOPE_read"))
.oauth2Login(withDefaults());


@ -130,7 +130,7 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
.anyRequest().hasAuthority("SCOPE_read"))
.oauth2ResourceServer((server) -> server


@ -99,7 +99,7 @@ public class Gh3409Tests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated())
.formLogin(withDefaults())


@ -99,7 +99,7 @@ public class CustomConfigAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.securityContext((context) -> context
.securityContextRepository(securityContextRepository()))


@ -90,7 +90,7 @@ public class CustomLoginRequestBuilderAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated())
.formLogin((login) -> login
.usernameParameter("user")


@ -98,7 +98,7 @@ public class DefaultfSecurityRequestsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.httpBasic(withDefaults());


@ -113,7 +113,7 @@ public class SecurityRequestsTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.formLogin(withDefaults());


@ -98,7 +98,7 @@ public class WithUserAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.formLogin(withDefaults());


@ -97,7 +97,7 @@ public class WithUserClassLevelAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.httpBasic(withDefaults());


@ -88,7 +88,7 @@ public class WithUserDetailsAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.formLogin(withDefaults());


@ -87,7 +87,7 @@ public class WithUserDetailsClassLevelAuthenticationTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests((requests) -> requests
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated())
.formLogin(withDefaults());