Remove deprecated RequestMatcher methods from Java Configuration
Closes gh-11939
This commit is contained in:
Marcus Da Coregio
parent
9fd195d419
commit
398f5dee7f
|
|
@ -89,90 +89,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
return configurer;
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
|
||||
* instances.
|
||||
* @param method the {@link HttpMethod} to use for any {@link HttpMethod}.
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public C antMatchers(HttpMethod method) {
|
||||
return antMatchers(method, "/**");
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
|
||||
* instances.
|
||||
* @param method the {@link HttpMethod} to use or {@code null} for any
|
||||
* {@link HttpMethod}.
|
||||
* @param antPatterns the ant patterns to create. If {@code null} or empty, then
|
||||
* matches on nothing.
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public C antMatchers(HttpMethod method, String... antPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
|
||||
return chainRequestMatchers(RequestMatchers.antMatchers(method, antPatterns));
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
|
||||
* instances that do not care which {@link HttpMethod} is used.
|
||||
* @param antPatterns the ant patterns to create
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public C antMatchers(String... antPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
|
||||
return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Maps an {@link MvcRequestMatcher} that does not care which {@link HttpMethod} is
|
||||
* used. This matcher will use the same rules that Spring MVC uses for matching. For
|
||||
* example, often times a mapping of the path "/path" will match on "/path", "/path/",
|
||||
* "/path.html", etc.
|
||||
* </p>
|
||||
* <p>
|
||||
* If the current request will not be processed by Spring MVC, a reasonable default
|
||||
* using the pattern as a ant pattern will be used.
|
||||
* </p>
|
||||
* @param mvcPatterns the patterns to match on. The rules for matching are defined by
|
||||
* Spring MVC
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}.
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public abstract C mvcMatchers(String... mvcPatterns);
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Maps an {@link MvcRequestMatcher} that also specifies a specific {@link HttpMethod}
|
||||
* to match on. This matcher will use the same rules that Spring MVC uses for
|
||||
* matching. For example, often times a mapping of the path "/path" will match on
|
||||
* "/path", "/path/", "/path.html", etc.
|
||||
* </p>
|
||||
* <p>
|
||||
* If the current request will not be processed by Spring MVC, a reasonable default
|
||||
* using the pattern as a ant pattern will be used.
|
||||
* </p>
|
||||
* @param method the HTTP method to match on
|
||||
* @param mvcPatterns the patterns to match on. The rules for matching are defined by
|
||||
* Spring MVC
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}.
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public abstract C mvcMatchers(HttpMethod method, String... mvcPatterns);
|
||||
|
||||
/**
|
||||
* Creates {@link MvcRequestMatcher} instances for the method and patterns passed in
|
||||
* @param method the HTTP method to use or null if any should be used
|
||||
|
|
@ -201,40 +117,6 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
|||
return matchers;
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.RegexRequestMatcher}
|
||||
* instances.
|
||||
* @param method the {@link HttpMethod} to use or {@code null} for any
|
||||
* {@link HttpMethod}.
|
||||
* @param regexPatterns the regular expressions to create
|
||||
* {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} from
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
* @deprecated use {@link #requestMatchers(RequestMatcher...)} with a
|
||||
* {@link RegexRequestMatcher} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public C regexMatchers(HttpMethod method, String... regexPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure regexMatchers after anyRequest");
|
||||
return chainRequestMatchers(RequestMatchers.regexMatchers(method, regexPatterns));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} instances
|
||||
* that do not specify an {@link HttpMethod}.
|
||||
* @param regexPatterns the regular expressions to create
|
||||
* {@link org.springframework.security.web.util.matcher.RegexRequestMatcher} from
|
||||
* @return the object that is chained after creating the {@link RequestMatcher}
|
||||
* @deprecated use {@link #requestMatchers(RequestMatcher...)} with a
|
||||
* {@link RegexRequestMatcher} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public C regexMatchers(String... regexPatterns) {
|
||||
Assert.state(!this.anyRequestConfigured, "Can't configure regexMatchers after anyRequest");
|
||||
return chainRequestMatchers(RequestMatchers.regexMatchers(regexPatterns));
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a {@link List} of
|
||||
* {@link org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher}
|
||||
|
|
|
|||
|
|
@ -32,7 +32,6 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
|||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.core.OrderComparator;
|
||||
import org.springframework.core.Ordered;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.config.Customizer;
|
||||
|
|
@ -89,7 +88,6 @@ import org.springframework.security.web.session.HttpSessionEventPublisher;
|
|||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.ClassUtils;
|
||||
|
|
@ -587,7 +585,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* .permitAll().and()
|
||||
* // Example portMapper() configuration
|
||||
* .portMapper().http(9090).mapsTo(9443).http(80).mapsTo(443);
|
||||
|
|
@ -688,7 +686,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
|
||||
* // Example jee() configuration
|
||||
* .jee().mappableRoles("USER", "ADMIN");
|
||||
* return http.build();
|
||||
|
|
@ -763,7 +761,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .jee((jee) ->
|
||||
* jee
|
||||
|
|
@ -840,7 +838,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
|
||||
* // Example x509() configuration
|
||||
* .x509();
|
||||
* return http.build();
|
||||
|
|
@ -873,7 +871,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .x509(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -907,7 +905,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* .permitAll().and()
|
||||
* // Example Remember Me Configuration
|
||||
* .rememberMe();
|
||||
|
|
@ -952,7 +950,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults())
|
||||
* .rememberMe(withDefaults());
|
||||
|
|
@ -998,7 +996,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
|
|
@ -1030,8 +1028,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .antMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* http.authorizeRequests().requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
|
|
@ -1063,7 +1061,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").requestMatchers("/admin/**")
|
||||
* .hasRole("ADMIN")
|
||||
* return http.build();
|
||||
* }
|
||||
|
|
@ -1072,7 +1070,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations
|
||||
* @throws Exception
|
||||
* @deprecated Use {@link #authorizeHttpRequests()} instead
|
||||
* @see #requestMatcher(RequestMatcher)
|
||||
*/
|
||||
@Deprecated
|
||||
public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests()
|
||||
|
|
@ -1101,7 +1098,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -1138,8 +1135,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -1176,8 +1173,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* );
|
||||
* return http.build();
|
||||
* }
|
||||
|
|
@ -1188,7 +1185,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @throws Exception
|
||||
* @deprecated Use {@link #authorizeHttpRequests} instead
|
||||
* @see #requestMatcher(RequestMatcher)
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity authorizeRequests(
|
||||
|
|
@ -1219,7 +1215,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .authorizeHttpRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .formLogin();
|
||||
* return http.build();
|
||||
|
|
@ -1255,8 +1251,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .authorizeHttpRequests()
|
||||
* .antMatchers("/admin").hasRole("ADMIN")
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .formLogin();
|
||||
* return http.build();
|
||||
|
|
@ -1292,8 +1288,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .authorizeHttpRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .and()
|
||||
* .formLogin();
|
||||
* return http.build();
|
||||
|
|
@ -1303,7 +1299,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @throws Exception
|
||||
* @since 5.6
|
||||
* @see #requestMatcher(RequestMatcher)
|
||||
*/
|
||||
public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests()
|
||||
throws Exception {
|
||||
|
|
@ -1331,7 +1326,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeHttpRequests((authorizeHttpRequests) ->
|
||||
* authorizeHttpRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -1368,8 +1363,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeHttpRequests((authorizeHttpRequests) ->
|
||||
* authorizeHttpRequests
|
||||
* .antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -1406,8 +1401,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeHttpRequests((authorizeHttpRequests) ->
|
||||
* authorizeHttpRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .antMatchers("/admin/**").hasRole("ADMIN")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
* );
|
||||
* return http.build();
|
||||
* }
|
||||
|
|
@ -1418,7 +1413,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @throws Exception
|
||||
* @since 5.5
|
||||
* @see #requestMatcher(RequestMatcher)
|
||||
*/
|
||||
public HttpSecurity authorizeHttpRequests(
|
||||
Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
|
||||
|
|
@ -1463,7 +1457,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .requestCache((requestCache) ->
|
||||
* requestCache.disable()
|
||||
|
|
@ -1512,7 +1506,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* // sample exception handling customization
|
||||
* .exceptionHandling((exceptionHandling) ->
|
||||
|
|
@ -1695,7 +1689,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* .and()
|
||||
* // sample logout customization
|
||||
* .logout().deleteCookies("remove").invalidateHttpSession(false)
|
||||
|
|
@ -1744,7 +1738,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults())
|
||||
* // sample logout customization
|
||||
|
|
@ -1799,7 +1793,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .authorizeRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .formLogin()
|
||||
* .and()
|
||||
|
|
@ -1833,7 +1827,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .authorizeRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .formLogin()
|
||||
* .and()
|
||||
|
|
@ -1882,7 +1876,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults())
|
||||
* // sample anonymous customization
|
||||
|
|
@ -1919,7 +1913,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults())
|
||||
* // sample anonymous customization
|
||||
|
|
@ -1969,7 +1963,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
|
|
@ -1994,7 +1988,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* .usernameParameter("username") // default is username
|
||||
* .passwordParameter("password") // default is password
|
||||
* .loginPage("/authentication/login") // default is /login with an HTTP get
|
||||
|
|
@ -2046,7 +2040,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -2076,7 +2070,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin((formLogin) ->
|
||||
* formLogin
|
||||
|
|
@ -2773,7 +2767,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
|
||||
* .and().requiresChannel().anyRequest().requiresSecure();
|
||||
* return http.build();
|
||||
* }
|
||||
|
|
@ -2819,7 +2813,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .formLogin(withDefaults())
|
||||
* .requiresChannel((requiresChannel) ->
|
||||
|
|
@ -2869,7 +2863,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().httpBasic();
|
||||
* http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().httpBasic();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
|
|
@ -2910,7 +2904,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .httpBasic(withDefaults());
|
||||
* return http.build();
|
||||
|
|
@ -2955,7 +2949,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
* http
|
||||
* .authorizeRequests(authorizeRequests ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .requestMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .passwordManagement(passwordManagement ->
|
||||
* passwordManagement
|
||||
|
|
@ -3087,291 +3081,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
return addFilterAtOffsetOf(filter, 0, atFilter);
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows specifying which {@link HttpServletRequest} instances this
|
||||
* {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
|
||||
* {@link HttpSecurity} for multiple different {@link RequestMatcher} instances. If
|
||||
* only a single {@link RequestMatcher} is necessary consider using
|
||||
* {@link #mvcMatcher(String)}, {@link #antMatcher(String)},
|
||||
* {@link #regexMatcher(String)}, or {@link #requestMatcher(RequestMatcher)}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #requestMatchers()} will not override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
*
|
||||
* <h3>Example Configurations</h3>
|
||||
*
|
||||
* The following configuration enables the {@link HttpSecurity} for URLs that begin
|
||||
* with "/api/" or "/oauth/".
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers()
|
||||
* .antMatchers("/api/**", "/oauth/**")
|
||||
* .and()
|
||||
* .authorizeRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .httpBasic();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* The configuration below is the same as the previous configuration.
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers()
|
||||
* .antMatchers("/api/**")
|
||||
* .antMatchers("/oauth/**")
|
||||
* .and()
|
||||
* .authorizeRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .httpBasic();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* The configuration below is also the same as the above configuration.
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers()
|
||||
* .antMatchers("/api/**")
|
||||
* .and()
|
||||
* .requestMatchers()
|
||||
* .antMatchers("/oauth/**")
|
||||
* .and()
|
||||
* .authorizeRequests()
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* .and()
|
||||
* .httpBasic();
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
* @return the {@link RequestMatcherConfigurer} for further customizations
|
||||
* @deprecated use {@link #securityMatchers()} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public RequestMatcherConfigurer requestMatchers() {
|
||||
return this.requestMatcherConfigurer;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows specifying which {@link HttpServletRequest} instances this
|
||||
* {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
|
||||
* {@link HttpSecurity} for multiple different {@link RequestMatcher} instances. If
|
||||
* only a single {@link RequestMatcher} is necessary consider using
|
||||
* {@link #mvcMatcher(String)}, {@link #antMatcher(String)},
|
||||
* {@link #regexMatcher(String)}, or {@link #requestMatcher(RequestMatcher)}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #requestMatchers()} will not override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
*
|
||||
* <h3>Example Configurations</h3>
|
||||
*
|
||||
* The following configuration enables the {@link HttpSecurity} for URLs that begin
|
||||
* with "/api/" or "/oauth/".
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers((requestMatchers) ->
|
||||
* requestMatchers
|
||||
* .antMatchers("/api/**", "/oauth/**")
|
||||
* )
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .httpBasic(withDefaults());
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* The configuration below is the same as the previous configuration.
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers((requestMatchers) ->
|
||||
* requestMatchers
|
||||
* .antMatchers("/api/**")
|
||||
* .antMatchers("/oauth/**")
|
||||
* )
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .httpBasic(withDefaults());
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
* The configuration below is also the same as the above configuration.
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
* @EnableWebSecurity
|
||||
* public class RequestMatchersSecurityConfig {
|
||||
*
|
||||
* @Bean
|
||||
* public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
* http
|
||||
* .requestMatchers((requestMatchers) ->
|
||||
* requestMatchers
|
||||
* .antMatchers("/api/**")
|
||||
* )
|
||||
* .requestMatchers((requestMatchers) ->
|
||||
* requestMatchers
|
||||
* .antMatchers("/oauth/**")
|
||||
* )
|
||||
* .authorizeRequests((authorizeRequests) ->
|
||||
* authorizeRequests
|
||||
* .antMatchers("/**").hasRole("USER")
|
||||
* )
|
||||
* .httpBasic(withDefaults());
|
||||
* return http.build();
|
||||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public UserDetailsService userDetailsService() {
|
||||
* UserDetails user = User.withDefaultPasswordEncoder()
|
||||
* .username("user")
|
||||
* .password("password")
|
||||
* .roles("USER")
|
||||
* .build();
|
||||
* return new InMemoryUserDetailsManager(user);
|
||||
* }
|
||||
* }
|
||||
* </pre>
|
||||
* @param requestMatcherCustomizer the {@link Customizer} to provide more options for
|
||||
* the {@link RequestMatcherConfigurer}
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @deprecated use {@link #securityMatchers(Customizer)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity requestMatchers(Customizer<RequestMatcherConfigurer> requestMatcherCustomizer) {
|
||||
requestMatcherCustomizer.customize(this.requestMatcherConfigurer);
|
||||
return HttpSecurity.this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows configuring the {@link HttpSecurity} to only be invoked when matching the
|
||||
* provided {@link RequestMatcher}. If more advanced configuration is necessary,
|
||||
* consider using {@link #requestMatchers()}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #requestMatcher(RequestMatcher)} will override previous invocations
|
||||
* of {@link #requestMatchers()}, {@link #mvcMatcher(String)},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
* @param requestMatcher the {@link RequestMatcher} to use (i.e. new
|
||||
* AntPathRequestMatcher("/admin/**","GET") )
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @deprecated use {@link #securityMatcher(RequestMatcher)} instead
|
||||
* @see #requestMatchers()
|
||||
* @see #antMatcher(String)
|
||||
* @see #regexMatcher(String)
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity requestMatcher(RequestMatcher requestMatcher) {
|
||||
this.requestMatcher = requestMatcher;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows specifying which {@link HttpServletRequest} instances this
|
||||
* {@link HttpSecurity} will be invoked on. This method allows for easily invoking the
|
||||
|
|
@ -3624,10 +3333,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* <p>
|
||||
* Invoking {@link #securityMatcher(RequestMatcher)} will override previous
|
||||
* invocations of {@link #requestMatchers()}, {@link #mvcMatcher(String)},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)},
|
||||
* {@link #requestMatcher(RequestMatcher)}, {@link #securityMatchers(Customizer)},
|
||||
* {@link #securityMatchers()} and {@link #securityMatcher(String...)}
|
||||
* invocations of {@link #securityMatcher(RequestMatcher)},
|
||||
* {@link #securityMatcher(String...)}, {@link #securityMatchers(Customizer)} and
|
||||
* {@link #securityMatchers()}
|
||||
* </p>
|
||||
* @param requestMatcher the {@link RequestMatcher} to use (i.e. new
|
||||
* AntPathRequestMatcher("/admin/**","GET") )
|
||||
|
|
@ -3648,9 +3356,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
*
|
||||
* <p>
|
||||
* Invoking {@link #securityMatcher(String...)} will override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* {@link #securityMatcher(String...)} (String)}},
|
||||
* {@link #securityMatcher(RequestMatcher)} ()}, {@link #securityMatchers(Customizer)}
|
||||
* (String)} and {@link #securityMatchers()} (String)}.
|
||||
* </p>
|
||||
* @param patterns the pattern to match on (i.e. "/admin/**")
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
|
|
@ -3692,72 +3400,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
return matchers;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows configuring the {@link HttpSecurity} to only be invoked when matching the
|
||||
* provided ant pattern. If more advanced configuration is necessary, consider using
|
||||
* {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #antMatcher(String)} will override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
* @param antPattern the Ant Pattern to match on (i.e. "/admin/**")
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @deprecated use {@link #securityMatcher(String...)} instead
|
||||
* @see AntPathRequestMatcher
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity antMatcher(String antPattern) {
|
||||
return requestMatcher(new AntPathRequestMatcher(antPattern));
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows configuring the {@link HttpSecurity} to only be invoked when matching the
|
||||
* provided Spring MVC pattern. If more advanced configuration is necessary, consider
|
||||
* using {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #mvcMatcher(String)} will override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
* @param mvcPattern the Spring MVC Pattern to match on (i.e. "/admin/**")
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @deprecated use {@link #securityMatcher(String...)} instead
|
||||
* @see MvcRequestMatcher
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity mvcMatcher(String mvcPattern) {
|
||||
HandlerMappingIntrospector introspector = new HandlerMappingIntrospector();
|
||||
introspector.setApplicationContext(getContext());
|
||||
introspector.afterPropertiesSet();
|
||||
return requestMatcher(new MvcRequestMatcher(introspector, mvcPattern));
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows configuring the {@link HttpSecurity} to only be invoked when matching the
|
||||
* provided regex pattern. If more advanced configuration is necessary, consider using
|
||||
* {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
|
||||
*
|
||||
* <p>
|
||||
* Invoking {@link #regexMatcher(String)} will override previous invocations of
|
||||
* {@link #mvcMatcher(String)}}, {@link #requestMatchers()},
|
||||
* {@link #antMatcher(String)}, {@link #regexMatcher(String)}, and
|
||||
* {@link #requestMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
* @param pattern the Regular Expression to match on (i.e. "/admin/.+")
|
||||
* @return the {@link HttpSecurity} for further customizations
|
||||
* @deprecated use {@link #securityMatcher(RequestMatcher)} with a
|
||||
* {@link RegexRequestMatcher} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public HttpSecurity regexMatcher(String pattern) {
|
||||
return requestMatcher(new RegexRequestMatcher(pattern, null));
|
||||
}
|
||||
|
||||
/**
|
||||
* If the {@link SecurityConfigurer} has already been specified get the original,
|
||||
* otherwise apply the new {@link SecurityConfigurerAdapter}.
|
||||
|
|
@ -3776,40 +3418,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
return apply(configurer);
|
||||
}
|
||||
|
||||
/**
|
||||
* An extension to {@link RequestMatcherConfigurer} that allows optionally configuring
|
||||
* the servlet path.
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public final class MvcMatchersRequestMatcherConfigurer extends RequestMatcherConfigurer {
|
||||
|
||||
private final List<MvcRequestMatcher> mvcMatchers;
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param context the {@link ApplicationContext} to use
|
||||
* @param mvcMatchers the {@link MvcRequestMatcher} instances to set the servlet
|
||||
* path on if {@link #servletPath(String)} is set.
|
||||
* @param allMatchers the {@link RequestMatcher} instances to continue the
|
||||
* configuration
|
||||
*/
|
||||
private MvcMatchersRequestMatcherConfigurer(ApplicationContext context, List<MvcRequestMatcher> mvcMatchers,
|
||||
List<RequestMatcher> allMatchers) {
|
||||
super(context);
|
||||
this.mvcMatchers = new ArrayList<>(mvcMatchers);
|
||||
this.matchers = allMatchers;
|
||||
}
|
||||
|
||||
public RequestMatcherConfigurer servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : this.mvcMatchers) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows mapping HTTP requests that this {@link HttpSecurity} will be used for
|
||||
*
|
||||
|
|
@ -3824,26 +3432,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersRequestMatcherConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
|
||||
setMatchers(mvcMatchers);
|
||||
return new MvcMatchersRequestMatcherConfigurer(getContext(), mvcMatchers, this.matchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersRequestMatcherConfigurer mvcMatchers(String... patterns) {
|
||||
return mvcMatchers(null, patterns);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected RequestMatcherConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
setMatchers(requestMatchers);
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ import org.springframework.beans.BeansException;
|
|||
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.PermissionEvaluator;
|
||||
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
||||
|
|
@ -58,7 +57,6 @@ import org.springframework.security.web.debug.DebugFilter;
|
|||
import org.springframework.security.web.firewall.HttpFirewall;
|
||||
import org.springframework.security.web.firewall.RequestRejectedHandler;
|
||||
import org.springframework.security.web.firewall.StrictHttpFirewall;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcherEntry;
|
||||
import org.springframework.util.Assert;
|
||||
|
|
@ -375,32 +373,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
this.servletContext = servletContext;
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link IgnoredRequestConfigurer} that allows optionally configuring the
|
||||
* {@link MvcRequestMatcher#setMethod(HttpMethod)}
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @deprecated use {@link MvcRequestMatcher.Builder} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public final class MvcMatchersIgnoredRequestConfigurer extends IgnoredRequestConfigurer {
|
||||
|
||||
private final List<MvcRequestMatcher> mvcMatchers;
|
||||
|
||||
private MvcMatchersIgnoredRequestConfigurer(ApplicationContext context, List<MvcRequestMatcher> mvcMatchers) {
|
||||
super(context);
|
||||
this.mvcMatchers = mvcMatchers;
|
||||
}
|
||||
|
||||
public IgnoredRequestConfigurer servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : this.mvcMatchers) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows registering {@link RequestMatcher} instances that should be ignored by
|
||||
* Spring Security.
|
||||
|
|
@ -414,26 +386,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
|
||||
WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
|
||||
return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(String... mvcPatterns) {
|
||||
return mvcMatchers(null, mvcPatterns);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
WebSecurity.this.ignoredRequests.addAll(requestMatchers);
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
|||
* <pre>
|
||||
* @Bean
|
||||
* public WebSecurityCustomizer ignoringCustomizer() {
|
||||
* return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
|
||||
* return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ import java.util.List;
|
|||
import jakarta.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorityAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
|
|
@ -34,7 +33,6 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
|||
import org.springframework.security.web.access.intercept.AuthorizationFilter;
|
||||
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
|
||||
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcherEntry;
|
||||
import org.springframework.util.Assert;
|
||||
|
|
@ -146,24 +144,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
|
|||
return postProcess(this.managerBuilder.build());
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(String... mvcPatterns) {
|
||||
return mvcMatchers(null, mvcPatterns);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
|
||||
}
|
||||
|
||||
@Override
|
||||
protected AuthorizedUrl chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
this.unmappedMatchers = requestMatchers;
|
||||
|
|
@ -205,35 +185,6 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link AuthorizeHttpRequestsConfigurer.AuthorizedUrl} that allows optionally
|
||||
* configuring the {@link MvcRequestMatcher#setServletPath(String)}.
|
||||
*
|
||||
* @author Evgeniy Cheban
|
||||
* @deprecated use {@link MvcRequestMatcher.Builder} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
|
||||
|
||||
private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> matchers) {
|
||||
super(matchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* Configures <code>servletPath</code> to {@link MvcRequestMatcher}s.
|
||||
* @param servletPath the servlet path
|
||||
* @return the {@link MvcMatchersAuthorizedUrl} for further customizations
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public MvcMatchersAuthorizedUrl servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* An object that allows configuring the {@link AuthorizationManager} for
|
||||
* {@link RequestMatcher}s.
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ import java.util.LinkedHashMap;
|
|||
import java.util.List;
|
||||
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.ConfigAttribute;
|
||||
import org.springframework.security.access.SecurityConfig;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
|
|
@ -41,7 +40,6 @@ import org.springframework.security.web.access.channel.RetryWithHttpEntryPoint;
|
|||
import org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint;
|
||||
import org.springframework.security.web.access.channel.SecureChannelProcessor;
|
||||
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
/**
|
||||
|
|
@ -155,25 +153,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersRequiresChannelUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
|
||||
return new MvcMatchersRequiresChannelUrl(mvcMatchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersRequiresChannelUrl mvcMatchers(String... patterns) {
|
||||
return mvcMatchers(null, patterns);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected RequiresChannelUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
|
||||
return new RequiresChannelUrl(requestMatchers);
|
||||
|
|
@ -222,21 +201,6 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
|
||||
}
|
||||
|
||||
public final class MvcMatchersRequiresChannelUrl extends RequiresChannelUrl {
|
||||
|
||||
private MvcMatchersRequiresChannelUrl(List<MvcRequestMatcher> matchers) {
|
||||
super(matchers);
|
||||
}
|
||||
|
||||
public RequiresChannelUrl servletPath(String servletPath) {
|
||||
for (RequestMatcher matcher : this.requestMatchers) {
|
||||
((MvcRequestMatcher) matcher).setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public class RequiresChannelUrl {
|
||||
|
||||
protected List<? extends RequestMatcher> requestMatchers;
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ import java.util.List;
|
|||
import jakarta.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
|
||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
|
|
@ -40,7 +39,6 @@ import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
|||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.MissingCsrfTokenException;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
|
||||
import org.springframework.security.web.session.InvalidSessionStrategy;
|
||||
import org.springframework.security.web.util.matcher.AndRequestMatcher;
|
||||
|
|
@ -139,37 +137,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Allows specifying {@link HttpServletRequest} that should not use CSRF Protection
|
||||
* even if they match the {@link #requireCsrfProtectionMatcher(RequestMatcher)}.
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* For example, the following configuration will ensure CSRF protection ignores:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li>Any GET, HEAD, TRACE, OPTIONS (this is the default)</li>
|
||||
* <li>We also explicitly state to ignore any request that starts with "/sockjs/"</li>
|
||||
* </ul>
|
||||
*
|
||||
* <pre>
|
||||
* http
|
||||
* .csrf()
|
||||
* .ignoringAntMatchers("/sockjs/**")
|
||||
* .and()
|
||||
* ...
|
||||
* </pre>
|
||||
*
|
||||
* @since 4.0
|
||||
* @deprecated use {@link #ignoringRequestMatchers(RequestMatcher...)} with an
|
||||
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public CsrfConfigurer<H> ignoringAntMatchers(String... antPatterns) {
|
||||
return new IgnoreCsrfProtectionRegistry(this.context).antMatchers(antPatterns).and();
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Allows specifying {@link HttpServletRequest}s that should not use CSRF Protection
|
||||
|
|
@ -378,26 +345,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersIgnoreCsrfProtectionRegistry mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
|
||||
CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(mvcMatchers);
|
||||
return new MvcMatchersIgnoreCsrfProtectionRegistry(getApplicationContext(), mvcMatchers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersIgnoreCsrfProtectionRegistry mvcMatchers(String... mvcPatterns) {
|
||||
return mvcMatchers(null, mvcPatterns);
|
||||
}
|
||||
|
||||
CsrfConfigurer<H> and() {
|
||||
return CsrfConfigurer.this;
|
||||
}
|
||||
|
|
@ -410,29 +357,4 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link IgnoreCsrfProtectionRegistry} that allows optionally configuring the
|
||||
* {@link MvcRequestMatcher#setMethod(HttpMethod)}
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
private final class MvcMatchersIgnoreCsrfProtectionRegistry extends IgnoreCsrfProtectionRegistry {
|
||||
|
||||
private final List<MvcRequestMatcher> mvcMatchers;
|
||||
|
||||
private MvcMatchersIgnoreCsrfProtectionRegistry(ApplicationContext context,
|
||||
List<MvcRequestMatcher> mvcMatchers) {
|
||||
super(context);
|
||||
this.mvcMatchers = mvcMatchers;
|
||||
}
|
||||
|
||||
IgnoreCsrfProtectionRegistry servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : this.mvcMatchers) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ import java.util.LinkedHashMap;
|
|||
import java.util.List;
|
||||
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.AccessDecisionVoter;
|
||||
import org.springframework.security.access.ConfigAttribute;
|
||||
import org.springframework.security.access.PermissionEvaluator;
|
||||
|
|
@ -38,7 +37,6 @@ import org.springframework.security.web.FilterInvocation;
|
|||
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
|
||||
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
|
||||
import org.springframework.security.web.access.expression.WebExpressionVoter;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
|
@ -222,24 +220,6 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(String... patterns) {
|
||||
return mvcMatchers(null, patterns);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
|
||||
return new AuthorizedUrl(requestMatchers);
|
||||
|
|
@ -275,31 +255,6 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link AuthorizedUrl} that allows optionally configuring the
|
||||
* {@link MvcRequestMatcher#setMethod(HttpMethod)}
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param requestMatchers the {@link RequestMatcher} instances to map
|
||||
*/
|
||||
private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> requestMatchers) {
|
||||
super(requestMatchers);
|
||||
}
|
||||
|
||||
public AuthorizedUrl servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public class AuthorizedUrl {
|
||||
|
||||
private List<? extends RequestMatcher> requestMatchers;
|
||||
|
|
|
|||
|
|
@ -32,7 +32,6 @@ import org.springframework.security.config.annotation.ObjectPostProcessor;
|
|||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
|
||||
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
|
@ -51,8 +50,8 @@ import org.springframework.util.Assert;
|
|||
* <pre>
|
||||
* protected void configure(HttpSecurity http) throws Exception {
|
||||
* http.apply(new UrlAuthorizationConfigurer<HttpSecurity>()).getRegistry()
|
||||
* .antMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
* .antMatchers("/signup").hasRole("ANONYMOUS").anyRequest().hasRole("USER");
|
||||
* .requestMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
* .requestMatchers("/signup").hasRole("ANONYMOUS").anyRequest().hasRole("USER");
|
||||
* }
|
||||
* </pre>
|
||||
*
|
||||
|
|
@ -202,22 +201,24 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
setApplicationContext(context);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(HttpMethod, String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return new MvcMatchersAuthorizedUrl(createMvcMatchers(method, mvcPatterns));
|
||||
public AuthorizedUrl requestMatchers(String... patterns) {
|
||||
return super.requestMatchers(patterns);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated use {@link #requestMatchers(String...)} instead
|
||||
*/
|
||||
@Override
|
||||
@Deprecated
|
||||
public MvcMatchersAuthorizedUrl mvcMatchers(String... patterns) {
|
||||
return mvcMatchers(null, patterns);
|
||||
public AuthorizedUrl requestMatchers(HttpMethod method, String... patterns) {
|
||||
return super.requestMatchers(method, patterns);
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthorizedUrl requestMatchers(HttpMethod method) {
|
||||
return super.requestMatchers(method);
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthorizedUrl requestMatchers(RequestMatcher... requestMatchers) {
|
||||
return super.requestMatchers(requestMatchers);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -242,32 +243,6 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* An {@link AuthorizedUrl} that allows optionally configuring the
|
||||
* {@link MvcRequestMatcher#setMethod(HttpMethod)}
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param requestMatchers the {@link RequestMatcher} instances to map
|
||||
*/
|
||||
private MvcMatchersAuthorizedUrl(List<MvcRequestMatcher> requestMatchers) {
|
||||
super(requestMatchers);
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public AuthorizedUrl servletPath(String servletPath) {
|
||||
for (MvcRequestMatcher matcher : (List<MvcRequestMatcher>) getMatchers()) {
|
||||
matcher.setServletPath(servletPath);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps the specified {@link RequestMatcher} instances to {@link ConfigAttribute}
|
||||
* instances.
|
||||
|
|
|
|||
|
|
@ -26,9 +26,11 @@ import org.springframework.security.config.annotation.web.configurers.AuthorizeH
|
|||
import org.springframework.security.core.Authentication
|
||||
import org.springframework.security.web.access.intercept.AuthorizationFilter
|
||||
import org.springframework.security.web.access.intercept.RequestAuthorizationContext
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher
|
||||
import org.springframework.util.ClassUtils
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector
|
||||
import java.util.function.Supplier
|
||||
|
||||
/**
|
||||
|
|
@ -43,6 +45,7 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
|
|||
|
||||
private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
|
||||
|
||||
private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
|
||||
private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
|
||||
private val MVC_PRESENT = ClassUtils.isPresent(
|
||||
HANDLER_MAPPING_INTROSPECTOR,
|
||||
|
|
@ -244,10 +247,15 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
|
|||
is MatcherAuthorizationManagerRule -> requests.requestMatchers(rule.matcher).access(rule.rule)
|
||||
is PatternAuthorizationManagerRule -> {
|
||||
when (rule.patternType) {
|
||||
PatternType.ANT -> requests.antMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
|
||||
PatternType.MVC -> requests.mvcMatchers(rule.httpMethod, rule.pattern)
|
||||
.apply { if (rule.servletPath != null) servletPath(rule.servletPath) }
|
||||
.access(rule.rule)
|
||||
PatternType.ANT -> requests.requestMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
|
||||
PatternType.MVC -> {
|
||||
val introspector = requests.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
|
||||
val mvcMatcher = MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath(rule.servletPath)
|
||||
.pattern(rule.pattern)
|
||||
mvcMatcher.setMethod(rule.httpMethod)
|
||||
requests.requestMatchers(mvcMatcher).access(rule.rule)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,9 +19,11 @@ package org.springframework.security.config.annotation.web
|
|||
import org.springframework.http.HttpMethod
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher
|
||||
import org.springframework.util.ClassUtils
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector
|
||||
|
||||
/**
|
||||
* A Kotlin DSL to configure [HttpSecurity] request authorization using idiomatic Kotlin code.
|
||||
|
|
@ -32,6 +34,7 @@ import org.springframework.util.ClassUtils
|
|||
class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
|
||||
private val authorizationRules = mutableListOf<AuthorizationRule>()
|
||||
|
||||
private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
|
||||
private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
|
||||
private val MVC_PRESENT = ClassUtils.isPresent(
|
||||
HANDLER_MAPPING_INTROSPECTOR,
|
||||
|
|
@ -224,10 +227,15 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
|
|||
is MatcherAuthorizationRule -> requests.requestMatchers(rule.matcher).access(rule.rule)
|
||||
is PatternAuthorizationRule -> {
|
||||
when (rule.patternType) {
|
||||
PatternType.ANT -> requests.antMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
|
||||
PatternType.MVC -> requests.mvcMatchers(rule.httpMethod, rule.pattern)
|
||||
.apply { if(rule.servletPath != null) servletPath(rule.servletPath) }
|
||||
.access(rule.rule)
|
||||
PatternType.ANT -> requests.requestMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
|
||||
PatternType.MVC -> {
|
||||
val introspector = requests.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
|
||||
val mvcMatcher = MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath(rule.servletPath)
|
||||
.pattern(rule.pattern)
|
||||
mvcMatcher.setMethod(rule.httpMethod)
|
||||
requests.requestMatchers(mvcMatcher).access(rule.rule)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,13 +16,13 @@
|
|||
|
||||
package org.springframework.security.config.annotation.web
|
||||
|
||||
import jakarta.servlet.http.HttpServletRequest
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
|
||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
|
||||
import org.springframework.security.web.csrf.CsrfTokenRepository
|
||||
import org.springframework.security.web.csrf.CsrfTokenRequestHandler
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher
|
||||
import jakarta.servlet.http.HttpServletRequest
|
||||
|
||||
/**
|
||||
* A Kotlin DSL to configure [HttpSecurity] CSRF protection
|
||||
|
|
@ -42,23 +42,10 @@ class CsrfDsl {
|
|||
var sessionAuthenticationStrategy: SessionAuthenticationStrategy? = null
|
||||
var csrfTokenRequestHandler: CsrfTokenRequestHandler? = null
|
||||
|
||||
private var ignoringAntMatchers: Array<out String>? = null
|
||||
private var ignoringRequestMatchers: Array<out RequestMatcher>? = null
|
||||
private var ignoringRequestMatchersPatterns: Array<out String>? = null
|
||||
private var disabled = false
|
||||
|
||||
/**
|
||||
* Allows specifying [HttpServletRequest]s that should not use CSRF Protection
|
||||
* even if they match the [requireCsrfProtectionMatcher].
|
||||
*
|
||||
* @param antMatchers the ANT pattern matchers that should not use CSRF
|
||||
* protection
|
||||
*/
|
||||
@Deprecated("Use ignoringRequestMatchers instead")
|
||||
fun ignoringAntMatchers(vararg antMatchers: String) {
|
||||
ignoringAntMatchers = antMatchers
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows specifying [HttpServletRequest]s that should not use CSRF Protection
|
||||
* even if they match the [requireCsrfProtectionMatcher].
|
||||
|
|
@ -93,7 +80,6 @@ class CsrfDsl {
|
|||
requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
|
||||
sessionAuthenticationStrategy?.also { csrf.sessionAuthenticationStrategy(sessionAuthenticationStrategy) }
|
||||
csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
|
||||
ignoringAntMatchers?.also { csrf.ignoringAntMatchers(*ignoringAntMatchers!!) }
|
||||
ignoringRequestMatchers?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchers!!) }
|
||||
ignoringRequestMatchersPatterns?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchersPatterns!!) }
|
||||
if (disabled) {
|
||||
|
|
|
|||
|
|
@ -137,18 +137,8 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
|
|||
* configuration should be invoked.
|
||||
*/
|
||||
fun securityMatcher(vararg pattern: String) {
|
||||
val mvcPresent = ClassUtils.isPresent(
|
||||
HANDLER_MAPPING_INTROSPECTOR,
|
||||
AuthorizeRequestsDsl::class.java.classLoader) ||
|
||||
ClassUtils.isPresent(
|
||||
HANDLER_MAPPING_INTROSPECTOR,
|
||||
AuthorizeHttpRequestsDsl::class.java.classLoader)
|
||||
this.http.requestMatchers {
|
||||
if (mvcPresent) {
|
||||
it.mvcMatchers(*pattern)
|
||||
} else {
|
||||
it.antMatchers(*pattern)
|
||||
}
|
||||
this.http.securityMatchers {
|
||||
it.requestMatchers(*pattern)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -180,7 +170,7 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
|
|||
* this configuration should be invoked.
|
||||
*/
|
||||
fun securityMatcher(vararg requestMatcher: RequestMatcher) {
|
||||
this.http.requestMatchers {
|
||||
this.http.securityMatchers {
|
||||
it.requestMatchers(*requestMatcher)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,9 +20,11 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
|||
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer
|
||||
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl
|
||||
import org.springframework.security.web.access.channel.ChannelProcessor
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher
|
||||
import org.springframework.util.ClassUtils
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector
|
||||
|
||||
/**
|
||||
* A Kotlin DSL to configure [HttpSecurity] channel security using idiomatic
|
||||
|
|
@ -36,6 +38,7 @@ import org.springframework.util.ClassUtils
|
|||
class RequiresChannelDsl : AbstractRequestMatcherDsl() {
|
||||
private val channelSecurityRules = mutableListOf<AuthorizationRule>()
|
||||
|
||||
private val HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME = "mvcHandlerMappingIntrospector"
|
||||
private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
|
||||
private val MVC_PRESENT = ClassUtils.isPresent(
|
||||
HANDLER_MAPPING_INTROSPECTOR,
|
||||
|
|
@ -119,11 +122,14 @@ class RequiresChannelDsl : AbstractRequestMatcherDsl() {
|
|||
is MatcherAuthorizationRule -> channelSecurity.requestMatchers(rule.matcher).requires(rule.rule)
|
||||
is PatternAuthorizationRule -> {
|
||||
when (rule.patternType) {
|
||||
PatternType.ANT -> channelSecurity.antMatchers(rule.pattern).requires(rule.rule)
|
||||
PatternType.ANT -> channelSecurity.requestMatchers(rule.pattern).requires(rule.rule)
|
||||
PatternType.MVC -> {
|
||||
val mvcMatchersRequiresChannel = channelSecurity.mvcMatchers(rule.pattern)
|
||||
rule.servletPath?.also { mvcMatchersRequiresChannel.servletPath(rule.servletPath) }
|
||||
mvcMatchersRequiresChannel.requires(rule.rule)
|
||||
val introspector = channelSecurity.applicationContext.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, HandlerMappingIntrospector::class.java)
|
||||
val mvcMatcher = MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath(rule.servletPath)
|
||||
.pattern(rule.pattern)
|
||||
mvcMatcher.setMethod(rule.httpMethod)
|
||||
channelSecurity.requestMatchers(mvcMatcher).requires(rule.rule)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
|
|||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
|
|
@ -51,7 +52,7 @@ public class SecurityConfig {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/*").permitAll()
|
||||
.requestMatchers(new AntPathRequestMatcher("/*")).permitAll()
|
||||
.and()
|
||||
.authenticationProvider(authenticationProvider());
|
||||
// @formatter:on
|
||||
|
|
|
|||
|
|
@ -25,8 +25,11 @@ import org.springframework.mock.web.MockServletContext;
|
|||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
||||
|
|
@ -85,7 +88,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
|||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.antMatchers("/demo/**").permitAll();
|
||||
.requestMatchers(new AntPathRequestMatcher("/demo/**")).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -97,12 +100,12 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
|||
static class MvcMatchersAfterAnyRequestConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.mvcMatchers("/demo/**").permitAll();
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/demo/**")).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -119,7 +122,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
|||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.regexMatchers(".*").permitAll();
|
||||
.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
|
|||
|
|
@ -69,16 +69,6 @@ public class AbstractRequestMatcherRegistryNoMvcTests {
|
|||
|
||||
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
|
|
|
|||
|
|
@ -65,7 +65,8 @@ public class AbstractRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void regexMatchersWhenHttpMethodAndPatternParamsThenReturnRegexRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
|
||||
|
|
@ -73,7 +74,8 @@ public class AbstractRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void regexMatchersWhenPatternParamThenReturnRegexRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", null));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
|
||||
|
|
@ -81,7 +83,8 @@ public class AbstractRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void antMatchersWhenHttpMethodAndPatternParamsThenReturnAntPathRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
|
||||
|
|
@ -89,7 +92,7 @@ public class AbstractRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void antMatchersWhenPatternParamThenReturnAntPathRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.requestMatchers(new AntPathRequestMatcher("/a.*"));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
|
||||
|
|
@ -151,16 +154,6 @@ public class AbstractRequestMatcherRegistryTests {
|
|||
|
||||
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
|
|
|
|||
|
|
@ -36,8 +36,10 @@ import org.springframework.security.core.userdetails.PasswordEncodedUser;
|
|||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
|
|
@ -107,18 +109,19 @@ public class HttpConfigurationTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RequestMatcherRegistryConfigs {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/api/**")
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.antMatchers("/**").hasRole("USER")
|
||||
.anyRequest().hasRole("USER")
|
||||
.and()
|
||||
.httpBasic();
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ import org.springframework.stereotype.Controller;
|
|||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
|
|
@ -302,6 +303,7 @@ public class NamespaceHttpTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AccessDeniedPageConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -309,7 +311,7 @@ public class NamespaceHttpTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.exceptionHandling()
|
||||
|
|
@ -385,6 +387,7 @@ public class NamespaceHttpTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IfRequiredConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -392,7 +395,7 @@ public class NamespaceHttpTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/unsecure").permitAll()
|
||||
.requestMatchers("/unsecure").permitAll()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.sessionManagement()
|
||||
|
|
@ -487,7 +490,7 @@ public class NamespaceHttpTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.antMatcher("/api/**");
|
||||
.securityMatcher(new AntPathRequestMatcher("/api/**"));
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -502,7 +505,7 @@ public class NamespaceHttpTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.regexMatcher("/regex/.*");
|
||||
.securityMatcher(new RegexRequestMatcher("/regex/.*", null));
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -517,7 +520,7 @@ public class NamespaceHttpTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatcher(new MyRequestMatcher());
|
||||
.securityMatcher(new MyRequestMatcher());
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -539,7 +542,8 @@ public class NamespaceHttpTests {
|
|||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**", "/public/**");
|
||||
return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/resources/**"),
|
||||
new AntPathRequestMatcher("/public/**"));
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
@ -625,6 +629,7 @@ public class NamespaceHttpTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class UseExpressionsConfig {
|
||||
|
||||
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
|
||||
|
|
@ -636,8 +641,8 @@ public class NamespaceHttpTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.antMatchers("/signup").permitAll()
|
||||
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.requestMatchers("/signup").permitAll()
|
||||
.anyRequest().hasRole("USER");
|
||||
this.httpSecurity = http;
|
||||
return http.build();
|
||||
|
|
@ -659,6 +664,7 @@ public class NamespaceHttpTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DisableUseExpressionsConfig {
|
||||
|
||||
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
|
||||
|
|
@ -670,8 +676,8 @@ public class NamespaceHttpTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
|
||||
.antMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.antMatchers("/signup").hasRole("ANONYMOUS")
|
||||
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.requestMatchers("/signup").hasRole("ANONYMOUS")
|
||||
.anyRequest().hasRole("USER");
|
||||
this.httpSecurity = http;
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -40,12 +40,14 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
|||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
|
|
@ -147,8 +149,8 @@ public class WebSecurityTests {
|
|||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().mvcMatchers("/path");
|
||||
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
|
||||
return (web) -> web.ignoring().requestMatchers(new MvcRequestMatcher(introspector, "/path"));
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
@ -185,8 +187,9 @@ public class WebSecurityTests {
|
|||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().mvcMatchers("/path").servletPath("/spring").mvcMatchers("/notused");
|
||||
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
|
||||
MvcRequestMatcher.Builder builder = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");
|
||||
return (web) -> web.ignoring().requestMatchers(builder.pattern("/path")).requestMatchers("/notused");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
|
|||
|
|
@ -58,10 +58,12 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||
import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
|
||||
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
|
||||
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.util.ClassUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
|
@ -346,7 +348,7 @@ public class WebSecurityConfigurationTests {
|
|||
SecurityFilterChain filterChain1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
|
|
@ -359,7 +361,7 @@ public class WebSecurityConfigurationTests {
|
|||
SecurityFilterChain filterChain2(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role2/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role2/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("2")
|
||||
)
|
||||
|
|
@ -372,7 +374,7 @@ public class WebSecurityConfigurationTests {
|
|||
SecurityFilterChain filterChain3(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role3/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role3/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("3")
|
||||
)
|
||||
|
|
@ -403,7 +405,7 @@ public class WebSecurityConfigurationTests {
|
|||
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
|
|
@ -634,31 +636,33 @@ public class WebSecurityConfigurationTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class WebSecurityCustomizerConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class CustomizerAndFilterChainConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
|
||||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
|
|
@ -670,19 +674,20 @@ public class WebSecurityConfigurationTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class OrderedCustomizerConfig {
|
||||
|
||||
@Order(1)
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer1() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1");
|
||||
}
|
||||
|
||||
@Order(2)
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer2() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore2");
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -696,7 +701,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -720,7 +725,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -745,7 +750,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/user"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -756,7 +761,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/admin"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -773,12 +778,13 @@ public class WebSecurityConfigurationTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class MultipleSecurityFilterChainIgnoringConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignoring1/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignoring1/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
@ -786,7 +792,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/user"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -797,7 +803,7 @@ public class WebSecurityConfigurationTests {
|
|||
public SecurityFilterChain admin(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/admin"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ import org.junit.jupiter.api.BeforeEach;
|
|||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.AccessDecisionVoter;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
|
@ -40,7 +39,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void testGetRequestMatcherIsTypeRegexMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.regexMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
|
||||
}
|
||||
|
|
@ -48,7 +48,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void testRequestMatcherIsTypeRegexMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.regexMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new RegexRequestMatcher("/a.*", null));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
|
||||
}
|
||||
|
|
@ -56,7 +56,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void testGetRequestMatcherIsTypeAntPathRequestMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.antMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry
|
||||
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
|
||||
}
|
||||
|
|
@ -64,7 +65,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
|||
|
||||
@Test
|
||||
public void testRequestMatcherIsTypeAntPathRequestMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.antMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new AntPathRequestMatcher("/a.*"));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
|
||||
}
|
||||
|
|
@ -73,25 +74,11 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
|||
static class ConcreteAbstractRequestMatcherMappingConfigurer
|
||||
extends AbstractConfigAttributeRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
List<AccessDecisionVoter> decisionVoters() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,6 +46,7 @@ import org.springframework.security.web.access.expression.WebExpressionAuthoriza
|
|||
import org.springframework.security.web.access.intercept.AuthorizationFilter;
|
||||
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
|
||||
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.test.web.servlet.request.RequestPostProcessor;
|
||||
|
|
@ -55,6 +56,7 @@ import org.springframework.web.bind.annotation.PostMapping;
|
|||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.mockito.Mockito.any;
|
||||
|
|
@ -615,7 +617,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
|||
return http
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.anyRequest().authenticated()
|
||||
.mvcMatchers("/path").hasRole("USER")
|
||||
.requestMatchers("/path").hasRole("USER")
|
||||
)
|
||||
.build();
|
||||
// @formatter:on
|
||||
|
|
@ -847,11 +849,13 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
|||
static class ServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
return http
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.mvcMatchers("/").servletPath("/spring").hasRole("ADMIN")
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/")).hasRole("ADMIN")
|
||||
)
|
||||
.build();
|
||||
// @formatter:on
|
||||
|
|
@ -940,7 +944,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
|||
http
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.mvcMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
|
||||
.requestMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
|||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
|
@ -49,6 +50,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
|
|||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.spy;
|
||||
|
|
@ -289,7 +291,7 @@ public class AuthorizeRequestsTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(HttpMethod.POST).denyAll();
|
||||
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -311,7 +313,7 @@ public class AuthorizeRequestsTests {
|
|||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers(HttpMethod.POST).denyAll()
|
||||
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -407,7 +409,7 @@ public class AuthorizeRequestsTests {
|
|||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/path").denyAll();
|
||||
.requestMatchers("/path").denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -441,7 +443,7 @@ public class AuthorizeRequestsTests {
|
|||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/path").denyAll()
|
||||
.requestMatchers("/path").denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -470,12 +472,14 @@ public class AuthorizeRequestsTests {
|
|||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/path").servletPath("/spring").denyAll();
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -503,13 +507,15 @@ public class AuthorizeRequestsTests {
|
|||
static class MvcMatcherServletPathInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/path").servletPath("/spring").denyAll()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -543,7 +549,7 @@ public class AuthorizeRequestsTests {
|
|||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/user/{userName}").access("#userName == 'user'");
|
||||
.requestMatchers("/user/{userName}").access("#userName == 'user'");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -577,7 +583,7 @@ public class AuthorizeRequestsTests {
|
|||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/user/{userName}").access("#userName == 'user'")
|
||||
.requestMatchers("/user/{userName}").access("#userName == 'user'")
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
@ -611,7 +617,7 @@ public class AuthorizeRequestsTests {
|
|||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/user").denyAll();
|
||||
.requestMatchers("/user").denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -243,11 +243,11 @@ public class ChannelSecurityConfigurerTests {
|
|||
.portMapper(new PortMapperImpl())
|
||||
.and()
|
||||
.requiresChannel()
|
||||
.mvcMatchers("/test-1")
|
||||
.requestMatchers("/test-1")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-2")
|
||||
.requestMatchers("/test-2")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-3")
|
||||
.requestMatchers("/test-3")
|
||||
.requiresSecure()
|
||||
.anyRequest()
|
||||
.requiresInsecure();
|
||||
|
|
@ -271,11 +271,11 @@ public class ChannelSecurityConfigurerTests {
|
|||
.portMapper(new PortMapperImpl())
|
||||
)
|
||||
.requiresChannel((channel) -> channel
|
||||
.mvcMatchers("/test-1")
|
||||
.requestMatchers("/test-1")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-2")
|
||||
.requestMatchers("/test-2")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-3")
|
||||
.requestMatchers("/test-3")
|
||||
.requiresSecure()
|
||||
.anyRequest()
|
||||
.requiresInsecure()
|
||||
|
|
|
|||
|
|
@ -119,6 +119,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IgnoringRequestInLambdaMatchers {
|
||||
|
||||
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
|
||||
|
|
@ -149,7 +150,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.csrf()
|
||||
.ignoringAntMatchers("/no-csrf")
|
||||
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
|
||||
.ignoringRequestMatchers(this.requestMatcher);
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -159,6 +160,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IgnoringPathsAndMatchersInLambdaConfig {
|
||||
|
||||
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
|
||||
|
|
@ -169,7 +171,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
|||
http
|
||||
.csrf((csrf) ->
|
||||
csrf
|
||||
.ignoringAntMatchers("/no-csrf")
|
||||
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
|
||||
.ignoringRequestMatchers(this.requestMatcher)
|
||||
);
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -57,6 +57,7 @@ import org.springframework.security.web.header.HeaderWriterFilter;
|
|||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
|
|
@ -163,11 +164,12 @@ public class DefaultFiltersTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FilterChainProxyBuilderIgnoringConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ import org.springframework.web.bind.annotation.GetMapping;
|
|||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
|
@ -611,6 +612,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IncompleteMappingConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -618,7 +620,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/a").authenticated()
|
||||
.requestMatchers("/a").authenticated()
|
||||
.anyRequest();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -965,6 +967,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AllPropertiesWorkConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -978,7 +981,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
.expressionHandler(handler)
|
||||
.accessDecisionManager(adm)
|
||||
.filterSecurityInterceptorOncePerRequest(true)
|
||||
.antMatchers("/a", "/b").hasRole("ADMIN")
|
||||
.requestMatchers("/a", "/b").hasRole("ADMIN")
|
||||
.anyRequest().permitAll()
|
||||
.and()
|
||||
.formLogin();
|
||||
|
|
@ -1034,6 +1037,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class UseBeansInExpressions {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1041,9 +1045,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.antMatchers("/user").hasRole("USER")
|
||||
.antMatchers("/allow").access("@permission.check(authentication,'user')")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/user").hasRole("USER")
|
||||
.requestMatchers("/allow").access("@permission.check(authentication,'user')")
|
||||
.anyRequest().access("@permission.check(authentication,'admin')");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -1066,6 +1070,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CustomExpressionRootConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1074,9 +1079,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
http
|
||||
.authorizeRequests()
|
||||
.expressionHandler(expressionHandler())
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.antMatchers("/user").hasRole("USER")
|
||||
.antMatchers("/allow").access("check('user')")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/user").hasRole("USER")
|
||||
.requestMatchers("/allow").access("check('user')")
|
||||
.anyRequest().access("check('admin')");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -1146,6 +1151,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class PermissionEvaluatorConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1153,10 +1159,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
|
||||
.antMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
|
||||
.antMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
|
||||
.antMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
|
||||
.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
|
||||
.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
|
||||
.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
|
||||
.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
|
||||
.anyRequest().permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -1183,6 +1189,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RoleHierarchyConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1190,8 +1197,8 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/allow").access("hasRole('MEMBER')")
|
||||
.antMatchers("/deny").access("hasRole('ADMIN')")
|
||||
.requestMatchers("/allow").access("hasRole('MEMBER')")
|
||||
.requestMatchers("/deny").access("hasRole('ADMIN')")
|
||||
.anyRequest().permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
|
|||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||
import org.springframework.security.web.savedrequest.RequestCache;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
|
|
@ -409,11 +410,12 @@ public class FormLoginConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FormLoginConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
|
|||
|
|
@ -1,146 +0,0 @@
|
|||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class HttpSecurityAntMatchersTests {
|
||||
|
||||
AnnotationConfigWebApplicationContext context;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
|
||||
MockHttpServletResponse response;
|
||||
|
||||
MockFilterChain chain;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@BeforeEach
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
public void cleanup() {
|
||||
if (this.context != null) {
|
||||
this.context.close();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndNoPatterns() throws Exception {
|
||||
loadConfig(AntMatchersNoPatternsConfig.class);
|
||||
this.request.setMethod("POST");
|
||||
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndEmptyPatterns() throws Exception {
|
||||
loadConfig(AntMatchersEmptyPatternsConfig.class);
|
||||
this.request.setMethod("POST");
|
||||
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
}
|
||||
|
||||
public void loadConfig(Class<?>... configs) {
|
||||
this.context = new AnnotationConfigWebApplicationContext();
|
||||
this.context.register(configs);
|
||||
this.context.refresh();
|
||||
this.context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersNoPatternsConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers(HttpMethod.POST)
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
return new InMemoryUserDetailsManager();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersEmptyPatternsConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/never/")
|
||||
.antMatchers(HttpMethod.POST, new String[0])
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
return new InMemoryUserDetailsManager();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -36,12 +36,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
|||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.config.Customizer.withDefaults;
|
||||
|
|
@ -217,13 +219,14 @@ public class HttpSecurityRequestMatchersTests {
|
|||
|
||||
@Bean
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
SecurityFilterChain first(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests
|
||||
.mvcMatchers("/test-1")
|
||||
.mvcMatchers("/test-2")
|
||||
.mvcMatchers("/test-3")
|
||||
.securityMatchers((requests) -> requests
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
|
||||
)
|
||||
.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
|
||||
.httpBasic(withDefaults());
|
||||
|
|
@ -232,11 +235,12 @@ public class HttpSecurityRequestMatchersTests {
|
|||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain second(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests
|
||||
.mvcMatchers("/test-1")
|
||||
.securityMatchers((requests) -> requests
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
)
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().permitAll()
|
||||
|
|
@ -264,13 +268,14 @@ public class HttpSecurityRequestMatchersTests {
|
|||
|
||||
@Bean
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
SecurityFilterChain first(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/test-1")
|
||||
.mvcMatchers("/test-2")
|
||||
.mvcMatchers("/test-3")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll()
|
||||
|
|
@ -281,11 +286,12 @@ public class HttpSecurityRequestMatchersTests {
|
|||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain second(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/test-1")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().permitAll();
|
||||
|
|
@ -311,10 +317,10 @@ public class HttpSecurityRequestMatchersTests {
|
|||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.mvcMatcher("/path")
|
||||
.securityMatcher(new MvcRequestMatcher(introspector, "/path"))
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
|
|
@ -345,11 +351,11 @@ public class HttpSecurityRequestMatchersTests {
|
|||
static class RequestMatchersMvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/path")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
|
||||
.and()
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
|
|
@ -381,12 +387,12 @@ public class HttpSecurityRequestMatchersTests {
|
|||
static class RequestMatchersMvcMatcherInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.mvcMatchers("/path")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
|
||||
)
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
|
|
@ -415,12 +421,14 @@ public class HttpSecurityRequestMatchersTests {
|
|||
static class RequestMatchersMvcMatcherServeltPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
mvcMatcherBuilder.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/path").servletPath("/spring")
|
||||
.mvcMatchers("/never-match")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
|
||||
.requestMatchers("/never-match")
|
||||
.and()
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
|
|
@ -452,13 +460,15 @@ public class HttpSecurityRequestMatchersTests {
|
|||
static class RequestMatchersMvcMatcherServletPathInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
mvcMatcherBuilder.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.mvcMatchers("/path").servletPath("/spring")
|
||||
.mvcMatchers("/never-match")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
|
||||
.requestMatchers("/never-match")
|
||||
)
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||
|
|
@ -91,6 +92,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -98,7 +100,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/type").anonymous()
|
||||
.requestMatchers("/type").anonymous()
|
||||
.anyRequest().denyAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
@ -131,6 +133,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousGrantedAuthorityConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -138,7 +141,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/type").hasRole("ANON")
|
||||
.requestMatchers("/type").hasRole("ANON")
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous()
|
||||
|
|
@ -151,6 +154,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousKeyConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -158,7 +162,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/key").anonymous()
|
||||
.requestMatchers("/key").anonymous()
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous().key("AnonymousKeyConfig");
|
||||
|
|
@ -170,6 +174,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousUsernameConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -177,7 +182,7 @@ public class NamespaceHttpAnonymousTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/principal").anonymous()
|
||||
.requestMatchers("/principal").anonymous()
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous().principal("AnonymousUsernameConfig");
|
||||
|
|
|
|||
|
|
@ -37,6 +37,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
|
|||
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.spy;
|
||||
|
|
@ -111,11 +112,12 @@ public class NamespaceHttpFormLoginTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FormLoginConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde
|
|||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
|
|
@ -110,25 +111,26 @@ public class NamespaceHttpInterceptUrlTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class HttpInterceptUrlConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests().antMatchers(
|
||||
.authorizeRequests().requestMatchers(
|
||||
// the line below is similar to intercept-url@pattern:
|
||||
// <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
|
||||
//" access="hasRole('ROLE_ADMIN')"/>
|
||||
"/users**", "/sessions/**").hasRole("ADMIN").antMatchers(
|
||||
"/users**", "/sessions/**").hasRole("ADMIN").requestMatchers(
|
||||
// the line below is similar to intercept-url@method:
|
||||
// <intercept-url pattern="/admin/post" access="hasRole('ROLE_ADMIN')" method="POST"/>
|
||||
//" access="hasRole('ROLE_ADMIN')" method="POST"/>
|
||||
HttpMethod.POST, "/admin/post", "/admin/another-post/**").hasRole("ADMIN")
|
||||
.antMatchers("/signup").permitAll()
|
||||
.requestMatchers("/signup").permitAll()
|
||||
.anyRequest().hasRole("USER")
|
||||
.and()
|
||||
.requiresChannel().antMatchers("/login", "/secured/**")
|
||||
.requiresChannel().requestMatchers("/login", "/secured/**")
|
||||
// NOTE: channel security is configured separately of authorization (i.e. intercept-url@access
|
||||
// the line below is similar to intercept-url@requires-channel="https":
|
||||
// <intercept-url pattern="/login" requires-channel="https"/>
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
|||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
||||
|
|
@ -62,6 +63,7 @@ public class NamespaceHttpPortMappingsTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class HttpInterceptUrlWithPortMapperConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -75,7 +77,7 @@ public class NamespaceHttpPortMappingsTests {
|
|||
.http(9080).mapsTo(9443)
|
||||
.and()
|
||||
.requiresChannel()
|
||||
.antMatchers("/login", "/secured/**").requiresSecure()
|
||||
.requestMatchers("/login", "/secured/**").requiresSecure()
|
||||
.anyRequest().requiresInsecure();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.RememberMeServices;
|
|||
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
|
||||
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
|
||||
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
|
|
@ -351,7 +352,7 @@ public class NamespaceRememberMeTests {
|
|||
SecurityFilterChain withoutKeyFilterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.antMatcher("/without-key/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/without-key/**"))
|
||||
.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
|
||||
.formLogin()
|
||||
.loginProcessingUrl("/without-key/login")
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
|
|||
import org.springframework.security.config.test.SpringTestContext;
|
||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
|
|
@ -77,11 +78,11 @@ public class RequestMatcherConfigurerTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/api/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
.and()
|
||||
.requestMatchers()
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
|
|
@ -99,13 +100,13 @@ public class RequestMatcherConfigurerTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.antMatchers("/api/**")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
)
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
)
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
|
|
|
|||
|
|
@ -41,12 +41,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
|||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
|
|
@ -176,12 +178,13 @@ public class UrlAuthorizationConfigurerTests {
|
|||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
|
||||
HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
|
||||
.mvcMatchers("/path").hasRole("ADMIN");
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path")).hasRole("ADMIN");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -209,12 +212,15 @@ public class UrlAuthorizationConfigurerTests {
|
|||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
|
||||
HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher mvcRequestMatcher = new MvcRequestMatcher(introspector, "/path");
|
||||
mvcRequestMatcher.setServletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
|
||||
.mvcMatchers("/path").servletPath("/spring").hasRole("ADMIN");
|
||||
.requestMatchers(mvcRequestMatcher).hasRole("ADMIN");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
|
@ -274,9 +280,9 @@ public class UrlAuthorizationConfigurerTests {
|
|||
http
|
||||
.httpBasic(Customizer.withDefaults())
|
||||
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
|
||||
.mvcMatchers("/test-1").hasRole("ADMIN")
|
||||
.mvcMatchers("/test-2").hasRole("ADMIN")
|
||||
.mvcMatchers("/test-3").hasRole("ADMIN")
|
||||
.requestMatchers("/test-1").hasRole("ADMIN")
|
||||
.requestMatchers("/test-2").hasRole("ADMIN")
|
||||
.requestMatchers("/test-3").hasRole("ADMIN")
|
||||
.anyRequest().hasRole("USER");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
|||
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||
import org.springframework.test.context.junit.jupiter.SpringExtension;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
|
|
@ -133,6 +134,7 @@ public class UrlAuthorizationsTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RoleConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -140,12 +142,12 @@ public class UrlAuthorizationsTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
|
||||
.antMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
|
||||
.antMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
|
||||
.antMatchers("/role-user").hasAnyRole("USER")
|
||||
.antMatchers("/role-admin").hasAnyRole("ADMIN")
|
||||
.antMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
|
||||
.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
|
||||
.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
|
||||
.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
|
||||
.requestMatchers("/role-user").hasAnyRole("USER")
|
||||
.requestMatchers("/role-admin").hasAnyRole("ADMIN")
|
||||
.requestMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
@ -154,6 +156,7 @@ public class UrlAuthorizationsTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class NoSpecificAccessDecisionManagerConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -162,7 +165,7 @@ public class UrlAuthorizationsTests {
|
|||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry();
|
||||
// @formatter:off
|
||||
registry
|
||||
.antMatchers("/a").hasRole("ADMIN")
|
||||
.requestMatchers("/a").hasRole("ADMIN")
|
||||
.anyRequest().hasRole("USER");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
|
|
|||
|
|
@ -147,6 +147,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.client.RestOperations;
|
||||
import org.springframework.web.context.support.GenericWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
|
@ -1494,6 +1495,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DefaultConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1501,7 +1503,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
|
@ -1514,6 +1516,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DefaultInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1522,7 +1525,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
|
|
@ -1537,6 +1540,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class JwkSetUriConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
|
|
@ -1547,7 +1551,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
|
@ -1561,6 +1565,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class JwkSetUriInLambdaConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
|
|
@ -1572,7 +1577,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
|
|
@ -1590,6 +1595,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CsrfDisabledConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
|
|
@ -1600,7 +1606,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.csrf().disable()
|
||||
|
|
@ -1787,6 +1793,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CustomAuthorityMappingConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -1794,7 +1801,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')")
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
|
|
@ -2326,6 +2333,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -2333,7 +2341,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
|
@ -2346,6 +2354,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -2354,7 +2363,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
|
|
@ -2540,6 +2549,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenAuthenticationConverterConfig {
|
||||
|
||||
@Bean
|
||||
|
|
@ -2547,7 +2557,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
|||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
|
||||
import org.springframework.security.web.DefaultSecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
|
|
@ -43,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(this.permitAllPattern).permitAll()
|
||||
.requestMatchers(new AntPathRequestMatcher(this.permitAllPattern)).permitAll()
|
||||
.anyRequest().authenticated();
|
||||
// @formatter:on
|
||||
if (http.getConfigurer(FormLoginConfigurer.class) == null) {
|
||||
|
|
|
|||
|
|
@ -255,36 +255,6 @@ class CsrfDslTests {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `CSRF when ignoring ant matchers then CSRF disabled on matching requests`() {
|
||||
this.spring.register(IgnoringAntMatchersConfig::class.java, BasicController::class.java).autowire()
|
||||
|
||||
this.mockMvc.post("/test1")
|
||||
.andExpect {
|
||||
status { isForbidden() }
|
||||
}
|
||||
|
||||
this.mockMvc.post("/test2")
|
||||
.andExpect {
|
||||
status { isOk() }
|
||||
}
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
open class IgnoringAntMatchersConfig {
|
||||
@Bean
|
||||
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
csrf {
|
||||
requireCsrfProtectionMatcher = AntPathRequestMatcher("/**")
|
||||
ignoringAntMatchers("/test2")
|
||||
}
|
||||
}
|
||||
return http.build()
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
fun `CSRF when ignoring request matchers pattern then CSRF disabled on matching requests`() {
|
||||
this.spring.register(IgnoringRequestMatchersPatternConfig::class.java, BasicController::class.java).autowire()
|
||||
|
|
|
|||
|
|
@ -85,9 +85,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|||
http
|
||||
// ...
|
||||
.authorizeRequests(authorize -> authorize // <1>
|
||||
.mvcMatchers("/resources/**", "/signup", "/about").permitAll() // <2>
|
||||
.mvcMatchers("/admin/**").hasRole("ADMIN") // <3>
|
||||
.mvcMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
|
||||
.requestMatchers("/resources/**", "/signup", "/about").permitAll() // <2>
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN") // <3>
|
||||
.requestMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // <4>
|
||||
.anyRequest().denyAll() // <5>
|
||||
);
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -26,3 +26,5 @@ You can configure a different `RequestMatcher` by using the https://docs.spring.
|
|||
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
|
||||
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
|
||||
Or use `use-authorization-manager="false"`
|
||||
* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
|
||||
Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
|
||||
|
|
|
|||
|
|
@ -35,6 +35,7 @@ import org.springframework.test.context.web.WebAppConfiguration;
|
|||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
||||
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
|
||||
|
|
@ -111,6 +112,7 @@ public class Sec2935Tests {
|
|||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
@EnableWebMvc
|
||||
static class Config {
|
||||
|
||||
@Bean
|
||||
|
|
@ -118,7 +120,7 @@ public class Sec2935Tests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.httpBasic();
|
||||
|
|
|
|||
|
|
@ -153,7 +153,7 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2LoginTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.anyRequest().hasAuthority("SCOPE_read")
|
||||
).oauth2Login();
|
||||
return http.build();
|
||||
|
|
|
|||
|
|
@ -155,7 +155,7 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.anyRequest().hasAuthority("SCOPE_read")
|
||||
.and()
|
||||
.oauth2Login();
|
||||
|
|
|
|||
|
|
@ -127,7 +127,7 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
|
||||
.anyRequest().hasAuthority("SCOPE_read")
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ public class Gh3409Tests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/public/**").permitAll()
|
||||
.requestMatchers("/public/**").permitAll()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin().and()
|
||||
|
|
|
|||
|
|
@ -96,7 +96,7 @@ public class DefaultfSecurityRequestsTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.httpBasic();
|
||||
|
|
|
|||
|
|
@ -113,7 +113,7 @@ public class SecurityRequestsTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin();
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ public class WithUserAuthenticationTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin();
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ public class WithUserClassLevelAuthenticationTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.httpBasic();
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ public class WithUserDetailsAuthenticationTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin();
|
||||
|
|
|
|||
|
|
@ -87,7 +87,7 @@ public class WithUserDetailsClassLevelAuthenticationTests {
|
|||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin/**").hasRole("ADMIN")
|
||||
.requestMatchers("/admin/**").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin();
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
|
|||
import org.springframework.security.web.csrf.CsrfFilter;
|
||||
import org.springframework.security.web.csrf.CsrfTokenRepository;
|
||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
|
@ -225,7 +226,7 @@ public class WebTestUtilsTests {
|
|||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.antMatcher("/willnotmatchthis");
|
||||
.securityMatcher(new AntPathRequestMatcher("/willnotmatchthis"));
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue