Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-28 14:52:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implemented AuthorizeHttpRequestsConfigurer to consider GrantedAuthorityDefaults for custom rolePrefix

Browse Source 
Closes gh-13215
This commit is contained in:
kandaguru17 2023-05-30 16:12:42 +12:00 committed by Marcus Da Coregio
parent c5461b17de
commit 401058d5ff
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
View File

@ -35,6 +35,7 @@ import org.springframework.security.authorization.SpringAuthorizationEventPublis
import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry; import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext; import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager; import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
@ -62,11 +63,22 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
private final Supplier<RoleHierarchy> roleHierarchy; private final Supplier<RoleHierarchy> roleHierarchy;
private final String rolePrefix;
/** /**
* Creates an instance. * Creates an instance.
* @param context the {@link ApplicationContext} to use * @param context the {@link ApplicationContext} to use
*/ */
public AuthorizeHttpRequestsConfigurer(ApplicationContext context) { public AuthorizeHttpRequestsConfigurer(ApplicationContext context) {
String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
if (grantedAuthorityDefaultsBeanNames.length == 1) {
GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0],
GrantedAuthorityDefaults.class);
this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
}
else {
this.rolePrefix = "ROLE_";
}
this.registry = new AuthorizationManagerRequestMatcherRegistry(context); this.registry = new AuthorizationManagerRequestMatcherRegistry(context);
if (context.getBeanNamesForType(AuthorizationEventPublisher.class).length > 0) { if (context.getBeanNamesForType(AuthorizationEventPublisher.class).length > 0) {
this.publisher = context.getBean(AuthorizationEventPublisher.class); this.publisher = context.getBean(AuthorizationEventPublisher.class);
@ -279,7 +291,8 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
* customizations * customizations
*/ */
public AuthorizationManagerRequestMatcherRegistry hasRole(String role) { public AuthorizationManagerRequestMatcherRegistry hasRole(String role) {
return access(withRoleHierarchy(AuthorityAuthorizationManager.hasRole(role))); return access(withRoleHierarchy(AuthorityAuthorizationManager
.hasAuthority(AuthorizeHttpRequestsConfigurer.this.rolePrefix + role)));
} }
/** /**

28
config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
View File

@ -37,6 +37,7 @@ import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry; import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.AuthorityUtils;
@ -475,6 +476,17 @@ public class AuthorizeHttpRequestsConfigurerTests {
this.mvc.perform(requestWithRoleOther).andExpect(status().isForbidden()); this.mvc.perform(requestWithRoleOther).andExpect(status().isForbidden());
} }
@Test
public void getWhenRoleUserConfiguredAsGrantedAuthorityDefaultThenRespondsWithOk() throws Exception {
this.spring.register(GrantedAuthorityDefaultConfig.class, BasicController.class).autowire();
// @formatter:off
MockHttpServletRequestBuilder requestWithUser = get("/")
.with(user("user")
.authorities(new SimpleGrantedAuthority("CUSTOM_PREFIX_USER")));
// @formatter:on
this.mvc.perform(requestWithUser).andExpect(status().isOk());
}
@Test @Test
public void getWhenExpressionHasIpAddressLocalhostConfiguredIpAddressIsLocalhostThenRespondsWithOk() public void getWhenExpressionHasIpAddressLocalhostConfiguredIpAddressIsLocalhostThenRespondsWithOk()
throws Exception { throws Exception {
@ -557,6 +569,22 @@ public class AuthorizeHttpRequestsConfigurerTests {
this.mvc.perform(requestWithUser).andExpect(status().isForbidden()); this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
} }
@Configuration
@EnableWebSecurity
static class GrantedAuthorityDefaultConfig {
@Bean
GrantedAuthorityDefaults grantedAuthorityDefaults() {
return new GrantedAuthorityDefaults("CUSTOM_PREFIX_");
}
@Bean
SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
return http.authorizeHttpRequests((c) -> c.anyRequest().hasRole("USER")).build();
}
}
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
static class NoRequestsConfig { static class NoRequestsConfig {