Change the default of shouldFilterAllDispatchTypes to true

Closes gh-11107
Marcus Da Coregio 2022-04-14 16:30:42 -03:00
parent 84b5c76a7b
commit 5367524030
4 changed files with 24 additions and 25 deletions


@ -118,7 +118,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
private int mappingCount; private int mappingCount;
private boolean shouldFilterAllDispatcherTypes = false; private boolean shouldFilterAllDispatcherTypes = true;
private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) { private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
setApplicationContext(context); setApplicationContext(context);
@ -175,8 +175,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
/** /**
* Sets whether all dispatcher types should be filtered. * Sets whether all dispatcher types should be filtered.
* @param shouldFilter should filter all dispatcher types. Default is * @param shouldFilter should filter all dispatcher types. Default is {@code true}
* {@code false}
* @return the {@link AuthorizationManagerRequestMatcherRegistry} for further * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
* customizations * customizations
* @since 5.7 * @since 5.7
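Review bot: The Javadoc for `shouldFilterAllDispatcherTypes` in the second hunk states only the new default and never says what a caller gives up by passing `false`. Going by the reference-doc wording changed in this same commit, `false` appears to leave `DispatcherType.ERROR` and `DispatcherType.ASYNC` dispatches outside the authorization rules, so I would add a sentence such as `When {@code false}, ERROR and ASYNC dispatches are not checked against the authorization rules.` The same gap is in the `setShouldFilterAllDispatcherTypes` Javadoc in `AuthorizationFilter`, where the default line is flipped in the same way. Since the default change also alters behaviour for existing configurations, a short upgrade note would help users whose error or async dispatches were previously unchecked. The Javadoc block and the method it documents continue past the end of this hunk.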


@ -170,10 +170,10 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
---- ----
==== ====
By default, the `AuthorizationFilter` does not apply to `DispatcherType.ERROR` and `DispatcherType.ASYNC`. By default, the `AuthorizationFilter` applies to all dispatcher types.
We can configure Spring Security to apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method: We can configure Spring Security to not apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
.Set shouldFilterAllDispatcherTypes to true .Set shouldFilterAllDispatcherTypes to false
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
@ -182,7 +182,7 @@ We can configure Spring Security to apply the authorization rules to all dispatc
SecurityFilterChain web(HttpSecurity http) throws Exception { SecurityFilterChain web(HttpSecurity http) throws Exception {
http http
.authorizeHttpRequests((authorize) -> authorize .authorizeHttpRequests((authorize) -> authorize
.shouldFilterAllDispatcherTypes(true) .shouldFilterAllDispatcherTypes(false)
.anyRequest.authenticated() .anyRequest.authenticated()
) )
// ... // ...


@ -50,7 +50,7 @@ public class AuthorizationFilter extends OncePerRequestFilter {
private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish; private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;
private boolean shouldFilterAllDispatcherTypes = false; private boolean shouldFilterAllDispatcherTypes = true;
/** /**
* Creates an instance. * Creates an instance.
@ -120,7 +120,7 @@ public class AuthorizationFilter extends OncePerRequestFilter {
/** /**
* Sets whether to filter all dispatcher types. * Sets whether to filter all dispatcher types.
* @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
* is {@code false} * is {@code true}
* @since 5.7 * @since 5.7
*/ */
public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) { public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {


@ -167,7 +167,7 @@ public class AuthorizationFilterTests {
} }
@Test @Test
public void doFilterWhenErrorThenDoNotFilter() throws Exception { public void doFilterWhenErrorThenDoFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class); AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager); AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path"); MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
@ -176,25 +176,25 @@ public class AuthorizationFilterTests {
MockHttpServletResponse mockResponse = new MockHttpServletResponse(); MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class); FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verify(authorizationManager).check(any(Supplier.class), eq(mockRequest));
}
@Test
public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesFalseThenDoNotFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
authorizationFilter.setShouldFilterAllDispatcherTypes(false);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain); authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verifyNoInteractions(authorizationManager); verifyNoInteractions(authorizationManager);
} }
@Test
public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesThenFilter() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
authorizationFilter.setShouldFilterAllDispatcherTypes(true);
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
mockRequest.setDispatcherType(DispatcherType.ERROR);
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
FilterChain mockFilterChain = mock(FilterChain.class);
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
}
@Test @Test
public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception { public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class); AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
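Review bot: The new default is pinned only for `DispatcherType.ERROR` in the tests visible here (`doFilterWhenErrorThenDoFilter` and its `...FalseThenDoNotFilter` counterpart). The reference docs in this commit name `DispatcherType.ASYNC` as the other dispatch that used to be skipped, so a regression that stopped authorizing async dispatches would not be caught by these tests. I would add an ASYNC counterpart that builds the filter with its default and verifies the `AuthorizationManager` is consulted; this assumes no such test already exists elsewhere in the class, which is not visible from this hunk. The last method in the hunk, `doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses`, continues past its end.

```java
@Test
public void doFilterWhenAsyncThenDoFilter() throws Exception {
	AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
	AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
	MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
	mockRequest.setDispatcherType(DispatcherType.ASYNC);
	MockHttpServletResponse mockResponse = new MockHttpServletResponse();
	FilterChain mockFilterChain = mock(FilterChain.class);
	authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
	verify(authorizationManager).check(any(Supplier.class), eq(mockRequest));
}
```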