From 6455e987456a806b2fe84dcc747e824ed971631f Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Tue, 12 Jul 2022 09:04:39 -0300
Subject: [PATCH] FilterSecurityInterceptor applies to every request by default

Closes gh-11466
---
 .../security/config/spring-security-6.0.rnc | 2 +-
 .../security/config/spring-security-6.0.xsd | 4 ++--
 .../security/config/http/MiscHttpConfigTests.java | 4 ++--
 ...ConfigTests-WithSecurityContextHolderStrategy.xml | 7 ++++++-
 .../ROOT/pages/servlet/appendix/namespace/http.adoc | 2 +-
 .../access/intercept/FilterSecurityInterceptor.java | 2 +-
 .../intercept/FilterSecurityInterceptorTests.java | 12 ++++++++++++
 7 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
index 8b70128c5f..8ba76147ea 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -375,7 +375,7 @@ http.attlist &=
 ## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
 attribute entry-point-ref {xsd:token}?
 http.attlist &=
- ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
+ ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
 attribute once-per-request {xsd:boolean}?
 http.attlist &=
 ## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
index b8211479bc..cb2adffba3 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
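Review bot: The `once-per-request` comment in spring-security-6.0.rnc records the new default but not what the attribute does, so a reader of the schema cannot tell that this is a security-relevant switch. As I understand `observeOncePerRequest`, `false` means the authorization check runs on every dispatch of a request, while an explicit `true` skips the check once it has already run for that request; this should be confirmed against FilterSecurityInterceptor, which is outside this hunk. I would add one sentence to the comment before the default, for example `When "true", authorization is checked only once per request and is not repeated on later dispatches of the same request.`, and mirror it in the .xsd description and in http.adoc. Configurations that relied on the old implicit default change behaviour on upgrade, and the diffstat suggests http.adoc changes only the default value, so the schema comment is where many XML users will first see it.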
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd @@ -1335,7 +1335,7 @@ Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults - to "true" + to "false" @@ -3729,4 +3729,4 @@ - \ No newline at end of file + diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java index f2254a90f3..9e7dacc051 100644 --- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -853,7 +853,7 @@ public class MiscHttpConfigTests { assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class); assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class); assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class) - .hasFieldOrPropertyWithValue("observeOncePerRequest", true); + .hasFieldOrPropertyWithValue("observeOncePerRequest", false); } private T getFilter(Class filterClass) { diff --git a/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml index b89d3b380b..ccbedeb90b 100644 --- a/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml +++ b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-WithSecurityContextHolderStrategy.xml @@ -1,6 +1,6 @@