FilterSecurityInterceptor applies to every request by default

Closes gh-11466
This commit is contained in:
Marcus Da Coregio 2022-07-12 09:04:39 -03:00
parent 2c0a4337a8
commit 6455e98745
7 changed files with 25 additions and 8 deletions


@ -375,7 +375,7 @@ http.attlist &=
## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter. ## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
attribute entry-point-ref {xsd:token}? attribute entry-point-ref {xsd:token}?
http.attlist &= http.attlist &=
## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true" ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
attribute once-per-request {xsd:boolean}? attribute once-per-request {xsd:boolean}?
http.attlist &= http.attlist &=
## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled). ## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).


@ -1335,7 +1335,7 @@
<xs:attribute name="once-per-request" type="xs:boolean"> <xs:attribute name="once-per-request" type="xs:boolean">
<xs:annotation> <xs:annotation>
<xs:documentation>Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults <xs:documentation>Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults
to "true" to "false"
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
@ -3729,4 +3729,4 @@
<xs:enumeration value="LAST"/> <xs:enumeration value="LAST"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:schema> </xs:schema>


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -853,7 +853,7 @@ public class MiscHttpConfigTests {
assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class); assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class); assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class) assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
.hasFieldOrPropertyWithValue("observeOncePerRequest", true); .hasFieldOrPropertyWithValue("observeOncePerRequest", false);
} }
private <T extends Filter> T getFilter(Class<T> filterClass) { private <T extends Filter> T getFilter(Class<T> filterClass) {


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- <!--
~ Copyright 2002-2018 the original author or authors. ~ Copyright 2002-2022 the original author or authors.
~ ~
~ Licensed under the Apache License, Version 2.0 (the "License"); ~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License. ~ you may not use this file except in compliance with the License.
@ -28,6 +28,7 @@
https://www.springframework.org/schema/mvc/spring-mvc.xsd"> https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<http auto-config="true" security-context-holder-strategy-ref="ref"> <http auto-config="true" security-context-holder-strategy-ref="ref">
<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />
<intercept-url pattern="/**" access="authenticated"/> <intercept-url pattern="/**" access="authenticated"/>
</http> </http>
@ -37,6 +38,10 @@
</b:constructor-arg> </b:constructor-arg>
</b:bean> </b:bean>
<b:bean id="dispatcherTypeMatcher" class="org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher">
<b:constructor-arg value="ASYNC"/>
</b:bean>
<mvc:annotation-driven> <mvc:annotation-driven>
<mvc:argument-resolvers> <mvc:argument-resolvers>
<b:bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver"> <b:bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver">
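Review bot: The new `<intercept-url request-matcher-ref="dispatcherTypeMatcher" access="permitAll" />` carries no explanation of why ASYNC dispatches are exempted, and it only works because it is declared before the `/**` rule; a reader copying this fixture could reorder it and silently lose the exemption. Suggest a comment directly above the rule: `<!-- once-per-request now defaults to false, so the ASYNC re-dispatch passes through authorization again; permit it explicitly here (this rule must stay before /**) -->`. Worth noting in that comment, too, that a bare dispatcher-type `permitAll` bypasses the `/**` rule for every ASYNC dispatch, which is fine for a test config but in a production context the matcher would presumably be combined with a path restriction.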


@ -94,7 +94,7 @@ A bean identifier, used for referring to the bean elsewhere in the context.
[[nsa-http-once-per-request]] [[nsa-http-once-per-request]]
* **once-per-request** * **once-per-request**
Corresponds to the `observeOncePerRequest` property of `FilterSecurityInterceptor`. Corresponds to the `observeOncePerRequest` property of `FilterSecurityInterceptor`.
Defaults to `true`. Defaults to `false`.
[[nsa-http-pattern]] [[nsa-http-pattern]]


@ -48,7 +48,7 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor imple
private FilterInvocationSecurityMetadataSource securityMetadataSource; private FilterInvocationSecurityMetadataSource securityMetadataSource;
private boolean observeOncePerRequest = true; private boolean observeOncePerRequest = false;
/** /**
* Not used (we rely on IoC container lifecycle services instead) * Not used (we rely on IoC container lifecycle services instead)
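Review bot: The flipped default on `private boolean observeOncePerRequest = false;` is undocumented at the field, so nothing here tells a reader that dispatches which previously skipped this interceptor are now authorized again (the XML test in this commit adds a permitAll rule for ASYNC dispatches, which suggests at least that dispatch type is affected). A field-level Javadoc would make the contract visible: `/** When true, skip authorization if this interceptor has already run for the current request; defaults to false so every dispatch through the filter chain is authorized. */`. Because a re-dispatch that used to pass can now be denied, this is a behavior change applications may need to compensate for with explicit rules, and I cannot see whether a migration note covers it. The enclosing class, its constructor and the property setter are outside the hunk.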


@ -50,6 +50,7 @@ import static org.mockito.BDDMockito.given;
import static org.mockito.BDDMockito.willThrow; import static org.mockito.BDDMockito.willThrow;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never; import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.verifyZeroInteractions;
@ -174,6 +175,17 @@ public class FilterSecurityInterceptorTests {
assertThat(request.getAttributeNames().hasMoreElements()).isFalse(); assertThat(request.getAttributeNames().hasMoreElements()).isFalse();
} }
@Test
public void doFilterWhenObserveOncePerRequestFalseAndInvokedTwiceThenObserveTwice() throws Throwable {
Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
SecurityContextHolder.getContext().setAuthentication(token);
FilterInvocation fi = createinvocation();
given(this.ods.getAttributes(fi)).willReturn(SecurityConfig.createList("MOCK_OK"));
this.interceptor.invoke(fi);
this.interceptor.invoke(fi);
verify(this.adm, times(2)).decide(any(), any(), any());
}
private FilterInvocation createinvocation() { private FilterInvocation createinvocation() {
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
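Review bot: `doFilterWhenObserveOncePerRequestFalseAndInvokedTwiceThenObserveTwice` never sets the property it is named after; it relies on the changed default, so it would pass for the wrong reason if a setUp outside the hunk ever configured the interceptor differently. Make the precondition explicit with `this.interceptor.setObserveOncePerRequest(false);` before the first `invoke` (assuming the setter exists, as the `observeOncePerRequest` property documentation in this commit suggests), and add the mirror case that sets it to `true` and verifies `times(1)` so both sides of the flag stay covered. The test also leaves the token in `SecurityContextHolder`; unless a tearDown outside the hunk clears it, end with `SecurityContextHolder.clearContext();` so it cannot leak into later tests.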