Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Defer Anonymous Filter Construction 

By delaying when the AnonymousAuthenticationFilter is constructed,
it's now possible to call the principal and filter methods inside
of a custom DSL implementation.

This does not extend to setting the key or the authentication provider
though, as these must be set during the init phase.

Closes gh-14941
This commit is contained in:
Josh Cummings 2024-04-24 16:34:08 -06:00
parent 82ea0850ff
commit 664dfd9b45
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 50 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -53,6 +53,8 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"); private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
private String computedKey;
/** /**
* Creates a new instance * Creates a new instance
* @see HttpSecurity#anonymous() * @see HttpSecurity#anonymous()
@ -144,26 +146,31 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
if (this.authenticationProvider == null) { if (this.authenticationProvider == null) {
this.authenticationProvider = new AnonymousAuthenticationProvider(getKey()); this.authenticationProvider = new AnonymousAuthenticationProvider(getKey());
} }
if (this.authenticationFilter == null) {
this.authenticationFilter = new AnonymousAuthenticationFilter(getKey(), this.principal, this.authorities);
this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
}
this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
this.authenticationProvider = postProcess(this.authenticationProvider); this.authenticationProvider = postProcess(this.authenticationProvider);
http.authenticationProvider(this.authenticationProvider); http.authenticationProvider(this.authenticationProvider);
} }
@Override @Override
public void configure(H http) { public void configure(H http) {
if (this.authenticationFilter == null) {
this.authenticationFilter = new AnonymousAuthenticationFilter(getKey(), this.principal, this.authorities);
}
this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
this.authenticationFilter.afterPropertiesSet(); this.authenticationFilter.afterPropertiesSet();
http.addFilter(this.authenticationFilter); http.addFilter(this.authenticationFilter);
} }
private String getKey() { private String getKey() {
if (this.key == null) { if (this.computedKey != null) {
this.key = UUID.randomUUID().toString(); return this.computedKey;
} }
return this.key; if (this.key == null) {
this.computedKey = UUID.randomUUID().toString();
}
else {
this.computedKey = this.key;
}
return this.computedKey;
} }
} }

35
config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -94,6 +94,13 @@ public class AnonymousConfigurerTests {
this.mockMvc.perform(get("/")).andExpect(status().isOk()); this.mockMvc.perform(get("/")).andExpect(status().isOk());
} }
// gh-14941
@Test
public void shouldReturnMyCustomAnonymousConfig() throws Exception {
this.spring.register(AnonymousInCustomConfigurer.class, PrincipalController.class).autowire();
this.mockMvc.perform(get("/")).andExpect(status().isOk()).andExpect(content().string("myAnonymousUser"));
}
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
@EnableWebMvc @EnableWebMvc
@ -181,6 +188,32 @@ public class AnonymousConfigurerTests {
} }
@Configuration
@EnableWebMvc
@EnableWebSecurity
static class AnonymousInCustomConfigurer {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
.with(new CustomDsl(), withDefaults());
// @formatter:on
return http.build();
}
static class CustomDsl extends AbstractHttpConfigurer<CustomDsl, HttpSecurity> {
@Override
public void init(HttpSecurity http) throws Exception {
http.anonymous((anonymous) -> anonymous.principal("myAnonymousUser"));
}
}
}
@RestController @RestController
static class PrincipalController { static class PrincipalController {