From 81d3cf1e7b814c2abe304fd5f8461768d8a8f044 Mon Sep 17 00:00:00 2001 From: Eleftheria Stein Date: Wed, 3 Jul 2019 12:20:32 -0400 Subject: [PATCH] Allow configuration of authorize requests through nested builder Issue: gh-5557 --- .../annotation/web/builders/HttpSecurity.java | 156 +++++++++--- .../configurers/AuthorizeRequestsTests.java | 227 +++++++++++++++++- .../web/configurers/CorsConfigurerTests.java | 21 +- ...ingConfigurerAccessDeniedHandlerTests.java | 7 +- .../configurers/FormLoginConfigurerTests.java | 21 +- .../configurers/HttpBasicConfigurerTests.java | 7 +- .../web/configurers/JeeConfigurerTests.java | 21 +- .../configurers/NamespaceHttpBasicTests.java | 21 +- ...aceHttpServerAccessDeniedHandlerTests.java | 14 +- .../RememberMeConfigurerTests.java | 14 +- .../RequestCacheConfigurerTests.java | 21 +- 11 files changed, 435 insertions(+), 95 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index 7b1884b86b..e7397d9c04 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -548,9 +548,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .anyRequest().hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .anyRequest().hasRole("USER") + * ) * .formLogin(formLogin -> * formLogin * .permitAll() @@ -769,9 +770,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .jee(jee -> * jee * .mappableRoles("USER", "ADMIN") @@ -878,10 +880,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**") - * .hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .x509(withDefaults()); * } * } @@ -952,9 +954,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .formLogin(withDefaults()) * .rememberMe(withDefaults()); * } @@ -1042,6 +1045,91 @@ public final class HttpSecurity extends .getRegistry(); } + /** + * Allows restricting access based upon the {@link HttpServletRequest} using + * {@link RequestMatcher} implementations (i.e. via URL patterns). + * + *

Example Configurations

+ * + * The most basic example is to configure all URLs to require the role "ROLE_USER". + * The configuration below requires authentication to every URL and will grant access + * to both the user "admin" and "user". + * + *
+	 * @Configuration
+	 * @EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	@Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers("/**").hasRole("USER")
+	 * 			)
+	 * 			.formLogin(withDefaults());
+	 * 	}
+	 * }
+	 * 
+ * + * We can also configure multiple URLs. The configuration below requires + * authentication to every URL and will grant access to URLs starting with /admin/ to + * only the "admin" user. All other URLs either user can access. + * + *
+	 * @Configuration
+	 * @EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	@Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.antMatchers("/admin/**").hasRole("ADMIN")
+	 * 					.antMatchers("/**").hasRole("USER")
+	 * 			)
+	 * 			.formLogin(withDefaults());
+	 * 	}
+	 * }
+	 * 
+ * + * Note that the matchers are considered in order. Therefore, the following is invalid + * because the first matcher matches every request and will never get to the second + * mapping: + * + *
+	 * @Configuration
+	 * @EnableWebSecurity
+	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
+	 *
+	 * 	@Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		 http
+	 * 		 	.authorizeRequests(authorizeRequests ->
+	 * 		 		authorizeRequests
+	 * 			 		.antMatchers("/**").hasRole("USER")
+	 * 			 		.antMatchers("/admin/**").hasRole("ADMIN")
+	 * 		 	);
+	 * 	}
+	 * }
+	 * 
+ * + * @see #requestMatcher(RequestMatcher) + * + * @param authorizeRequestsCustomizer the {@link Customizer} to provide more options for + * the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry} + * @return the {@link HttpSecurity} for further customizations + * @throws Exception + */ + public HttpSecurity authorizeRequests(Customizer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) + throws Exception { + ApplicationContext context = getContext(); + authorizeRequestsCustomizer.customize(getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context)) + .getRegistry()); + return HttpSecurity.this; + } + /** * Allows configuring the Request Cache. For example, a protected page (/protected) * may be requested prior to authentication. The application will redirect the user to @@ -1075,9 +1163,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .requestCache(requestCache -> * requestCache.disable() * ); @@ -1124,9 +1213,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * // sample exception handling customization * .exceptionHandling(exceptionHandling -> * exceptionHandling @@ -1288,9 +1378,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .formLogin(withDefaults()) * // sample logout customization * .logout(logout -> @@ -1460,9 +1551,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .formLogin(withDefaults()); * } * } @@ -1478,9 +1570,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .formLogin(formLogin -> * formLogin * .usernameParameter("username") @@ -1717,9 +1810,10 @@ public final class HttpSecurity extends * @Override * protected void configure(HttpSecurity http) throws Exception { * http - * .authorizeRequests() - * .antMatchers("/**").hasRole("USER") - * .and() + * .authorizeRequests(authorizeRequests -> + * authorizeRequests + * .antMatchers("/**").hasRole("USER") + * ) * .httpBasic(withDefaults()); * } * } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java index 526f3b8657..b9fb86db21 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -49,6 +49,7 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.Mockito.spy; +import static org.springframework.security.config.Customizer.withDefaults; /** * @author Rob Winch @@ -113,6 +114,39 @@ public class AuthorizeRequestsTests { } } + @Test + public void postWhenPostDenyAllInLambdaThenRespondsWithForbidden() throws Exception { + loadConfig(AntMatchersNoPatternsInLambdaConfig.class); + this.request.setMethod("POST"); + + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); + } + + @EnableWebSecurity + @Configuration + static class AntMatchersNoPatternsInLambdaConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeRequests(authorizeRequests -> + authorizeRequests + .antMatchers(HttpMethod.POST).denyAll() + ); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + } + // SEC-2256 @Test public void antMatchersPathVariables() throws Exception { @@ -314,6 +348,66 @@ public class AuthorizeRequestsTests { } } + @Test + public void requestWhenMvcMatcherDenyAllThenRespondsWithUnauthorized() throws Exception { + loadConfig(MvcMatcherInLambdaConfig.class); + + this.request.setRequestURI("/path"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + + setup(); + + this.request.setRequestURI("/path.html"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + + setup(); + + this.request.setServletPath("/path/"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + } + + @EnableWebSecurity + @Configuration + @EnableWebMvc + static class MvcMatcherInLambdaConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .httpBasic(withDefaults()) + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/path").denyAll() + ); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + + @RestController + static class PathController { + @RequestMapping("/path") + public String path() { + return "path"; + } + } + } + @Test public void mvcMatcherServletPath() throws Exception { loadConfig(MvcMatcherServletPathConfig.class); @@ -391,6 +485,85 @@ public class AuthorizeRequestsTests { } } + @Test + public void requestWhenMvcMatcherServletPathDenyAllThenMatchesOnServletPath() throws Exception { + loadConfig(MvcMatcherServletPathInLambdaConfig.class); + + this.request.setServletPath("/spring"); + this.request.setRequestURI("/spring/path"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + + setup(); + + this.request.setServletPath("/spring"); + this.request.setRequestURI("/spring/path.html"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + + setup(); + + this.request.setServletPath("/spring"); + this.request.setRequestURI("/spring/path/"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + + setup(); + + this.request.setServletPath("/foo"); + this.request.setRequestURI("/foo/path"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + + setup(); + + this.request.setServletPath("/"); + this.request.setRequestURI("/path"); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + } + + @EnableWebSecurity + @Configuration + @EnableWebMvc + static class MvcMatcherServletPathInLambdaConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .httpBasic(withDefaults()) + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/path").servletPath("/spring").denyAll() + ); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + + @RestController + static class PathController { + @RequestMapping("/path") + public String path() { + return "path"; + } + } + } + @Test public void mvcMatcherPathVariables() throws Exception { loadConfig(MvcMatcherPathVariablesConfig.class); @@ -441,6 +614,58 @@ public class AuthorizeRequestsTests { } } + @Test + public void requestWhenMvcMatcherPathVariablesThenMatchesOnPathVariables() throws Exception { + loadConfig(MvcMatcherPathVariablesInLambdaConfig.class); + + this.request.setRequestURI("/user/user"); + + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + + this.setup(); + this.request.setRequestURI("/user/deny"); + + this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); + + assertThat(this.response.getStatus()) + .isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); + } + + @EnableWebSecurity + @Configuration + @EnableWebMvc + static class MvcMatcherPathVariablesInLambdaConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .httpBasic(withDefaults()) + .authorizeRequests(authorizeRequests -> + authorizeRequests + .mvcMatchers("/user/{userName}").access("#userName == 'user'") + ); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication(); + // @formatter:on + } + + @RestController + static class PathController { + @RequestMapping("/path") + public String path() { + return "path"; + } + } + } + @EnableWebSecurity @Configuration @EnableWebMvc diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java index b6bb33e58f..b880b3ef5b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java @@ -162,9 +162,10 @@ public class CorsConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .cors(withDefaults()); // @formatter:on } @@ -261,9 +262,10 @@ public class CorsConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .cors(withDefaults()); // @formatter:on } @@ -359,9 +361,10 @@ public class CorsConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .cors(withDefaults()); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java index b2f92d4247..ef1084cdbd 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java @@ -109,9 +109,10 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().denyAll() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().denyAll() + ) .exceptionHandling(exceptionHandling -> exceptionHandling .defaultAccessDeniedHandlerFor( diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java index ae5a2379e4..f7b9c1635e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java @@ -254,9 +254,10 @@ public class FormLoginConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .formLogin(withDefaults()); // @formatter:on } @@ -387,9 +388,10 @@ public class FormLoginConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .formLogin(formLogin -> formLogin .loginPage("/authenticate") @@ -458,9 +460,10 @@ public class FormLoginConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .formLogin(formLogin -> formLogin .loginProcessingUrl("/loginCheck") diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java index a6445aa35b..43d956b3e5 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java @@ -107,9 +107,10 @@ public class HttpBasicConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .httpBasic(withDefaults()); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java index c55ad59f47..57de13f087 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java @@ -151,9 +151,10 @@ public class JeeConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .jee(jee -> jee .mappableRoles("USER") @@ -185,9 +186,10 @@ public class JeeConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .jee(jee -> jee .mappableAuthorities("ROLE_USER") @@ -226,9 +228,10 @@ public class JeeConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .jee(jee -> jee .authenticatedUserDetailsService(authenticationUserDetailsService) diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java index 83d0508057..9a66e356fd 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java @@ -125,9 +125,10 @@ public class NamespaceHttpBasicTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .httpBasic(withDefaults()); // @formatter:on } @@ -174,9 +175,10 @@ public class NamespaceHttpBasicTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .httpBasic(httpBasicConfig -> httpBasicConfig.realmName("Custom Realm")); // @formatter:on } @@ -310,9 +312,10 @@ public class NamespaceHttpBasicTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .httpBasic(httpBasicConfig -> httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint)); // @formatter:on diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java index b6ddacb237..0aea788b3d 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java @@ -98,9 +98,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().denyAll() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().denyAll() + ) .exceptionHandling(exceptionHandling -> exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig") ); @@ -152,9 +153,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().denyAll() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().denyAll() + ) .exceptionHandling(exceptionHandling -> exceptionHandling.accessDeniedHandler(accessDeniedHandler()) ); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java index 84c9ec8816..1e3ee6018d 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java @@ -320,9 +320,10 @@ public class RememberMeConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .formLogin(withDefaults()) .rememberMe(withDefaults()); // @formatter:on @@ -394,9 +395,10 @@ public class RememberMeConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().hasRole("USER") - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().hasRole("USER") + ) .formLogin(withDefaults()) .rememberMe(rememberMe -> rememberMe diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java index c21aca1162..7b16123165 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java @@ -291,9 +291,10 @@ public class RequestCacheConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .formLogin(withDefaults()) .requestCache(RequestCacheConfigurer::disable); // @formatter:on @@ -318,9 +319,10 @@ public class RequestCacheConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .formLogin(withDefaults()) .requestCache(withDefaults()); // @formatter:on @@ -345,9 +347,10 @@ public class RequestCacheConfigurerTests { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests() - .anyRequest().authenticated() - .and() + .authorizeRequests(authorizeRequests -> + authorizeRequests + .anyRequest().authenticated() + ) .formLogin(withDefaults()) .requestCache(requestCache -> requestCache