Add Option to Filter All Dispatcher Types
Closes gh-11092
This commit is contained in:
parent
da7db704eb
commit
84b5c76a7b
|
@ -85,6 +85,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
|
|||
AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
|
||||
authorizationFilter.setAuthorizationEventPublisher(this.publisher);
|
||||
authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
|
||||
http.addFilter(postProcess(authorizationFilter));
|
||||
}
|
||||
|
||||
|
@ -117,6 +118,8 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
|
|||
|
||||
private int mappingCount;
|
||||
|
||||
private boolean shouldFilterAllDispatcherTypes = false;
|
||||
|
||||
private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
|
||||
setApplicationContext(context);
|
||||
}
|
||||
|
@ -170,6 +173,19 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether all dispatcher types should be filtered.
|
||||
* @param shouldFilter should filter all dispatcher types. Default is
|
||||
* {@code false}
|
||||
* @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
|
||||
* customizations
|
||||
* @since 5.7
|
||||
*/
|
||||
public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
|
||||
this.shouldFilterAllDispatcherTypes = shouldFilter;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the {@link HttpSecurityBuilder} when done using the
|
||||
* {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.
|
||||
|
|
|
@ -169,3 +169,25 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
|
|||
}
|
||||
----
|
||||
====
|
||||
|
||||
By default, the `AuthorizationFilter` does not apply to `DispatcherType.ERROR` and `DispatcherType.ASYNC`.
|
||||
We can configure Spring Security to apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
|
||||
|
||||
.Set shouldFilterAllDispatcherTypes to true
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
SecurityFilterChain web(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.shouldFilterAllDispatcherTypes(true)
|
||||
.anyRequest.authenticated()
|
||||
)
|
||||
// ...
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
====
|
||||
|
|
|
@ -50,6 +50,8 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
|||
|
||||
private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;
|
||||
|
||||
private boolean shouldFilterAllDispatcherTypes = false;
|
||||
|
||||
/**
|
||||
* Creates an instance.
|
||||
* @param authorizationManager the {@link AuthorizationManager} to use
|
||||
|
@ -80,6 +82,22 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
|||
return authentication;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response,
|
||||
FilterChain filterChain) throws ServletException, IOException {
|
||||
doFilterInternal(request, response, filterChain);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean shouldNotFilterAsyncDispatch() {
|
||||
return !this.shouldFilterAllDispatcherTypes;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean shouldNotFilterErrorDispatch() {
|
||||
return !this.shouldFilterAllDispatcherTypes;
|
||||
}
|
||||
|
||||
/**
|
||||
* Use this {@link AuthorizationEventPublisher} to publish
|
||||
* {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s.
|
||||
|
@ -99,6 +117,16 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
|||
return this.authorizationManager;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether to filter all dispatcher types.
|
||||
* @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
|
||||
* is {@code false}
|
||||
* @since 5.7
|
||||
*/
|
||||
public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
|
||||
this.shouldFilterAllDispatcherTypes = shouldFilterAllDispatcherTypes;
|
||||
}
|
||||
|
||||
private static <T> void noPublish(Supplier<Authentication> authentication, T object,
|
||||
AuthorizationDecision decision) {
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;
|
|||
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import jakarta.servlet.DispatcherType;
|
||||
import jakarta.servlet.FilterChain;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
|
@ -37,6 +38,7 @@ import org.springframework.security.core.Authentication;
|
|||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
import org.springframework.web.util.WebUtils;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
@ -164,4 +166,67 @@ public class AuthorizationFilterTests {
|
|||
any(AuthorizationDecision.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenErrorThenDoNotFilter() throws Exception {
|
||||
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
mockRequest.setDispatcherType(DispatcherType.ERROR);
|
||||
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
|
||||
verifyNoInteractions(authorizationManager);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesThenFilter() throws Exception {
|
||||
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
|
||||
authorizationFilter.setShouldFilterAllDispatcherTypes(true);
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
mockRequest.setDispatcherType(DispatcherType.ERROR);
|
||||
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
|
||||
verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
|
||||
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
|
||||
authorizationFilter.setShouldFilterAllDispatcherTypes(true);
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
mockRequest.setDispatcherType(DispatcherType.ERROR);
|
||||
mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
|
||||
verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterNestedErrorDispatchWhenAuthorizationEventPublisherThenUses() throws Exception {
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(
|
||||
AuthenticatedAuthorizationManager.authenticated());
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
SecurityContext securityContext = new SecurityContextImpl();
|
||||
securityContext.setAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"));
|
||||
SecurityContextHolder.setContext(securityContext);
|
||||
|
||||
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
|
||||
authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
|
||||
authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
|
||||
verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
|
||||
any(AuthorizationDecision.class));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue