Add Option to Filter All Dispatcher Types

Closes gh-11092
2022-04-11 15:16:16 -03:00 · 2022-04-11 15:16:16 -03:00 · 84b5c76a7b
parent da7db704eb
commit 84b5c76a7b
4 changed files with 132 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
@ -85,6 +85,7 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.registry.createAuthorizationManager();
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		authorizationFilter.setAuthorizationEventPublisher(this.publisher);
+		authorizationFilter.setShouldFilterAllDispatcherTypes(this.registry.shouldFilterAllDispatcherTypes);
 		http.addFilter(postProcess(authorizationFilter));
 	}

@ -117,6 +118,8 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder

 		private int mappingCount;

+		private boolean shouldFilterAllDispatcherTypes = false;
+
 		private AuthorizationManagerRequestMatcherRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
@ -170,6 +173,19 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 			return this;
 		}

+		/**
+		 * Sets whether all dispatcher types should be filtered.
+		 * @param shouldFilter should filter all dispatcher types. Default is
+		 * {@code false}
+		 * @return the {@link AuthorizationManagerRequestMatcherRegistry} for further
+		 * customizations
+		 * @since 5.7
+		 */
+		public AuthorizationManagerRequestMatcherRegistry shouldFilterAllDispatcherTypes(boolean shouldFilter) {
+			this.shouldFilterAllDispatcherTypes = shouldFilter;
+			return this;
+		}
+
 		/**
 		 * Return the {@link HttpSecurityBuilder} when done using the
 		 * {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.
--- a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
@ -169,3 +169,25 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 }
 ----
 ====
+
+By default, the `AuthorizationFilter` does not apply to `DispatcherType.ERROR` and `DispatcherType.ASYNC`.
+We can configure Spring Security to apply the authorization rules to all dispatcher types by using the `shouldFilterAllDispatcherTypes` method:
+
+.Set shouldFilterAllDispatcherTypes to true
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityFilterChain web(HttpSecurity http) throws Exception {
+    http
+        .authorizeHttpRequests((authorize) -> authorize
+            .shouldFilterAllDispatcherTypes(true)
+            .anyRequest.authenticated()
+        )
+        // ...
+
+    return http.build();
+}
+----
+====
--- a/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java
@ -50,6 +50,8 @@ public class AuthorizationFilter extends OncePerRequestFilter {

 	private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;

+	private boolean shouldFilterAllDispatcherTypes = false;
+
 	/**
 	 * Creates an instance.
 	 * @param authorizationManager the {@link AuthorizationManager} to use
@ -80,6 +82,22 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 		return authentication;
 	}

+	@Override
+	protected void doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response,
+			FilterChain filterChain) throws ServletException, IOException {
+		doFilterInternal(request, response, filterChain);
+	}
+
+	@Override
+	protected boolean shouldNotFilterAsyncDispatch() {
+		return !this.shouldFilterAllDispatcherTypes;
+	}
+
+	@Override
+	protected boolean shouldNotFilterErrorDispatch() {
+		return !this.shouldFilterAllDispatcherTypes;
+	}
+
 	/**
 	 * Use this {@link AuthorizationEventPublisher} to publish
 	 * {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s.
@ -99,6 +117,16 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 		return this.authorizationManager;
 	}

+	/**
+	 * Sets whether to filter all dispatcher types.
+	 * @param shouldFilterAllDispatcherTypes should filter all dispatcher types. Default
+	 * is {@code false}
+	 * @since 5.7
+	 */
+	public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
+		this.shouldFilterAllDispatcherTypes = shouldFilterAllDispatcherTypes;
+	}
+
 	private static <T> void noPublish(Supplier<Authentication> authentication, T object,
 			AuthorizationDecision decision) {

--- a/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;

 import java.util.function.Supplier;

+import jakarta.servlet.DispatcherType;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.AfterEach;
@ -37,6 +38,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.web.util.WebUtils;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@ -164,4 +166,67 @@ public class AuthorizationFilterTests {
 				any(AuthorizationDecision.class));
 	}

+	@Test
+	public void doFilterWhenErrorThenDoNotFilter() throws Exception {
+		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
+		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
+		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
+		mockRequest.setDispatcherType(DispatcherType.ERROR);
+		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
+		FilterChain mockFilterChain = mock(FilterChain.class);
+
+		authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
+		verifyNoInteractions(authorizationManager);
+	}
+
+	@Test
+	public void doFilterWhenErrorAndShouldFilterAllDispatcherTypesThenFilter() throws Exception {
+		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
+		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
+		authorizationFilter.setShouldFilterAllDispatcherTypes(true);
+		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
+		mockRequest.setDispatcherType(DispatcherType.ERROR);
+		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
+		FilterChain mockFilterChain = mock(FilterChain.class);
+
+		authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
+		verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
+	}
+
+	@Test
+	public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
+		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
+		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
+		authorizationFilter.setShouldFilterAllDispatcherTypes(true);
+		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
+		mockRequest.setDispatcherType(DispatcherType.ERROR);
+		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
+		FilterChain mockFilterChain = mock(FilterChain.class);
+
+		authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
+		verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
+	}
+
+	@Test
+	public void doFilterNestedErrorDispatchWhenAuthorizationEventPublisherThenUses() throws Exception {
+		AuthorizationFilter authorizationFilter = new AuthorizationFilter(
+				AuthenticatedAuthorizationManager.authenticated());
+		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
+		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
+		FilterChain mockFilterChain = mock(FilterChain.class);
+
+		SecurityContext securityContext = new SecurityContextImpl();
+		securityContext.setAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"));
+		SecurityContextHolder.setContext(securityContext);
+
+		AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
+		authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
+		authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
+		verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
+				any(AuthorizationDecision.class));
+	}
+
 }