Add shouldFilterAllDispatcherTypes to Kotlin DSL

Closes gh-11153
This commit is contained in:
Marcus Da Coregio 2022-04-25 14:20:56 -03:00
parent ac06057cf6
commit a0232ed135
3 changed files with 174 additions and 0 deletions

View File

@ -24,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer
import org.springframework.security.core.Authentication import org.springframework.security.core.Authentication
import org.springframework.security.web.access.intercept.AuthorizationFilter
import org.springframework.security.web.access.intercept.RequestAuthorizationContext import org.springframework.security.web.access.intercept.RequestAuthorizationContext
import org.springframework.security.web.util.matcher.AnyRequestMatcher import org.springframework.security.web.util.matcher.AnyRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher import org.springframework.security.web.util.matcher.RequestMatcher
@ -35,8 +36,11 @@ import java.util.function.Supplier
* *
* @author Yuriy Savchenko * @author Yuriy Savchenko
* @since 5.7 * @since 5.7
* @property shouldFilterAllDispatcherTypes whether the [AuthorizationFilter] should filter all dispatcher types
*/ */
class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() { class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
var shouldFilterAllDispatcherTypes: Boolean? = null
private val authorizationRules = mutableListOf<AuthorizationManagerRule>() private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector" private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
@ -248,6 +252,9 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
} }
} }
} }
shouldFilterAllDispatcherTypes?.also { shouldFilter ->
requests.shouldFilterAllDispatcherTypes(shouldFilter)
}
} }
} }
} }

View File

@ -53,7 +53,9 @@ import org.springframework.web.bind.annotation.RestController
import org.springframework.web.servlet.config.annotation.EnableWebMvc import org.springframework.web.servlet.config.annotation.EnableWebMvc
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer import org.springframework.web.servlet.config.annotation.PathMatchConfigurer
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
import org.springframework.web.util.WebUtils
import java.util.function.Supplier import java.util.function.Supplier
import jakarta.servlet.DispatcherType
/** /**
* Tests for [AuthorizeHttpRequestsDsl] * Tests for [AuthorizeHttpRequestsDsl]
@ -641,4 +643,155 @@ class AuthorizeHttpRequestsDslTests {
return http.build() return http.build()
} }
} }
@Test
fun `request when shouldFilterAllDispatcherTypes and denyAll and ERROR then responds with forbidden`() {
this.spring.register(ShouldFilterAllDispatcherTypesTrueDenyAllConfig::class.java).autowire()
this.mockMvc.perform(get("/path")
.with { request ->
request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
request.apply {
dispatcherType = DispatcherType.ERROR
}
})
.andExpect(status().isForbidden)
}
@EnableWebSecurity
@EnableWebMvc
open class ShouldFilterAllDispatcherTypesTrueDenyAllConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(anyRequest, denyAll)
}
}
return http.build()
}
@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}
@Test
fun `request when shouldFilterAllDispatcherTypes and permitAll and ERROR then responds with ok`() {
this.spring.register(ShouldFilterAllDispatcherTypesTruePermitAllConfig::class.java).autowire()
this.mockMvc.perform(get("/path")
.with { request ->
request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
request.apply {
dispatcherType = DispatcherType.ERROR
}
})
.andExpect(status().isOk)
}
@EnableWebSecurity
@EnableWebMvc
open class ShouldFilterAllDispatcherTypesTruePermitAllConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = true
authorize(anyRequest, permitAll)
}
}
return http.build()
}
@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}
@Test
fun `request when shouldFilterAllDispatcherTypes false and ERROR dispatcher then responds with ok`() {
this.spring.register(ShouldFilterAllDispatcherTypesFalseAndDenyAllConfig::class.java).autowire()
this.mockMvc.perform(get("/path")
.with { request ->
request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
request.apply {
dispatcherType = DispatcherType.ERROR
}
})
.andExpect(status().isOk)
}
@EnableWebSecurity
@EnableWebMvc
open class ShouldFilterAllDispatcherTypesFalseAndDenyAllConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = false
authorize(anyRequest, denyAll)
}
}
return http.build()
}
@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}
@Test
fun `request when shouldFilterAllDispatcherTypes omitted and ERROR dispatcher then responds with forbidden`() {
this.spring.register(ShouldFilterAllDispatcherTypesOmittedAndDenyAllConfig::class.java).autowire()
this.mockMvc.perform(get("/path")
.with { request ->
request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
request.apply {
dispatcherType = DispatcherType.ERROR
}
})
.andExpect(status().isForbidden)
}
@EnableWebSecurity
@EnableWebMvc
open class ShouldFilterAllDispatcherTypesOmittedAndDenyAllConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize(anyRequest, denyAll)
}
}
return http.build()
}
@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}
} }

View File

@ -190,4 +190,18 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun web(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
shouldFilterAllDispatcherTypes = false
authorize(anyRequest, authenticated)
}
}
return http.build()
}
----
==== ====