From a512789a93dbb3d2173d830627ae1fc39375b99d Mon Sep 17 00:00:00 2001
From: Eleftheria Stein
Date: Mon, 27 Jan 2020 16:11:44 +0100
Subject: [PATCH] Fix requiresAuthenticationMatcher not being used

The custom server requiresAuthenticationMatcher was not always picked up

Fixes: gh-7863
---
 .../config/web/server/ServerHttpSecurity.java | 4 ++-
 .../config/web/server/FormLoginTests.java | 26 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index 195555b0d2..04fd40d84f 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -3049,7 +3049,9 @@ public class ServerHttpSecurity {
 public FormLoginSpec loginPage(String loginPage) {
 this.defaultEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
 this.authenticationEntryPoint = this.defaultEntryPoint;
- this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
+ if (this.requiresAuthenticationMatcher == null) {
+ this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
+ }
 if (this.authenticationFailureHandler == null) {
 this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
 }
diff --git a/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java b/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
index 5fcae75750..c0f1ff8938 100644
--- a/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
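Review bot: The new `if (this.requiresAuthenticationMatcher == null)` guard in `loginPage` cannot tell a matcher supplied through `requiresAuthenticationMatcher(...)` from the default that an earlier `loginPage` call derived. Calling `loginPage` a second time with a different path therefore leaves the filter matching POST on the first path while the entry point redirects to the second. The neighbouring `authenticationFailureHandler` guard has the same first-call-wins behaviour. If that is intended, say so above the guard, for example `// A matcher that is already set is kept; the POST default is only derived when none exists.`; otherwise the spec would need to record whether the matcher was set explicitly. The body of `loginPage` continues past the end of the hunk.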
@@ -37,6 +37,7 @@ import org.springframework.security.web.server.authentication.RedirectServerAuth
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
 import org.springframework.security.web.server.csrf.CsrfToken;
+import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
 import org.springframework.stereotype.Controller;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -245,6 +246,31 @@ public class FormLoginTests {
 assertThat(driver.getCurrentUrl()).endsWith("/failure");
 }
 
+ @Test
+ public void formLoginWhenCustomRequiresAuthenticationMatcherThenUsed() {
+ SecurityWebFilterChain securityWebFilter = this.http
+ .authorizeExchange()
+ .pathMatchers("/login", "/sign-in").permitAll()
+ .anyExchange().authenticated()
+ .and()
+ .formLogin()
+ .requiresAuthenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/sign-in"))
+ .and()
+ .build();
+
+ WebTestClient webTestClient = WebTestClientBuilder
+ .bindToWebFilters(securityWebFilter)
+ .build();
+
+ WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+ .webTestClientSetup(webTestClient)
+ .build();
+
+ driver.get("http://localhost/sign-in");
+
+ assertThat(driver.getCurrentUrl()).endsWith("/login?error");
+ }
+
 @Test
 public void authenticationSuccess() {
 SecurityWebFilterChain securityWebFilter = this.http
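Review bot: `formLoginWhenCustomRequiresAuthenticationMatcherThenUsed` never calls `loginPage(...)` itself, so the call order the patched guard exists for, a custom matcher followed by an explicit login page, is only covered if the builder invokes `loginPage` internally, which this hunk does not show. A companion case that chains `.requiresAuthenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/sign-in"))` and then `.loginPage("/login")` would pin that order. The assertion also checks only the failure redirect after a GET to `/sign-in`. Asserting as well that a POST to `/login` no longer starts an authentication attempt would show the default matcher is replaced rather than supplemented.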