From c5c5cd5ed0a649f94d6228d06fc6360c1db5275c Mon Sep 17 00:00:00 2001 From: Daniel Garnier-Moiroux Date: Tue, 27 Aug 2024 17:10:27 +0200 Subject: [PATCH] Serve static content (css, js) for default UIs from DefaultResourcesFilter --- .../web/builders/FilterOrderRegistration.java | 2 + .../DefaultLoginPageConfigurer.java | 5 + .../DefaultLoginPageConfigurerTests.java | 29 +++- .../ui/DefaultResourcesFilter.java | 98 ++++++++++++ .../springframework/security/default-ui.css | 139 ++++++++++++++++++ .../ui/DefaultResourcesFilterTests.java | 59 ++++++++ .../org/springframework/security/test.css | 3 + 7 files changed, 334 insertions(+), 1 deletion(-) create mode 100644 web/src/main/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilter.java create mode 100644 web/src/main/resources/org/springframework/security/default-ui.css create mode 100644 web/src/test/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilterTests.java create mode 100644 web/src/test/resources/org/springframework/security/test.css diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java index 7ba8cb1386..6f297cdb23 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java @@ -38,6 +38,7 @@ import org.springframework.security.web.authentication.switchuser.SwitchUserFilt import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter; +import org.springframework.security.web.authentication.ui.DefaultResourcesFilter; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.authentication.www.DigestAuthenticationFilter; import org.springframework.security.web.context.SecurityContextHolderFilter; @@ -101,6 +102,7 @@ final class FilterOrderRegistration { order.next()); put(UsernamePasswordAuthenticationFilter.class, order.next()); order.next(); // gh-8105 + put(DefaultResourcesFilter.class, order.next()); put(DefaultLoginPageGeneratingFilter.class, order.next()); put(DefaultLogoutPageGeneratingFilter.class, order.next()); put(DefaultOneTimeTokenSubmitPageGeneratingFilter.class, order.next()); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java index 4e955e3688..dd4a08b71a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurer.java @@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter; +import org.springframework.security.web.authentication.ui.DefaultResourcesFilter; import org.springframework.security.web.csrf.CsrfToken; /** @@ -74,11 +75,14 @@ public final class DefaultLoginPageConfigurer> private DefaultLogoutPageGeneratingFilter logoutPageGeneratingFilter = new DefaultLogoutPageGeneratingFilter(); + private DefaultResourcesFilter defaultResourcesFilter = new DefaultResourcesFilter(); + @Override public void init(H http) { this.loginPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs); this.logoutPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs); http.setSharedObject(DefaultLoginPageGeneratingFilter.class, this.loginPageGeneratingFilter); + http.setSharedObject(DefaultResourcesFilter.class, this.defaultResourcesFilter); } private Map hiddenInputs(HttpServletRequest request) { @@ -98,6 +102,7 @@ public final class DefaultLoginPageConfigurer> if (this.loginPageGeneratingFilter.isEnabled() && authenticationEntryPoint == null) { this.loginPageGeneratingFilter = postProcess(this.loginPageGeneratingFilter); http.addFilter(this.loginPageGeneratingFilter); + http.addFilter(this.defaultResourcesFilter); LogoutConfigurer logoutConfigurer = http.getConfigurer(LogoutConfigurer.class); if (logoutConfigurer != null) { http.addFilter(this.logoutPageGeneratingFilter); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java index d49ade6696..e6d7eeff00 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java @@ -38,6 +38,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; +import org.springframework.security.web.authentication.ui.DefaultResourcesFilter; import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.DefaultCsrfToken; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; @@ -46,6 +47,7 @@ import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; import static org.assertj.core.api.Assertions.assertThat; +import static org.hamcrest.Matchers.containsString; import static org.mockito.ArgumentMatchers.any; import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; @@ -55,6 +57,7 @@ import static org.springframework.security.test.web.servlet.request.SecurityMock import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; @@ -349,7 +352,15 @@ public class DefaultLoginPageConfigurerTests { """.formatted(token.getToken())); }); - // @formatter:on + } + + @Test + public void cssWhenFormLoginConfiguredThenServesCss() throws Exception { + this.spring.register(DefaultLoginPageConfig.class).autowire(); + this.mvc.perform(get("/spring-security/spring-security.css")) + .andExpect(status().isOk()) + .andExpect(header().string("content-type", "text/css;charset=utf-8")) + .andExpect(content().string(containsString("body {"))); } @Test @@ -444,6 +455,22 @@ public class DefaultLoginPageConfigurerTests { .count()).isZero(); } + @Test + public void configureWhenAuthenticationEntryPointThenDoesNotServeCss() throws Exception { + this.spring.register(DefaultLoginWithCustomAuthenticationEntryPointConfig.class).autowire(); + FilterChainProxy filterChain = this.spring.getContext().getBean(FilterChainProxy.class); + assertThat(filterChain.getFilterChains() + .get(0) + .getFilters() + .stream() + .filter((filter) -> filter.getClass().isAssignableFrom(DefaultResourcesFilter.class)) + .count()).isZero(); + //@formatter:off + this.mvc.perform(get("/spring-security/spring-security.css")) + .andExpect(status().is3xxRedirection()); + //@formatter:on + } + @Test public void formLoginWhenLogoutEnabledThenCreatesDefaultLogoutPage() throws Exception { this.spring.register(DefaultLogoutPageConfig.class).autowire(); diff --git a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilter.java new file mode 100644 index 0000000000..ebb567fb3b --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilter.java @@ -0,0 +1,98 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.authentication.ui; + +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.http.HttpServletRequest; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.http.HttpMethod; +import org.springframework.http.MediaType; +import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import org.springframework.security.web.util.matcher.RequestMatcher; +import org.springframework.util.Assert; +import org.springframework.web.filter.GenericFilterBean; + +/** + * Serve common static assets used in default UIs, such as CSS or Javascript files. For + * internal use only. + * + * @author Daniel Garnier-Moiroux + * @since 6.4 + */ +public final class DefaultResourcesFilter extends GenericFilterBean { + + private final RequestMatcher matcher; + + private final ClassPathResource resource; + + private final MediaType mediaType; + + private DefaultResourcesFilter(RequestMatcher matcher, ClassPathResource resource, MediaType mediaType) { + Assert.isTrue(resource.exists(), "classpath resource must exist"); + this.matcher = matcher; + this.resource = resource; + this.mediaType = mediaType; + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + if (!(request instanceof HttpServletRequest servletRequest)) { + filterChain.doFilter(request, response); + return; + } + + if (this.matcher.matches(servletRequest)) { + response.setContentType(this.mediaType.toString()); + response.getWriter().write(this.resource.getContentAsString(StandardCharsets.UTF_8)); + return; + } + + filterChain.doFilter(request, response); + } + + @Override + public String toString() { + return "%s [matcher=%s, resource=%s]".formatted(getClass().getSimpleName(), this.matcher.toString(), + this.resource.getPath()); + } + + /** + * Create an instance of {@link DefaultResourcesFilter} serving Spring Security's + * default CSS stylesheet. + *

+ * The created {@link DefaultResourcesFilter} matches requests + * {@code HTTP GET /default-ui.css}, and returns the default + * stylesheet at {@code org/springframework/security/default-ui.css} with + * content-type {@code text/css;charset=UTF-8}. + * @return - + */ + public static DefaultResourcesFilter defaultCss() { + return new DefaultResourcesFilter( + AntPathRequestMatcher.antMatcher(HttpMethod.GET, "/default-ui.css"), + new ClassPathResource("org/springframework/security/default-ui.css"), + new MediaType("text", "css", StandardCharsets.UTF_8)); + } + +} diff --git a/web/src/main/resources/org/springframework/security/default-ui.css b/web/src/main/resources/org/springframework/security/default-ui.css new file mode 100644 index 0000000000..1156b30c70 --- /dev/null +++ b/web/src/main/resources/org/springframework/security/default-ui.css @@ -0,0 +1,139 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* General layout */ +body { + font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; + background-color: #eee; + padding: 40px 0; + margin: 0; + line-height: 1.5; +} + +h2 { + margin-top: 0; + margin-bottom: 0.5rem; + font-size: 2rem; + font-weight: 500; + line-height: 2rem; +} + +.content { + margin-right: auto; + margin-left: auto; + padding-right: 15px; + padding-left: 15px; + width: 100%; + box-sizing: border-box; +} + +@media (min-width: 800px) { + .content { + max-width: 760px; + } +} + +/* Components */ +a, +a:visited { + text-decoration: none; + color: #06f; +} + +a:hover { + text-decoration: underline; + color: #003c97; +} + +input[type="text"], +input[type="password"] { + height: auto; + width: 100%; + font-size: 1rem; + padding: 0.5rem; + box-sizing: border-box; +} + +button { + padding: 0.5rem 1rem; + font-size: 1.25rem; + line-height: 1.5; + border: none; + border-radius: 0.1rem; + width: 100%; +} + +button.primary { + color: #fff; + background-color: #06f; +} + +.alert { + padding: 0.75rem 1rem; + margin-bottom: 1rem; + line-height: 1.5; + border-radius: 0.1rem; + width: 100%; + box-sizing: border-box; + border-width: 1px; + border-style: solid; +} + +.alert.alert-danger { + color: #6b1922; + background-color: #f7d5d7; + border-color: #eab6bb; +} + +.alert.alert-success { + color: #145222; + background-color: #d1f0d9; + border-color: #c2ebcb; +} + +.screenreader { + position: absolute; + clip: rect(0 0 0 0); + height: 1px; + width: 1px; + padding: 0; + border: 0; + overflow: hidden; +} + +table { + width: 100%; + max-width: 100%; + margin-bottom: 2rem; +} + +.table-striped tr:nth-of-type(2n + 1) { + background-color: #e1e1e1; +} + +td { + padding: 0.75rem; + vertical-align: top; +} + +/* Login / logout layouts */ +.login-form, +.logout-form { + max-width: 340px; + padding: 0 15px 15px 15px; + margin: 0 auto 2rem auto; + box-sizing: border-box; +} diff --git a/web/src/test/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilterTests.java new file mode 100644 index 0000000000..fb6d75c3a1 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/authentication/ui/DefaultResourcesFilterTests.java @@ -0,0 +1,59 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.authentication.ui; + +import org.junit.jupiter.api.Test; + +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.hamcrest.Matchers.containsString; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +/** + * @author Daniel Garnier-Moiroux + * @since 6.4 + */ +public class DefaultResourcesFilterTests { + + private final DefaultResourcesFilter filter = DefaultResourcesFilter.css(); + + private final MockMvc mockMvc = MockMvcBuilders.standaloneSetup(new Object()).addFilters(this.filter).build(); + + @Test + public void doFilterThenRender() throws Exception { + this.mockMvc.perform(get("/default-ui.css")) + .andExpect(status().isOk()) + .andExpect(content().contentType("text/css;charset=UTF-8")) + .andExpect(content().string(containsString("body {"))); + } + + @Test + public void doFilterWhenPathDoesNotMatchThenCallsThrough() throws Exception { + this.mockMvc.perform(get("/does-not-match")).andExpect(status().isNotFound()); + } + + @Test + void toStringPrintsPathAndResource() { + assertThat(this.filter.toString()).isEqualTo( + "DefaultResourcesFilter [matcher=Ant [pattern='/default-ui.css', GET], resource=org/springframework/security/default-ui.css]"); + } + +} diff --git a/web/src/test/resources/org/springframework/security/test.css b/web/src/test/resources/org/springframework/security/test.css new file mode 100644 index 0000000000..a3c2769c0a --- /dev/null +++ b/web/src/test/resources/org/springframework/security/test.css @@ -0,0 +1,3 @@ +body { + color: #6db33f; +}