Serve static content (css, js) for default UIs from DefaultResourcesFilter

This commit is contained in:
Daniel Garnier-Moiroux 2024-08-27 17:10:27 +02:00 committed by Rob Winch
parent be6dc1d2bf
commit c5c5cd5ed0
7 changed files with 334 additions and 1 deletions

View File

@ -38,6 +38,7 @@ import org.springframework.security.web.authentication.switchuser.SwitchUserFilt
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter; import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.context.SecurityContextHolderFilter;
@ -101,6 +102,7 @@ final class FilterOrderRegistration {
order.next()); order.next());
put(UsernamePasswordAuthenticationFilter.class, order.next()); put(UsernamePasswordAuthenticationFilter.class, order.next());
order.next(); // gh-8105 order.next(); // gh-8105
put(DefaultResourcesFilter.class, order.next());
put(DefaultLoginPageGeneratingFilter.class, order.next()); put(DefaultLoginPageGeneratingFilter.class, order.next());
put(DefaultLogoutPageGeneratingFilter.class, order.next()); put(DefaultLogoutPageGeneratingFilter.class, order.next());
put(DefaultOneTimeTokenSubmitPageGeneratingFilter.class, order.next()); put(DefaultOneTimeTokenSubmitPageGeneratingFilter.class, order.next());

View File

@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
/** /**
@ -74,11 +75,14 @@ public final class DefaultLoginPageConfigurer<H extends HttpSecurityBuilder<H>>
private DefaultLogoutPageGeneratingFilter logoutPageGeneratingFilter = new DefaultLogoutPageGeneratingFilter(); private DefaultLogoutPageGeneratingFilter logoutPageGeneratingFilter = new DefaultLogoutPageGeneratingFilter();
private DefaultResourcesFilter defaultResourcesFilter = new DefaultResourcesFilter();
@Override @Override
public void init(H http) { public void init(H http) {
this.loginPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs); this.loginPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs);
this.logoutPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs); this.logoutPageGeneratingFilter.setResolveHiddenInputs(DefaultLoginPageConfigurer.this::hiddenInputs);
http.setSharedObject(DefaultLoginPageGeneratingFilter.class, this.loginPageGeneratingFilter); http.setSharedObject(DefaultLoginPageGeneratingFilter.class, this.loginPageGeneratingFilter);
http.setSharedObject(DefaultResourcesFilter.class, this.defaultResourcesFilter);
} }
private Map<String, String> hiddenInputs(HttpServletRequest request) { private Map<String, String> hiddenInputs(HttpServletRequest request) {
@ -98,6 +102,7 @@ public final class DefaultLoginPageConfigurer<H extends HttpSecurityBuilder<H>>
if (this.loginPageGeneratingFilter.isEnabled() && authenticationEntryPoint == null) { if (this.loginPageGeneratingFilter.isEnabled() && authenticationEntryPoint == null) {
this.loginPageGeneratingFilter = postProcess(this.loginPageGeneratingFilter); this.loginPageGeneratingFilter = postProcess(this.loginPageGeneratingFilter);
http.addFilter(this.loginPageGeneratingFilter); http.addFilter(this.loginPageGeneratingFilter);
http.addFilter(this.defaultResourcesFilter);
LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class); LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
if (logoutConfigurer != null) { if (logoutConfigurer != null) {
http.addFilter(this.logoutPageGeneratingFilter); http.addFilter(this.logoutPageGeneratingFilter);

View File

@ -38,6 +38,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.DefaultCsrfToken; import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
@ -46,6 +47,7 @@ import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.spy; import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -55,6 +57,7 @@ import static org.springframework.security.test.web.servlet.request.SecurityMock
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -349,7 +352,15 @@ public class DefaultLoginPageConfigurerTests {
</body> </body>
</html>""".formatted(token.getToken())); </html>""".formatted(token.getToken()));
}); });
// @formatter:on }
@Test
public void cssWhenFormLoginConfiguredThenServesCss() throws Exception {
this.spring.register(DefaultLoginPageConfig.class).autowire();
this.mvc.perform(get("/spring-security/spring-security.css"))
.andExpect(status().isOk())
.andExpect(header().string("content-type", "text/css;charset=utf-8"))
.andExpect(content().string(containsString("body {")));
} }
@Test @Test
@ -444,6 +455,22 @@ public class DefaultLoginPageConfigurerTests {
.count()).isZero(); .count()).isZero();
} }
@Test
public void configureWhenAuthenticationEntryPointThenDoesNotServeCss() throws Exception {
this.spring.register(DefaultLoginWithCustomAuthenticationEntryPointConfig.class).autowire();
FilterChainProxy filterChain = this.spring.getContext().getBean(FilterChainProxy.class);
assertThat(filterChain.getFilterChains()
.get(0)
.getFilters()
.stream()
.filter((filter) -> filter.getClass().isAssignableFrom(DefaultResourcesFilter.class))
.count()).isZero();
//@formatter:off
this.mvc.perform(get("/spring-security/spring-security.css"))
.andExpect(status().is3xxRedirection());
//@formatter:on
}
@Test @Test
public void formLoginWhenLogoutEnabledThenCreatesDefaultLogoutPage() throws Exception { public void formLoginWhenLogoutEnabledThenCreatesDefaultLogoutPage() throws Exception {
this.spring.register(DefaultLogoutPageConfig.class).autowire(); this.spring.register(DefaultLogoutPageConfig.class).autowire();

View File

@ -0,0 +1,98 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.ui;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
/**
* Serve common static assets used in default UIs, such as CSS or Javascript files. For
* internal use only.
*
* @author Daniel Garnier-Moiroux
* @since 6.4
*/
public final class DefaultResourcesFilter extends GenericFilterBean {
private final RequestMatcher matcher;
private final ClassPathResource resource;
private final MediaType mediaType;
private DefaultResourcesFilter(RequestMatcher matcher, ClassPathResource resource, MediaType mediaType) {
Assert.isTrue(resource.exists(), "classpath resource must exist");
this.matcher = matcher;
this.resource = resource;
this.mediaType = mediaType;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (!(request instanceof HttpServletRequest servletRequest)) {
filterChain.doFilter(request, response);
return;
}
if (this.matcher.matches(servletRequest)) {
response.setContentType(this.mediaType.toString());
response.getWriter().write(this.resource.getContentAsString(StandardCharsets.UTF_8));
return;
}
filterChain.doFilter(request, response);
}
@Override
public String toString() {
return "%s [matcher=%s, resource=%s]".formatted(getClass().getSimpleName(), this.matcher.toString(),
this.resource.getPath());
}
/**
* Create an instance of {@link DefaultResourcesFilter} serving Spring Security's
* default CSS stylesheet.
* <p>
* The created {@link DefaultResourcesFilter} matches requests
* {@code HTTP GET /default-ui.css}, and returns the default
* stylesheet at {@code org/springframework/security/default-ui.css} with
* content-type {@code text/css;charset=UTF-8}.
* @return -
*/
public static DefaultResourcesFilter defaultCss() {
return new DefaultResourcesFilter(
AntPathRequestMatcher.antMatcher(HttpMethod.GET, "/default-ui.css"),
new ClassPathResource("org/springframework/security/default-ui.css"),
new MediaType("text", "css", StandardCharsets.UTF_8));
}
}

View File

@ -0,0 +1,139 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* General layout */
body {
font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
background-color: #eee;
padding: 40px 0;
margin: 0;
line-height: 1.5;
}
h2 {
margin-top: 0;
margin-bottom: 0.5rem;
font-size: 2rem;
font-weight: 500;
line-height: 2rem;
}
.content {
margin-right: auto;
margin-left: auto;
padding-right: 15px;
padding-left: 15px;
width: 100%;
box-sizing: border-box;
}
@media (min-width: 800px) {
.content {
max-width: 760px;
}
}
/* Components */
a,
a:visited {
text-decoration: none;
color: #06f;
}
a:hover {
text-decoration: underline;
color: #003c97;
}
input[type="text"],
input[type="password"] {
height: auto;
width: 100%;
font-size: 1rem;
padding: 0.5rem;
box-sizing: border-box;
}
button {
padding: 0.5rem 1rem;
font-size: 1.25rem;
line-height: 1.5;
border: none;
border-radius: 0.1rem;
width: 100%;
}
button.primary {
color: #fff;
background-color: #06f;
}
.alert {
padding: 0.75rem 1rem;
margin-bottom: 1rem;
line-height: 1.5;
border-radius: 0.1rem;
width: 100%;
box-sizing: border-box;
border-width: 1px;
border-style: solid;
}
.alert.alert-danger {
color: #6b1922;
background-color: #f7d5d7;
border-color: #eab6bb;
}
.alert.alert-success {
color: #145222;
background-color: #d1f0d9;
border-color: #c2ebcb;
}
.screenreader {
position: absolute;
clip: rect(0 0 0 0);
height: 1px;
width: 1px;
padding: 0;
border: 0;
overflow: hidden;
}
table {
width: 100%;
max-width: 100%;
margin-bottom: 2rem;
}
.table-striped tr:nth-of-type(2n + 1) {
background-color: #e1e1e1;
}
td {
padding: 0.75rem;
vertical-align: top;
}
/* Login / logout layouts */
.login-form,
.logout-form {
max-width: 340px;
padding: 0 15px 15px 15px;
margin: 0 auto 2rem auto;
box-sizing: border-box;
}

View File

@ -0,0 +1,59 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.authentication.ui;
import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Daniel Garnier-Moiroux
* @since 6.4
*/
public class DefaultResourcesFilterTests {
private final DefaultResourcesFilter filter = DefaultResourcesFilter.css();
private final MockMvc mockMvc = MockMvcBuilders.standaloneSetup(new Object()).addFilters(this.filter).build();
@Test
public void doFilterThenRender() throws Exception {
this.mockMvc.perform(get("/default-ui.css"))
.andExpect(status().isOk())
.andExpect(content().contentType("text/css;charset=UTF-8"))
.andExpect(content().string(containsString("body {")));
}
@Test
public void doFilterWhenPathDoesNotMatchThenCallsThrough() throws Exception {
this.mockMvc.perform(get("/does-not-match")).andExpect(status().isNotFound());
}
@Test
void toStringPrintsPathAndResource() {
assertThat(this.filter.toString()).isEqualTo(
"DefaultResourcesFilter [matcher=Ant [pattern='/default-ui.css', GET], resource=org/springframework/security/default-ui.css]");
}
}

View File

@ -0,0 +1,3 @@
body {
color: #6db33f;
}