Polish ignoring() log messaging

- Public API remains unchanged

Issue gh-9334
This commit is contained in:
Josh Cummings 2022-02-07 14:00:55 -07:00
parent 01ed617d5f
commit cbd87fac89
9 changed files with 13 additions and 7410 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
private ApplicationContext context;
protected boolean anyRequestConfigured = false;
private boolean anyRequestConfigured = false;
protected final void setApplicationContext(ApplicationContext context) {
this.context = context;
@ -165,8 +165,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
+ " of type " + HandlerMappingIntrospector.class.getName()
+ " is required to use MvcRequestMatcher."
+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
}
HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
HandlerMappingIntrospector.class);
@ -266,7 +265,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* @author Rob Winch
* @since 3.2
*/
public static final class RequestMatchers {
private static final class RequestMatchers {
private RequestMatchers() {
}
@ -279,7 +278,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* from
* @return a {@link List} of {@link AntPathRequestMatcher} instances
*/
public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
String method = (httpMethod != null) ? httpMethod.toString() : null;
List<RequestMatcher> matchers = new ArrayList<>();
for (String pattern : antPatterns) {
@ -295,7 +294,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
* from
* @return a {@link List} of {@link AntPathRequestMatcher} instances
*/
public static List<RequestMatcher> antMatchers(String... antPatterns) {
static List<RequestMatcher> antMatchers(String... antPatterns) {
return antMatchers(null, antPatterns);
}

View File

@ -17,7 +17,6 @@
package org.springframework.security.config.annotation.web.builders;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
@ -31,7 +30,6 @@ import org.springframework.beans.BeansException;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.SecurityExpressionHandler;
@ -62,7 +60,6 @@ import org.springframework.security.web.debug.DebugFilter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@ -111,7 +108,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
private WebInvocationPrivilegeEvaluator privilegeEvaluator;
private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
@ -307,6 +304,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
for (RequestMatcher ignoredRequest : this.ignoredRequests) {
WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest
+ ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
securityFilterChains.add(securityFilterChain);
requestMatcherPrivilegeEvaluatorsEntries
@ -436,8 +435,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
@Override
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
mvcMatchers.stream().forEach((t) -> t.ignore());
WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
}
@ -447,38 +444,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
return mvcMatchers(null, mvcPatterns);
}
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
return antMatchers(method, "/**");
}
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(antMatchers);
}
/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
}
@Override
protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
WebSecurity.this.ignoredRequests.addAll(requestMatchers);
@ -492,33 +457,6 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
return WebSecurity.this;
}
/**
* @param method the HttpMethod, it could be null too.
* @param pathPattern the path pattern to be ignored
* @since 5.5
*/
private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {
if (pathPattern.equals("/**")) {
WebSecurity.this.logger
.warn("**********************************************************************************");
if (method != null) {
WebSecurity.this.logger.warn(LogMessage.format(
"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
WebSecurity.this.logger
.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
}
else {
WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
WebSecurity.this.logger.warn("You're disabling practically all the paths");
WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
}
WebSecurity.this.logger.warn("It is not recomended for production");
WebSecurity.this.logger
.warn("**********************************************************************************");
}
}
}
}

View File

@ -1,50 +0,0 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Test package for path patterns that must be ignored by Spring Security and must be
* indicated/notified through the output, it thanks to the
* <code>DefaultSecurityFilterChain</code>'s constructor.
*
* <p>
* <b>NOTE:</b> be advised that to test if a path(s) was really ignored or not, by
* simplicity, is checking the output shown in the test report, it based with the pattern
* <code>"Will not secure /ABC"</code>, where <code>ABC</code> was defined through the
* <code>web.ignoring()</code> approach. Is very important edit the
* <code>logback-test.xml</code> file (of this module) to change
* <code>level="${sec.log.level:-WARN}"</code> to
* <code>level="${sec.log.level:-INFO}"</code>
*
* <p>
* In the handler methods do not return the view name (i.e:
* <code>return "something"</code>) based on the path value (i.e:
* <code>@GetMapping(path = "/something")</code>), otherwise the tests fail with:
*
* <pre class="code">
* javax.servlet.ServletException:
* Circular view path [something]:
* would dispatch back to the current handler URL [/something] again.
* Check your ViewResolver setup!
* (Hint: This may be the result of an unspecified view, due to default view name generation.)
* </pre>
*
* That's why the all handler methods are based with the
* <code>return "something/something"</code> pattern.
*
* @author Manuel Jordan
* @since 5.5
*/
package org.springframework.security.config.annotation.web.configuration.ignore;

View File

@ -27,7 +27,6 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
/**
@ -49,14 +48,8 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
}
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
if (requestMatcher instanceof IgnoreRequestMatcher) {
IgnoreRequestMatcher ignoreRequestMatcher = (IgnoreRequestMatcher) requestMatcher;
if (ignoreRequestMatcher.isIgnore()) {
logger.info(LogMessage.format("Will not secure %s with %s", requestMatcher, filters));
}
else {
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
}
if (!filters.isEmpty()) {
logger.info(LogMessage.format("Will not secure %s", requestMatcher));
}
else {
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));

View File

@ -1,37 +0,0 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.restriction;
/**
* Indicates if the path should be ignored or not by Spring Security.
*
* @author Manuel Jordan
* @since 5.5
*/
public interface IgnoreRequestMatcher {
/**
* Establishes the path must be ignored.
*/
void ignore();
/**
* If the path should be ignored or not.
*/
boolean isIgnore();
}

View File

@ -21,7 +21,6 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpMethod;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
import org.springframework.util.AntPathMatcher;
@ -45,10 +44,9 @@ import org.springframework.web.util.UrlPathHelper;
* @author Rob Winch
* @author Eddú Meléndez
* @author Evgeniy Cheban
* @author Manuel Jordan
* @since 4.1.1
*/
public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
private final DefaultMatcher defaultMatcher = new DefaultMatcher();
@ -60,12 +58,9 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
private String servletPath;
private boolean ignore;
public MvcRequestMatcher(HandlerMappingIntrospector introspector, String pattern) {
this.introspector = introspector;
this.pattern = pattern;
this.ignore = false;
}
@Override
@ -134,16 +129,6 @@ public class MvcRequestMatcher implements RequestMatcher, RequestVariablesExtrac
return this.servletPath;
}
@Override
public void ignore() {
this.ignore = true;
}
@Override
public boolean isIgnore() {
return this.ignore;
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();

View File

@ -22,7 +22,6 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpMethod;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
@ -54,7 +53,7 @@ import org.springframework.web.util.UrlPathHelper;
* @since 3.1
* @see org.springframework.util.AntPathMatcher
*/
public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor, IgnoreRequestMatcher {
public final class AntPathRequestMatcher implements RequestMatcher, RequestVariablesExtractor {
private static final String MATCH_ALL = "/**";
@ -68,8 +67,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
private final UrlPathHelper urlPathHelper;
private boolean ignore;
/**
* Creates a matcher with the specific pattern which will match all HTTP methods in a
* case sensitive manner.
@ -135,7 +132,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
this.pattern = pattern;
this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
this.urlPathHelper = urlPathHelper;
this.ignore = false;
}
/**
@ -175,16 +171,6 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
return MatchResult.match(this.matcher.extractUriTemplateVariables(url));
}
@Override
public void ignore() {
this.ignore = true;
}
@Override
public boolean isIgnore() {
return this.ignore;
}
private String getRequestPath(HttpServletRequest request) {
if (this.urlPathHelper != null) {
return this.urlPathHelper.getPathWithinApplication(request);