Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish gh-9597

This commit is contained in:
Steve Riesenberg 2021-12-02 16:28:22 -06:00
parent 925d531cbe
commit df0f6f83af
5 changed files with 27 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
View File

@ -21,7 +21,6 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@ -91,11 +90,6 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>>
if (trustResolver != null) { if (trustResolver != null) {
this.securityContextRequestFilter.setTrustResolver(trustResolver); this.securityContextRequestFilter.setTrustResolver(trustResolver);
} }
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = http
.getSharedObject(AuthenticationDetailsSource.class);
if (authenticationDetailsSource != null) {
this.securityContextRequestFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
}
ApplicationContext context = http.getSharedObject(ApplicationContext.class); ApplicationContext context = http.getSharedObject(ApplicationContext.class);
if (context != null) { if (context != null) {
String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class); String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);

26
config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java
View File

@ -30,7 +30,6 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
@ -150,15 +149,6 @@ public class ServletApiConfigurerTests {
verify(SharedTrustResolverConfig.TR, atLeastOnce()).isAnonymous(any()); verify(SharedTrustResolverConfig.TR, atLeastOnce()).isAnonymous(any());
} }
@Test
public void configureWhenSharedObjectAuthenticationDetailsSourceThenAuthenticationDetailsSourceUsed() {
this.spring.register(SharedAuthenticationDetailsSourceConfig.class).autowire();
SecurityContextHolderAwareRequestFilter scaFilter = getFilter(SecurityContextHolderAwareRequestFilter.class);
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = getFieldValue(scaFilter,
"authenticationDetailsSource");
assertThat(authenticationDetailsSource).isEqualTo(SharedAuthenticationDetailsSourceConfig.ADS);
}
@Test @Test
public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception { public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire(); this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
@ -331,22 +321,6 @@ public class ServletApiConfigurerTests {
} }
@EnableWebSecurity
static class SharedAuthenticationDetailsSourceConfig extends WebSecurityConfigurerAdapter {
@SuppressWarnings("unchecked")
static AuthenticationDetailsSource<HttpServletRequest, ?> ADS = spy(AuthenticationDetailsSource.class);
@Override
protected void configure(HttpSecurity http) {
// @formatter:off
http
.setSharedObject(AuthenticationDetailsSource.class, ADS);
// @formatter:on
}
}
@EnableWebSecurity @EnableWebSecurity
static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {

14
web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
View File

@ -81,7 +81,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource(); private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private AuthenticationEntryPoint authenticationEntryPoint; private AuthenticationEntryPoint authenticationEntryPoint;
@ -162,18 +162,6 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
this.trustResolver = trustResolver; this.trustResolver = trustResolver;
} }
/**
* Sets the {@link AuthenticationDetailsSource} to be used. The default is
* {@link WebAuthenticationDetailsSource}.
* @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
* Cannot be null.
*/
void setAuthenticationDetailsSource(
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
this.authenticationDetailsSource = authenticationDetailsSource;
}
@Override @Override
public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response) { public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response) {
return new Servlet3SecurityContextHolderAwareRequestWrapper(request, this.rolePrefix, response); return new Servlet3SecurityContextHolderAwareRequestWrapper(request, this.rolePrefix, response);

18
web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
View File

@ -27,14 +27,12 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.LogoutHandler; import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean; import org.springframework.web.filter.GenericFilterBean;
@ -82,8 +80,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
public void setRolePrefix(String rolePrefix) { public void setRolePrefix(String rolePrefix) {
Assert.notNull(rolePrefix, "Role prefix must not be null"); Assert.notNull(rolePrefix, "Role prefix must not be null");
this.rolePrefix = rolePrefix; this.rolePrefix = rolePrefix;
@ -176,23 +172,9 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
updateFactory(); updateFactory();
} }
/**
* Sets the {@link AuthenticationDetailsSource} to be used. The default is
* {@link WebAuthenticationDetailsSource}.
* @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
* Cannot be null.
*/
public void setAuthenticationDetailsSource(
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
this.authenticationDetailsSource = authenticationDetailsSource;
updateFactory();
}
private HttpServletRequestFactory createServlet3Factory(String rolePrefix) { private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix); HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
factory.setTrustResolver(this.trustResolver); factory.setTrustResolver(this.trustResolver);
factory.setAuthenticationDetailsSource(this.authenticationDetailsSource);
factory.setAuthenticationEntryPoint(this.authenticationEntryPoint); factory.setAuthenticationEntryPoint(this.authenticationEntryPoint);
factory.setAuthenticationManager(this.authenticationManager); factory.setAuthenticationManager(this.authenticationManager);
factory.setLogoutHandlers(this.logoutHandlers); factory.setLogoutHandlers(this.logoutHandlers);

27
web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited * Copyright 2004, 2005, 2006, 2021 Acegi Technology Pty Limited
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -36,6 +36,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
@ -45,12 +46,14 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.logout.LogoutHandler; import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.test.util.ReflectionTestUtils; import org.springframework.test.util.ReflectionTestUtils;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.eq; import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given; import static org.mockito.BDDMockito.given;
@ -59,6 +62,7 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times; import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
/** /**
* Tests {@link SecurityContextHolderAwareRequestFilter}. * Tests {@link SecurityContextHolderAwareRequestFilter}.
@ -217,6 +221,27 @@ public class SecurityContextHolderAwareRequestFilterTests {
verifyZeroInteractions(this.authenticationEntryPoint, this.authenticationManager, this.logoutHandler); verifyZeroInteractions(this.authenticationEntryPoint, this.authenticationManager, this.logoutHandler);
} }
@Test
public void loginWhenHttpServletRequestHasAuthenticationDetailsThenAuthenticationRequestHasDetails()
throws Exception {
String ipAddress = "10.0.0.100";
String sessionId = "session-id";
when(this.request.getRemoteAddr()).thenReturn(ipAddress);
when(this.request.getSession(anyBoolean())).thenReturn(new MockHttpSession(null, sessionId));
wrappedRequest().login("username", "password");
ArgumentCaptor<UsernamePasswordAuthenticationToken> authenticationCaptor = ArgumentCaptor
.forClass(UsernamePasswordAuthenticationToken.class);
verify(this.authenticationManager).authenticate(authenticationCaptor.capture());
UsernamePasswordAuthenticationToken authenticationRequest = authenticationCaptor.getValue();
assertThat(authenticationRequest.getDetails()).isInstanceOf(WebAuthenticationDetails.class);
WebAuthenticationDetails details = (WebAuthenticationDetails) authenticationRequest.getDetails();
assertThat(details.getRemoteAddress()).isEqualTo(ipAddress);
assertThat(details.getSessionId()).isEqualTo(sessionId);
}
@Test @Test
public void logout() throws Exception { public void logout() throws Exception {
TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password", "ROLE_USER"); TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password", "ROLE_USER");