Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
parent
d192b3eb91
commit
e7ee70384d
|
@ -176,13 +176,11 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa
|
|||
|
||||
@Autowired(required = false)
|
||||
void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
|
||||
securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);
|
||||
this.securityFilterChains = securityFilterChains;
|
||||
}
|
||||
|
||||
@Autowired(required = false)
|
||||
void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
|
||||
webSecurityCustomizers.sort(AnnotationAwareOrderComparator.INSTANCE);
|
||||
this.webSecurityCustomizers = webSecurityCustomizers;
|
||||
}
|
||||
|
||||
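Review bot: Neither setter carries a comment saying where the order of the stored list comes from, and for `setFilterChains` that order is security-relevant because FilterChainProxy uses the first chain whose matcher accepts the request. The +/- markers are lost on this page, but the 13-to-11 line count and the commit title suggest the two `sort(AnnotationAwareOrderComparator.INSTANCE)` calls are the removed lines, which leaves the order to the container's list injection. If so, I would add above each assignment something like `// Already ordered by the container, which honours @Order on @Bean methods; re-sorting by instance would lose that`, so a later change does not reintroduce the sort and let a broad chain shadow a narrower one.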
|
|
|
@ -19,8 +19,12 @@ package org.springframework.security.config.annotation.web.configuration;
|
|||
import java.io.Serializable;
|
||||
import java.lang.reflect.Method;
|
||||
import java.lang.reflect.Modifier;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
|
||||
|
@ -131,6 +135,19 @@ public class WebSecurityConfigurationTests {
|
|||
assertThat(filterChains.get(3).matches(request)).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
|
||||
this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
|
||||
FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
|
||||
List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
|
||||
assertThat(filterChains).hasSize(2);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.setServletPath("/role1/**");
|
||||
assertThat(filterChains.get(0).matches(request)).isTrue();
|
||||
request.setServletPath("/role2/**");
|
||||
assertThat(filterChains.get(1).matches(request)).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() {
|
||||
assertThatExceptionOfType(BeanCreationException.class)
|
||||
|
@ -472,6 +489,45 @@ public class WebSecurityConfigurationTests {
|
|||
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class OrderOnBeanDefinitionsSecurityFilterChainConfig {
|
||||
|
||||
@Bean
|
||||
@Order(1)
|
||||
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Bean
|
||||
TestSecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
|
||||
return new TestSecurityFilterChain();
|
||||
}
|
||||
|
||||
@Order(2)
|
||||
static class TestSecurityFilterChain implements SecurityFilterChain {
|
||||
|
||||
@Override
|
||||
public boolean matches(HttpServletRequest request) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Filter> getFilters() {
|
||||
return new ArrayList<>();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class DuplicateOrderConfig {
|
||||
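Review bot: The assertion on `filterChains.get(1)` in the new test cannot fail on its own, because `TestSecurityFilterChain.matches` returns `true` for every request; the order is pinned only indirectly, through the `/role1/**` chain not matching the second path. Stating it directly would make a regression easier to read, e.g. add `assertThat(filterChains.get(0).matches(request)).isFalse();` after `request.setServletPath("/role2/**");`. The servlet paths reuse the matcher patterns (`"/role1/**"`) as literal request paths, which works but reads like a pattern; a concrete path such as `"/role1/resource"` would be clearer. `securityFilterChain2` also takes an `HttpSecurity` parameter it never uses.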
|
|