Polish no-parameter authorizeHttpRequests

- Cleaned up JavaDoc - Updated implementation to align with no-parameter authorizeRequests - Updated test names and content for clarity, specifically identified tests that target no-parameter authorizeHttpRequests with noParameter in the name - Switched order of methods to match others in HttpSecurity - Updated copyright year Issue gh-9498
2025-05-31 17:22:13 +00:00 · 2021-05-21 15:19:59 -06:00 · 2021-05-21 15:19:59 -06:00 · e91cacfdaf
commit e91cacfdaf
parent 3820f0f3a3
2 changed files with 88 additions and 70 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@ -1281,11 +1281,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeHttpRequests
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			)
-	 * 			.formLogin(withDefaults());
+	 * 			.authorizeHttpRequests()
+	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.and()
+	 * 			.formLogin();
 	 * 	}
 	 * }
 	 * </pre>
@ -1302,12 +1301,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 			.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 				authorizeHttpRequests
-	 * 					.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			)
-	 * 			.formLogin(withDefaults());
+	 * 			.authorizeHttpRequests()
+	 * 				.antMatchers(&quot;/admin&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.and()
+	 * 			.formLogin();
 	 * 	}
 	 * }
 	 * </pre>
@ -1320,32 +1318,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * &#064;Configuration
 	 * &#064;EnableWebSecurity
 	 * public class AuthorizeUrlsSecurityConfig extends WebSecurityConfigurerAdapter {
-	 *HttpSecurity.java
+	 *
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 * 		 	.authorizeHttpRequests((authorizeHttpRequests) -&gt;
-	 * 		 		authorizeHttpRequests
-	 * 			 		.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
-	 * 			 		.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
-	 * 		 	);
+	 * 			.authorizeHttpRequests()
+	 * 				.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 				.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 				.and()
+	 * 			.formLogin();
 	 * 	}
 	 * }
 	 * </pre>
-	 * @param authorizeHttpRequestsCustomizer the {@link Customizer} to provide more
-	 * options for the {@link AuthorizationManagerRequestMatcherRegistry}
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
-	 * @since 5.5
+	 * @since 5.6
 	 * @see #requestMatcher(RequestMatcher)
 	 */
-	public HttpSecurity authorizeHttpRequests(
-			Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
+	public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests()
 			throws Exception {
 		ApplicationContext context = getContext();
-		authorizeHttpRequestsCustomizer
-				.customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry());
-		return HttpSecurity.this;
+		return getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry();
 	}

 	/**
@ -1366,10 +1359,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 *     .authorizeHttpRequests()
-	 *         .antMatchers(&quot;/**&quot;).hasRoles(&quot;USER&quot;)
-	 *         .and()
-	 *     .formLogin();
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) ->
+	 * 				authorizeHttpRequests
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
+	 * 			.formLogin(withDefaults());
 	 * 	}
 	 * }
 	 * </pre>
@ -1386,10 +1380,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 *     .authorizeHttpRequests()
-	 *         .antMatchers(&quot;/**&quot;).hasRoles(&quot;USER&quot;)
-	 *         .and()
-	 *     .formLogin();
+	 * 			.authorizeHttpRequests((authorizeHttpRequests) ->
+	 * 				authorizeHttpRequests
+	 * 					.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 					.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			)
 	 * 			.formLogin(withDefaults());
 	 * 	}
 	 * }
@ -1407,24 +1402,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 	&#064;Override
 	 * 	protected void configure(HttpSecurity http) throws Exception {
 	 * 		http
-	 *     .authorizeHttpRequests()
-	 *         .antMatchers(&quot;/**&quot;).hasRoles(&quot;USER&quot;)
-	 *         .and()
-	 *     .formLogin();
+	 * 		 	.authorizeHttpRequests((authorizeHttpRequests) ->
+	 * 		 		authorizeHttpRequests
+	 * 			 		.antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;)
+	 * 			 		.antMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+	 * 		 	);
 	 * 	}
 	 * }
 	 * </pre>
+	 * @param authorizeHttpRequestsCustomizer the {@link Customizer} to provide more
+	 * options for the {@link AuthorizationManagerRequestMatcherRegistry}
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 * @since 5.5
 	 * @see #requestMatcher(RequestMatcher)
 	 */
-	public HttpSecurity authorizeHttpRequests() throws Exception {
-		ApplicationContext applicationContext = getContext();
-		Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer = Customizer
-				.withDefaults();
+	public HttpSecurity authorizeHttpRequests(
+			Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
+			throws Exception {
+		ApplicationContext context = getContext();
 		authorizeHttpRequestsCustomizer
-				.customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(applicationContext)).getRegistry());
+				.customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry());
 		return HttpSecurity.this;
 	}

--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
@ -73,9 +73,9 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	}

 	@Test
-	public void configureWhenAuthorizedHttpRequestsAndNoRequestsThenExceptionWithDefaultConfig() {
+	public void configureNoParameterWhenAuthorizedHttpRequestsAndNoRequestsThenException() {
 		assertThatExceptionOfType(BeanCreationException.class)
-				.isThrownBy(() -> this.spring.register(NoRequestsConfigWithDefaultConfig.class).autowire())
+				.isThrownBy(() -> this.spring.register(NoRequestsNoParameterConfig.class).autowire())
 				.withMessageContaining(
 						"At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())");
 	}
@ -88,11 +88,10 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	}

 	@Test
-	public void configureWhenAnyRequestIncompleteMappingDefaultConfigThenException() {
+	public void configureNoParameterWhenAnyRequestIncompleteMappingThenException() {
 		assertThatExceptionOfType(BeanCreationException.class)
-		this.spring.register(IncompleteMappingConfigWithDefaultConfig.class, BasicController.class).autowire();
-		this.mvc.perform(get("/")).andExpect(status().isOk());
-		verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any());
+				.isThrownBy(() -> this.spring.register(IncompleteMappingNoParameterConfig.class).autowire())
+				.withMessageContaining("An incomplete mapping was found for ");
 	}

 	@Test
@ -111,11 +110,11 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	}

 	@Test
-	public void configureMvcMatcherAccessAuthorizationManagerOnDefault() throws Exception {
-		CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class);
-		this.spring.register(IncompleteMappingConfigWithDefaultConfig.class).autowire();
-		this.mvc.perform(get("/")).andExpect(status().isUnauthorized());
-		verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any());
+	public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
+		CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class);
+		this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire();
+		this.mvc.perform(get("/")).andExpect(status().isOk());
+		verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any());
 	}

 	@Test
@ -395,29 +394,16 @@ public class AuthorizeHttpRequestsConfigurerTests {
 	}

 	@EnableWebSecurity
-	static class NoRequestsConfigWithDefaultConfig {
+	static class NoRequestsNoParameterConfig {

 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
-			return http
-					.authorizeHttpRequests()
-					.build();
+			http
+				.authorizeHttpRequests();
 			// @formatter:on
-		}

-	}
-
-	@EnableWebSecurity
-	static class IncompleteMappingConfigWithDefaultConfig {
-
-		@Bean
-		FormLoginConfigurer<HttpSecurity> filterChain(HttpSecurity http) throws Exception {
-			// @formatter:off
-			return http
-					.authorizeHttpRequests()
-					.formLogin();
-			// @formatter:on
+			return http.build();
 		}

 	}
@ -436,6 +422,22 @@ public class AuthorizeHttpRequestsConfigurerTests {

 	}

+	@EnableWebSecurity
+	static class IncompleteMappingNoParameterConfig {
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.authorizeHttpRequests()
+					.anyRequest();
+			// @formatter:on
+
+			return http.build();
+		}
+
+	}
+
 	@EnableWebSecurity
 	static class AfterAnyRequestConfig {

@ -471,6 +473,24 @@ public class AuthorizeHttpRequestsConfigurerTests {

 	}

+	@EnableWebSecurity
+	static class CustomAuthorizationManagerNoParameterConfig {
+
+		static AuthorizationManager<RequestAuthorizationContext> authorizationManager;
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeHttpRequests()
+					.anyRequest().access(authorizationManager);
+			// @formatter:on
+
+			return http.build();
+		}
+
+	}
+
 	@EnableWebSecurity
 	static class ObjectPostProcessorConfig {