Add shouldFilterAllDispatcherTypes to Kotlin DSL

Closes gh-11153
2022-04-25 14:20:56 -03:00 · 2022-04-25 14:20:56 -03:00 · e94adedb94
parent 8e34cedcfe
commit e94adedb94
3 changed files with 174 additions and 0 deletions
--- a/config/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeHttpRequestsDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeHttpRequestsDsl.kt
@ -24,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.access.intercept.AuthorizationFilter
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
 import org.springframework.security.web.util.matcher.AnyRequestMatcher
 import org.springframework.security.web.util.matcher.RequestMatcher
@ -35,8 +36,11 @@ import java.util.function.Supplier
 *
 * @author Yuriy Savchenko
 * @since 5.7
 * @property shouldFilterAllDispatcherTypes whether the [AuthorizationFilter] should filter all dispatcher types
 */
 class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
    var shouldFilterAllDispatcherTypes: Boolean? = null
    private val authorizationRules = mutableListOf<AuthorizationManagerRule>()
    private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
@ -248,6 +252,9 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
                    }
                }
            }
            shouldFilterAllDispatcherTypes?.also { shouldFilter ->
                requests.shouldFilterAllDispatcherTypes(shouldFilter)
            }
        }
    }
 }
--- a/config/src/test/kotlin/org/springframework/security/config/web/servlet/AuthorizeHttpRequestsDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/servlet/AuthorizeHttpRequestsDslTests.kt
@ -53,7 +53,9 @@ import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.config.annotation.EnableWebMvc
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 import org.springframework.web.util.WebUtils
 import java.util.function.Supplier
 import javax.servlet.DispatcherType
 /**
 * Tests for [AuthorizeHttpRequestsDsl]
@ -641,4 +643,155 @@ class AuthorizeHttpRequestsDslTests {
            return http.build()
        }
    }
    @Test
    fun `request when shouldFilterAllDispatcherTypes and denyAll and ERROR then responds with forbidden`() {
        this.spring.register(ShouldFilterAllDispatcherTypesTrueDenyAllConfig::class.java).autowire()
        this.mockMvc.perform(get("/path")
            .with { request ->
                request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
                request.apply {
                    dispatcherType = DispatcherType.ERROR
                }
            })
            .andExpect(status().isForbidden)
    }
    @EnableWebSecurity
    @EnableWebMvc
    open class ShouldFilterAllDispatcherTypesTrueDenyAllConfig {
        @Bean
        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                authorizeHttpRequests {
                    shouldFilterAllDispatcherTypes = true
                    authorize(anyRequest, denyAll)
                }
            }
            return http.build()
        }
        @RestController
        internal class PathController {
            @RequestMapping("/path")
            fun path() {
            }
        }
    }
    @Test
    fun `request when shouldFilterAllDispatcherTypes and permitAll and ERROR then responds with ok`() {
        this.spring.register(ShouldFilterAllDispatcherTypesTruePermitAllConfig::class.java).autowire()
        this.mockMvc.perform(get("/path")
            .with { request ->
                request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
                request.apply {
                    dispatcherType = DispatcherType.ERROR
                }
            })
            .andExpect(status().isOk)
    }
    @EnableWebSecurity
    @EnableWebMvc
    open class ShouldFilterAllDispatcherTypesTruePermitAllConfig {
        @Bean
        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                authorizeHttpRequests {
                    shouldFilterAllDispatcherTypes = true
                    authorize(anyRequest, permitAll)
                }
            }
            return http.build()
        }
        @RestController
        internal class PathController {
            @RequestMapping("/path")
            fun path() {
            }
        }
    }
    @Test
    fun `request when shouldFilterAllDispatcherTypes false and ERROR dispatcher then responds with ok`() {
        this.spring.register(ShouldFilterAllDispatcherTypesFalseAndDenyAllConfig::class.java).autowire()
        this.mockMvc.perform(get("/path")
            .with { request ->
                request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
                request.apply {
                    dispatcherType = DispatcherType.ERROR
                }
            })
            .andExpect(status().isOk)
    }
    @EnableWebSecurity
    @EnableWebMvc
    open class ShouldFilterAllDispatcherTypesFalseAndDenyAllConfig {
        @Bean
        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                authorizeHttpRequests {
                    shouldFilterAllDispatcherTypes = false
                    authorize(anyRequest, denyAll)
                }
            }
            return http.build()
        }
        @RestController
        internal class PathController {
            @RequestMapping("/path")
            fun path() {
            }
        }
    }
    @Test
    fun `request when shouldFilterAllDispatcherTypes omitted and ERROR dispatcher then responds with ok`() {
        this.spring.register(ShouldFilterAllDispatcherTypesOmittedAndDenyAllConfig::class.java).autowire()
        this.mockMvc.perform(get("/path")
            .with { request ->
                request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
                request.apply {
                    dispatcherType = DispatcherType.ERROR
                }
            })
            .andExpect(status().isOk)
    }
    @EnableWebSecurity
    @EnableWebMvc
    open class ShouldFilterAllDispatcherTypesOmittedAndDenyAllConfig {
        @Bean
        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                authorizeHttpRequests {
                    authorize(anyRequest, denyAll)
                }
            }
            return http.build()
        }
        @RestController
        internal class PathController {
            @RequestMapping("/path")
            fun path() {
            }
        }
    }
 }
--- a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc
@ -190,4 +190,18 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
    return http.build();
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 open fun web(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeHttpRequests {
            shouldFilterAllDispatcherTypes = true
            authorize(anyRequest, authenticated)
        }
    }
    return http.build()
 }
 ----
 ====