Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/5.8.x'

This commit is contained in:
Josh Cummings 2022-10-05 21:45:26 -06:00
parent ee9449dbfe 4ddec07d0e
commit eeb28e4f91
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
View File

@ -48,6 +48,8 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
private final List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings; private final List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings;
private AuthorizationManager<RequestAuthorizationContext> defaultManager = (authentication, request) -> null;
private RequestMatcherDelegatingAuthorizationManager( private RequestMatcherDelegatingAuthorizationManager(
List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings) { List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings) {
Assert.notEmpty(mappings, "mappings cannot be empty"); Assert.notEmpty(mappings, "mappings cannot be empty");
@ -81,8 +83,10 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
new RequestAuthorizationContext(request, matchResult.getVariables())); new RequestAuthorizationContext(request, matchResult.getVariables()));
} }
} }
this.logger.trace("Abstaining since did not find matching RequestMatcher"); if (this.logger.isTraceEnabled()) {
return null; this.logger.trace(LogMessage.format("Checking authorization on %s using %s", request, this.defaultManager));
}
return this.defaultManager.check(authentication, new RequestAuthorizationContext(request));
} }
/** /**
@ -93,6 +97,21 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
return new Builder(); return new Builder();
} }
/**
* Use this {@link AuthorizationManager} if the request fails to match any other
* configured {@link AuthorizationManager}.
*
* <p>
* This is specifically handy when considering whether to accept or deny requests by
* default. The default is to abstain from deciding on requests that don't match
* configuration.
* @param authorizationManager the {@link AuthorizationManager} to use
* @since 5.8
*/
public void setDefaultAuthorizationManager(AuthorizationManager<RequestAuthorizationContext> authorizationManager) {
this.defaultManager = authorizationManager;
}
/** /**
* A builder for {@link RequestMatcherDelegatingAuthorizationManager}. * A builder for {@link RequestMatcherDelegatingAuthorizationManager}.
*/ */

19
web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java
View File

@ -24,6 +24,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher; import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.AnyRequestMatcher;
@ -31,6 +32,10 @@ import org.springframework.security.web.util.matcher.RequestMatcherEntry;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/** /**
* Tests for {@link RequestMatcherDelegatingAuthorizationManager}. * Tests for {@link RequestMatcherDelegatingAuthorizationManager}.
@ -115,6 +120,20 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
assertThat(unmapped.isGranted()).isFalse(); assertThat(unmapped.isGranted()).isFalse();
} }
@Test
public void checkWhenNoMatchesThenUsesDefaultAuthorizationManager() {
RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
.add((request) -> false, (authentication, context) -> new AuthorizationDecision(false)).build();
AuthorizationManager<RequestAuthorizationContext> defaultManager = mock(AuthorizationManager.class);
given(defaultManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
manager.setDefaultAuthorizationManager(defaultManager);
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password");
AuthorizationDecision decision = manager.check(authentication, new MockHttpServletRequest(null, "/endpoint"));
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
verify(defaultManager).check(any(), any());
}
@Test @Test
public void addWhenMappingsConsumerNullThenException() { public void addWhenMappingsConsumerNullThenException() {
assertThatIllegalArgumentException() assertThatIllegalArgumentException()