Disable default logout page when logout disabled
Closes gh-9475
This commit is contained in:
parent
67a18f564a
commit
f91608dcba
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2013 the original author or authors.
|
* Copyright 2002-2021 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -100,8 +100,11 @@ public final class DefaultLoginPageConfigurer<H extends HttpSecurityBuilder<H>>
|
||||||
if (loginPageGeneratingFilter.isEnabled() && authenticationEntryPoint == null) {
|
if (loginPageGeneratingFilter.isEnabled() && authenticationEntryPoint == null) {
|
||||||
loginPageGeneratingFilter = postProcess(loginPageGeneratingFilter);
|
loginPageGeneratingFilter = postProcess(loginPageGeneratingFilter);
|
||||||
http.addFilter(loginPageGeneratingFilter);
|
http.addFilter(loginPageGeneratingFilter);
|
||||||
|
LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
|
||||||
|
if (logoutConfigurer != null) {
|
||||||
http.addFilter(this.logoutPageGeneratingFilter);
|
http.addFilter(this.logoutPageGeneratingFilter);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -3266,7 +3266,10 @@ public class ServerHttpSecurity {
|
||||||
}
|
}
|
||||||
if (loginPage != null) {
|
if (loginPage != null) {
|
||||||
http.addFilterAt(loginPage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING);
|
http.addFilterAt(loginPage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING);
|
||||||
http.addFilterAt(new LogoutPageGeneratingWebFilter(), SecurityWebFiltersOrder.LOGOUT_PAGE_GENERATING);
|
if (http.logout != null) {
|
||||||
|
http.addFilterAt(new LogoutPageGeneratingWebFilter(),
|
||||||
|
SecurityWebFiltersOrder.LOGOUT_PAGE_GENERATING);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2019 the original author or authors.
|
* Copyright 2002-2021 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -44,11 +44,14 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||||
import static org.mockito.ArgumentMatchers.any;
|
import static org.mockito.ArgumentMatchers.any;
|
||||||
import static org.mockito.Mockito.spy;
|
import static org.mockito.Mockito.spy;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
|
import static org.springframework.security.config.Customizer.withDefaults;
|
||||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||||
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
||||||
|
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Tests for {@link DefaultLoginPageConfigurer}
|
* Tests for {@link DefaultLoginPageConfigurer}
|
||||||
|
@ -217,6 +220,18 @@ public class DefaultLoginPageConfigurerTests {
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void formLoginWhenLogoutEnabledThenCreatesDefaultLogoutPage() throws Exception {
|
||||||
|
this.spring.register(DefaultLogoutPageConfig.class).autowire();
|
||||||
|
this.mvc.perform(get("/logout").with(user("user"))).andExpect(status().isOk());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void formLoginWhenLogoutDisabledThenDefaultLogoutPageDoesNotExist() throws Exception {
|
||||||
|
this.spring.register(LogoutDisabledConfig.class).autowire();
|
||||||
|
this.mvc.perform(get("/logout").with(user("user"))).andExpect(status().isNotFound());
|
||||||
|
}
|
||||||
|
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
static class DefaultLoginPageConfig extends WebSecurityConfigurerAdapter {
|
static class DefaultLoginPageConfig extends WebSecurityConfigurerAdapter {
|
||||||
@Override
|
@Override
|
||||||
|
@ -552,6 +567,41 @@ public class DefaultLoginPageConfigurerTests {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class DefaultLogoutPageConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.authorizeRequests((authorize) -> authorize
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
)
|
||||||
|
.formLogin(withDefaults());
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.authorizeRequests((authorize) -> authorize
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
)
|
||||||
|
.formLogin(withDefaults())
|
||||||
|
.logout((logout) -> logout
|
||||||
|
.disable()
|
||||||
|
);
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
static class ReflectingObjectPostProcessor implements ObjectPostProcessor<Object> {
|
static class ReflectingObjectPostProcessor implements ObjectPostProcessor<Object> {
|
||||||
@Override
|
@Override
|
||||||
public <O> O postProcess(O object) {
|
public <O> O postProcess(O object) {
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2019 the original author or authors.
|
* Copyright 2002-2021 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -25,7 +25,10 @@ import org.springframework.security.web.server.context.WebSessionServerSecurityC
|
||||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
|
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
|
||||||
import org.springframework.test.web.reactive.server.WebTestClient;
|
import org.springframework.test.web.reactive.server.WebTestClient;
|
||||||
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
|
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
|
||||||
|
import org.springframework.web.bind.annotation.GetMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
import static org.springframework.security.config.Customizer.withDefaults;
|
import static org.springframework.security.config.Customizer.withDefaults;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -167,7 +170,8 @@ public class LogoutSpecTests {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void logoutWhenDisabledThenPostToLogoutDoesNothing() {
|
public void logoutWhenDisabledThenDefaultLogoutPageDoesNotExist() {
|
||||||
|
// @formatter:off
|
||||||
SecurityWebFilterChain securityWebFilter = this.http
|
SecurityWebFilterChain securityWebFilter = this.http
|
||||||
.authorizeExchange()
|
.authorizeExchange()
|
||||||
.anyExchange().authenticated()
|
.anyExchange().authenticated()
|
||||||
|
@ -177,7 +181,7 @@ public class LogoutSpecTests {
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
WebTestClient webTestClient = WebTestClientBuilder
|
WebTestClient webTestClient = WebTestClientBuilder
|
||||||
.bindToWebFilters(securityWebFilter)
|
.bindToControllerAndWebFilters(HomeController.class, securityWebFilter)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
WebDriver driver = WebTestClientHtmlUnitDriverBuilder
|
WebDriver driver = WebTestClientHtmlUnitDriverBuilder
|
||||||
|
@ -191,15 +195,10 @@ public class LogoutSpecTests {
|
||||||
.username("user")
|
.username("user")
|
||||||
.password("password")
|
.password("password")
|
||||||
.submit(FormLoginTests.HomePage.class);
|
.submit(FormLoginTests.HomePage.class);
|
||||||
|
// @formatter:on
|
||||||
homePage.assertAt();
|
homePage.assertAt();
|
||||||
|
FormLoginTests.DefaultLogoutPage.to(driver);
|
||||||
FormLoginTests.DefaultLogoutPage.to(driver)
|
assertThat(driver.getPageSource()).isEmpty();
|
||||||
.assertAt()
|
|
||||||
.logout();
|
|
||||||
|
|
||||||
homePage
|
|
||||||
.assertAt();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -243,4 +242,15 @@ public class LogoutSpecTests {
|
||||||
FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
|
FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
|
||||||
.assertAt();
|
.assertAt();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
public static class HomeController {
|
||||||
|
|
||||||
|
@GetMapping("/")
|
||||||
|
public String ok() {
|
||||||
|
return "ok";
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue