Polish 'Allow remote devtools access with Spring Security'
See gh-25868
This commit is contained in:
Phillip Webb
parent
9b2e13aace
commit
0699fdcc8a
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2012-2020 the original author or authors.
|
* Copyright 2012-2021 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
|
@ -48,6 +48,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
||||||
* of the custom security configuration.
|
* of the custom security configuration.
|
||||||
*
|
*
|
||||||
* @author Madhura Bhave
|
* @author Madhura Bhave
|
||||||
|
* @author Hatef Palizgar
|
||||||
* @since 2.1.0
|
* @since 2.1.0
|
||||||
*/
|
*/
|
||||||
@Configuration(proxyBeanMethods = false)
|
@Configuration(proxyBeanMethods = false)
|
||||||
|
|
|
||||||
|
|
@ -17,19 +17,11 @@
|
||||||
package org.springframework.boot.actuate.autoconfigure.security.servlet;
|
package org.springframework.boot.actuate.autoconfigure.security.servlet;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.Comparator;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
|
||||||
import java.util.Optional;
|
|
||||||
import java.util.concurrent.ConcurrentHashMap;
|
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
import org.jetbrains.annotations.NotNull;
|
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
|
|
||||||
import org.springframework.beans.factory.annotation.AnnotatedBeanDefinition;
|
|
||||||
import org.springframework.beans.factory.config.BeanDefinitionHolder;
|
|
||||||
import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
|
import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
|
||||||
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
|
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
|
||||||
import org.springframework.boot.actuate.autoconfigure.env.EnvironmentEndpointAutoConfiguration;
|
import org.springframework.boot.actuate.autoconfigure.env.EnvironmentEndpointAutoConfiguration;
|
||||||
|
|
@ -44,13 +36,8 @@ import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfi
|
||||||
import org.springframework.boot.test.context.FilteredClassLoader;
|
import org.springframework.boot.test.context.FilteredClassLoader;
|
||||||
import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
|
import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
|
||||||
import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
|
import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
|
||||||
import org.springframework.context.ConfigurableApplicationContext;
|
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.core.Ordered;
|
|
||||||
import org.springframework.core.ResolvableType;
|
|
||||||
import org.springframework.core.annotation.AnnotationAttributes;
|
|
||||||
import org.springframework.core.annotation.AnnotationUtils;
|
|
||||||
import org.springframework.core.annotation.Order;
|
import org.springframework.core.annotation.Order;
|
||||||
import org.springframework.http.HttpStatus;
|
import org.springframework.http.HttpStatus;
|
||||||
import org.springframework.mock.web.MockFilterChain;
|
import org.springframework.mock.web.MockFilterChain;
|
||||||
|
|
@ -71,6 +58,7 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||||
* Tests for {@link ManagementWebSecurityAutoConfiguration}.
|
* Tests for {@link ManagementWebSecurityAutoConfiguration}.
|
||||||
*
|
*
|
||||||
* @author Madhura Bhave
|
* @author Madhura Bhave
|
||||||
|
* @author Hatef Palizgar
|
||||||
*/
|
*/
|
||||||
class ManagementWebSecurityAutoConfigurationTests {
|
class ManagementWebSecurityAutoConfigurationTests {
|
||||||
|
|
||||||
|
|
@ -139,7 +127,7 @@ class ManagementWebSecurityAutoConfigurationTests {
|
||||||
@Test
|
@Test
|
||||||
void backsOffIfSecurityFilterChainBeanIsPresent() {
|
void backsOffIfSecurityFilterChainBeanIsPresent() {
|
||||||
this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {
|
this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {
|
||||||
assertThat(context.getBeansOfType(SecurityFilterChain.class)).isNotEmpty();
|
assertThat(context.getBeansOfType(SecurityFilterChain.class)).hasSize(1);
|
||||||
assertThat(context.containsBean("testSecurityFilterChain")).isTrue();
|
assertThat(context.containsBean("testSecurityFilterChain")).isTrue();
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
@ -166,26 +154,19 @@ class ManagementWebSecurityAutoConfigurationTests {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void backOffIfRemoteDevToolsSecurityFilterChainIsPresent() {
|
void backOffIfRemoteDevToolsSecurityFilterChainIsPresent() {
|
||||||
this.contextRunner.withUserConfiguration(TestSecurityFilterChainConfig.class).run((context) -> {
|
this.contextRunner.withUserConfiguration(TestRemoteDevToolsSecurityFilterChainConfig.class).run((context) -> {
|
||||||
List<String> beanNames = getOrderedBeanNames(context);
|
SecurityFilterChain testSecurityFilterChain = context.getBean("testSecurityFilterChain",
|
||||||
|
SecurityFilterChain.class);
|
||||||
assertThat(beanNames).containsExactly("testRemoteDevToolsSecurityFilterChain", "testSecurityFilterChain");
|
SecurityFilterChain testRemoteDevToolsSecurityFilterChain = context
|
||||||
assertThat(context.getBeansOfType(SecurityFilterChain.class).size()).isEqualTo(2);
|
.getBean("testRemoteDevToolsSecurityFilterChain", SecurityFilterChain.class);
|
||||||
|
List<SecurityFilterChain> orderedSecurityFilterChains = context.getBeanProvider(SecurityFilterChain.class)
|
||||||
|
.orderedStream().collect(Collectors.toList());
|
||||||
|
assertThat(orderedSecurityFilterChains).containsExactly(testRemoteDevToolsSecurityFilterChain,
|
||||||
|
testSecurityFilterChain);
|
||||||
assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class);
|
assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class);
|
||||||
assertThat(context.containsBean("testRemoteDevToolsSecurityFilterChain")).isTrue();
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@NotNull
|
|
||||||
private List<String> getOrderedBeanNames(AssertableWebApplicationContext context) {
|
|
||||||
return Arrays.stream(context.getBeanNamesForType(SecurityFilterChain.class))
|
|
||||||
.map((beanName) -> Optional.of(context).map(ConfigurableApplicationContext::getBeanFactory)
|
|
||||||
.map((beanFactory) -> beanFactory.getBeanDefinition(beanName))
|
|
||||||
.map((beanDefinition) -> new BeanDefinitionHolder(beanDefinition, beanName)).orElse(null))
|
|
||||||
.sorted(OrderAnnotatedBeanDefinitionComparator.INSTANCE).map(BeanDefinitionHolder::getBeanName)
|
|
||||||
.collect(Collectors.toList());
|
|
||||||
}
|
|
||||||
|
|
||||||
private HttpStatus getResponseStatus(AssertableWebApplicationContext context, String path)
|
private HttpStatus getResponseStatus(AssertableWebApplicationContext context, String path)
|
||||||
throws IOException, javax.servlet.ServletException {
|
throws IOException, javax.servlet.ServletException {
|
||||||
FilterChainProxy filterChainProxy = context.getBean(FilterChainProxy.class);
|
FilterChainProxy filterChainProxy = context.getBean(FilterChainProxy.class);
|
||||||
|
|
@ -223,6 +204,11 @@ class ManagementWebSecurityAutoConfigurationTests {
|
||||||
.build();
|
.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Configuration(proxyBeanMethods = false)
|
||||||
|
static class TestRemoteDevToolsSecurityFilterChainConfig extends TestSecurityFilterChainConfig {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
|
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
|
||||||
SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception {
|
SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception {
|
||||||
|
|
@ -232,48 +218,4 @@ class ManagementWebSecurityAutoConfigurationTests {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static class OrderAnnotatedBeanDefinitionComparator implements Comparator<BeanDefinitionHolder> {
|
|
||||||
|
|
||||||
static final OrderAnnotatedBeanDefinitionComparator INSTANCE = new OrderAnnotatedBeanDefinitionComparator();
|
|
||||||
|
|
||||||
private final Map<String, Integer> beanNameToOrder = new ConcurrentHashMap<>();
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public int compare(BeanDefinitionHolder beanOne, BeanDefinitionHolder beanTwo) {
|
|
||||||
return getOrder(beanOne).compareTo(getOrder(beanTwo));
|
|
||||||
}
|
|
||||||
|
|
||||||
private Integer getOrder(BeanDefinitionHolder bean) {
|
|
||||||
return this.beanNameToOrder.computeIfAbsent(bean.getBeanName(),
|
|
||||||
(beanName) -> Optional.of(bean).map(BeanDefinitionHolder::getBeanDefinition)
|
|
||||||
.filter(AnnotatedBeanDefinition.class::isInstance).map(AnnotatedBeanDefinition.class::cast)
|
|
||||||
.map(this::getOrderAnnotationAttributesFromFactoryMethod).map(this::getOrder)
|
|
||||||
.orElse(Ordered.LOWEST_PRECEDENCE));
|
|
||||||
}
|
|
||||||
|
|
||||||
private Integer getOrder(AnnotationAttributes annotationAttributes) {
|
|
||||||
return Optional.ofNullable(annotationAttributes)
|
|
||||||
.map((it) -> it.getOrDefault("value", Ordered.LOWEST_PRECEDENCE)).map(Integer.class::cast)
|
|
||||||
.orElse(Ordered.LOWEST_PRECEDENCE);
|
|
||||||
}
|
|
||||||
|
|
||||||
private AnnotationAttributes getOrderAnnotationAttributesFromFactoryMethod(
|
|
||||||
AnnotatedBeanDefinition beanDefinition) {
|
|
||||||
return Optional.of(beanDefinition).map(AnnotatedBeanDefinition::getFactoryMethodMetadata)
|
|
||||||
.filter((methodMetadata) -> methodMetadata.isAnnotated(Order.class.getName()))
|
|
||||||
.map((methodMetadata) -> methodMetadata.getAnnotationAttributes(Order.class.getName()))
|
|
||||||
.map(AnnotationAttributes::fromMap)
|
|
||||||
.orElseGet(() -> getOrderAnnotationAttributesFromBeanClass(beanDefinition));
|
|
||||||
}
|
|
||||||
|
|
||||||
private AnnotationAttributes getOrderAnnotationAttributesFromBeanClass(AnnotatedBeanDefinition beanDefinition) {
|
|
||||||
return Optional.of(beanDefinition).map(AnnotatedBeanDefinition::getResolvableType)
|
|
||||||
.map(ResolvableType::resolve).filter((beanType) -> beanType.isAnnotationPresent(Order.class))
|
|
||||||
.map((beanType) -> beanType.getAnnotation(Order.class))
|
|
||||||
.map(AnnotationUtils::getAnnotationAttributes).map(AnnotationAttributes::fromMap).orElse(null);
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue