Ensure that Spring Security Filter's order is configured
This commit ensures that even when a user specifies a WebSecurityConfiguration that the order of Spring Security's Filter is still configured. Closes gh-3824 See gh-3703
This commit is contained in:
Rob Winch
Andy Wilkinson
parent
9dec0971d6
commit
868589366e
|
|
@ -0,0 +1,52 @@
|
|||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.boot.autoconfigure.security;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Qualifier;
|
||||
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
|
||||
import org.springframework.boot.context.embedded.FilterRegistrationBean;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
|
||||
|
||||
/**
|
||||
* Configures the ordering for Spring Security's Filter.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 1.3
|
||||
*/
|
||||
@Configuration
|
||||
@ConditionalOnWebApplication
|
||||
@EnableConfigurationProperties
|
||||
@AutoConfigureAfter(SpringBootWebSecurityConfiguration.class)
|
||||
public class SecurityFilterRegistrationAutoConfiguration {
|
||||
@Bean
|
||||
@ConditionalOnBean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
|
||||
public FilterRegistrationBean securityFilterChainRegistration(
|
||||
@Qualifier(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) Filter securityFilter,
|
||||
SecurityProperties securityProperties) {
|
||||
FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
|
||||
registration.setOrder(securityProperties.getFilterOrder());
|
||||
registration
|
||||
.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
|
||||
return registration;
|
||||
}
|
||||
}
|
||||
|
|
@ -20,13 +20,10 @@ import java.util.ArrayList;
|
|||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Qualifier;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
|
|
@ -34,7 +31,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplicat
|
|||
import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers;
|
||||
import org.springframework.boot.autoconfigure.web.ErrorController;
|
||||
import org.springframework.boot.autoconfigure.web.ServerProperties;
|
||||
import org.springframework.boot.context.embedded.FilterRegistrationBean;
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
|
@ -50,7 +46,6 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
|
|||
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
|
||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
|
||||
import org.springframework.security.web.header.writers.HstsHeaderWriter;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
|
@ -98,18 +93,6 @@ public class SpringBootWebSecurityConfiguration {
|
|||
return new IgnoredPathsWebSecurityConfigurerAdapter();
|
||||
}
|
||||
|
||||
@Bean
|
||||
@ConditionalOnBean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
|
||||
public FilterRegistrationBean securityFilterChainRegistration(
|
||||
@Qualifier(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) Filter securityFilter,
|
||||
SecurityProperties securityProperties) {
|
||||
FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
|
||||
registration.setOrder(securityProperties.getFilterOrder());
|
||||
registration
|
||||
.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
|
||||
return registration;
|
||||
}
|
||||
|
||||
public static void configureHeaders(HeadersConfigurer<?> configurer,
|
||||
SecurityProperties.Headers headers) throws Exception {
|
||||
if (headers.getHsts() != Headers.HSTS.NONE) {
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\
|
|||
org.springframework.boot.autoconfigure.reactor.ReactorAutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.redis.RedisAutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.security.SecurityFilterRegistrationAutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.security.FallbackWebSecurityAutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.security.oauth2.OAuth2AutoConfiguration,\
|
||||
org.springframework.boot.autoconfigure.sendgrid.SendGridAutoConfiguration,\
|
||||
|
|
|
|||
|
|
@ -21,6 +21,9 @@ import java.util.List;
|
|||
import org.junit.After;
|
||||
import org.junit.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfigurationImportSelector;
|
||||
import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration;
|
||||
import org.springframework.boot.autoconfigure.TestAutoConfigurationPackage;
|
||||
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
|
||||
|
|
@ -31,9 +34,13 @@ import org.springframework.boot.context.embedded.FilterRegistrationBean;
|
|||
import org.springframework.boot.test.EnvironmentTestUtils;
|
||||
import org.springframework.context.ApplicationEvent;
|
||||
import org.springframework.context.ApplicationListener;
|
||||
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.core.io.DefaultResourceLoader;
|
||||
import org.springframework.core.type.StandardAnnotationMetadata;
|
||||
import org.springframework.mock.env.MockEnvironment;
|
||||
import org.springframework.mock.web.MockServletContext;
|
||||
import org.springframework.orm.jpa.JpaTransactionManager;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
|
|
@ -45,6 +52,7 @@ import org.springframework.security.authentication.event.AuthenticationFailureBa
|
|||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
|
|
@ -52,9 +60,11 @@ import org.springframework.security.core.authority.AuthorityUtils;
|
|||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
|
|
@ -90,11 +100,57 @@ public class SecurityAutoConfigurationTests {
|
|||
assertEquals(5, filterChains.size());
|
||||
}
|
||||
|
||||
// gh-3703
|
||||
@Test
|
||||
public void testDefaultFilterOrderWithSecurityAdapter() throws Exception {
|
||||
this.context = new AnnotationConfigWebApplicationContext();
|
||||
this.context.setServletContext(new MockServletContext());
|
||||
this.context.register(WebSecurity.class,
|
||||
SecurityAutoConfiguration.class,
|
||||
SecurityFilterRegistrationAutoConfiguration.class,
|
||||
ServerPropertiesAutoConfiguration.class,
|
||||
PropertyPlaceholderAutoConfiguration.class);
|
||||
this.context.refresh();
|
||||
assertEquals(
|
||||
0,
|
||||
this.context.getBean("securityFilterChainRegistration",
|
||||
FilterRegistrationBean.class).getOrder());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSecurityFilterRegistrationAutoConfigurationRegisteredAutoConfiguration() throws Exception {
|
||||
EnableAutoConfigurationImportSelector selector = new EnableAutoConfigurationImportSelector();
|
||||
selector.setBeanFactory(new DefaultListableBeanFactory());
|
||||
selector.setEnvironment(new MockEnvironment());
|
||||
selector.setResourceLoader(new DefaultResourceLoader());
|
||||
String[] imports = selector.selectImports(new StandardAnnotationMetadata(AutoConfiguration.class));
|
||||
|
||||
assertTrue(ObjectUtils.containsElement(imports, "org.springframework.boot.autoconfigure.security.SecurityFilterRegistrationAutoConfiguration"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDefaultFilterOrderNotWeb() throws Exception {
|
||||
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
|
||||
context.register(SecurityAutoConfiguration.class,
|
||||
SecurityFilterRegistrationAutoConfiguration.class,
|
||||
ServerPropertiesAutoConfiguration.class,
|
||||
PropertyPlaceholderAutoConfiguration.class);
|
||||
|
||||
try {
|
||||
context.refresh();
|
||||
assertFalse(
|
||||
context.containsBean("securityFilterChainRegistration"));
|
||||
} finally {
|
||||
context.close();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDefaultFilterOrder() throws Exception {
|
||||
this.context = new AnnotationConfigWebApplicationContext();
|
||||
this.context.setServletContext(new MockServletContext());
|
||||
this.context.register(SecurityAutoConfiguration.class,
|
||||
SecurityFilterRegistrationAutoConfiguration.class,
|
||||
ServerPropertiesAutoConfiguration.class,
|
||||
PropertyPlaceholderAutoConfiguration.class);
|
||||
this.context.refresh();
|
||||
|
|
@ -110,6 +166,7 @@ public class SecurityAutoConfigurationTests {
|
|||
EnvironmentTestUtils.addEnvironment(this.context, "security.filter-order:12345");
|
||||
this.context.setServletContext(new MockServletContext());
|
||||
this.context.register(SecurityAutoConfiguration.class,
|
||||
SecurityFilterRegistrationAutoConfiguration.class,
|
||||
ServerPropertiesAutoConfiguration.class,
|
||||
PropertyPlaceholderAutoConfiguration.class);
|
||||
this.context.refresh();
|
||||
|
|
@ -411,4 +468,11 @@ public class SecurityAutoConfigurationTests {
|
|||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
static class WebSecurity extends WebSecurityConfigurerAdapter {}
|
||||
|
||||
@Configuration
|
||||
@EnableAutoConfiguration
|
||||
static class AutoConfiguration {}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue