diff --git a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
index 713e325393..b01054ffe7 100644
--- a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
@@ -59,6 +59,8 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
private static final String ATT_SERVLET_PATH = "servlet-path";
+ private static final String ATT_FILTER_ALL_DISPATCHER_TYPES = "filter-all-dispatcher-types";
+
private String authorizationManagerRef;
private final BeanMetadataElement securityContextHolderStrategy;
@@ -82,7 +84,11 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
this.authorizationManagerRef = createAuthorizationManager(element, parserContext);
BeanDefinitionBuilder filterBuilder = BeanDefinitionBuilder.rootBeanDefinition(AuthorizationFilter.class);
filterBuilder.getRawBeanDefinition().setSource(parserContext.extractSource(element));
- BeanDefinition filter = filterBuilder.addConstructorArgReference(this.authorizationManagerRef)
+ filterBuilder.addConstructorArgReference(this.authorizationManagerRef);
+ if ("true".equals(element.getAttribute(ATT_FILTER_ALL_DISPATCHER_TYPES))) {
+ filterBuilder.addPropertyValue("shouldFilterAllDispatcherTypes", Boolean.TRUE);
+ }
+ BeanDefinition filter = filterBuilder
.addPropertyValue("securityContextHolderStrategy", this.securityContextHolderStrategy)
.getBeanDefinition();
String id = element.getAttribute(AbstractBeanDefinitionParser.ID_ATTRIBUTE);
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
index 32f8f4b584..253f8cb1a9 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
@@ -385,6 +385,9 @@ http.attlist &=
http.attlist &=
## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
attribute once-per-request {xsd:boolean}?
+http.attlist &=
+ ## Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Only works when use-authorization-manager=true. Defauls to "false".
+ attribute filter-all-dispatcher-types {xsd:boolean}?
http.attlist &=
## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
attribute disable-url-rewriting {xsd:boolean}?
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
index c616c29b82..516e78487f 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
@@ -1385,6 +1385,13 @@
+
+
+ Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Only
+ works when use-authorization-manager=true. Defauls to "false".
+
+
+
Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
index 627548111d..04af5c4189 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -385,6 +385,9 @@ http.attlist &=
http.attlist &=
## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "false"
attribute once-per-request {xsd:boolean}?
+http.attlist &=
+ ## Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Do not work when use-authorization-manager=false. Defaults to "false".
+ attribute filter-all-dispatcher-types {xsd:boolean}?
http.attlist &=
## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
attribute disable-url-rewriting {xsd:boolean}?
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
index a7395f725a..d7f351fdc6 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
@@ -1363,6 +1363,13 @@
+
+
+ Corresponds to the shouldFilterAllDispatcherTypes property of AuthorizationFilter. Do not
+ work when use-authorization-manager=false. Defaults to "false".
+
+
+
Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true"
diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
index 34c85563e7..9ab3bbae88 100644
--- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
@@ -19,6 +19,7 @@ package org.springframework.security.config.http;
import java.util.Collections;
import java.util.Map;
+import jakarta.servlet.DispatcherType;
import jakarta.servlet.ServletRegistration;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
@@ -33,10 +34,12 @@ import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.RequestPostProcessor;
+import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.ConfigurableWebApplicationContext;
+import org.springframework.web.util.WebUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -380,6 +383,29 @@ public class InterceptUrlConfigTests {
.configLocations(this.xml("DefaultMatcherServletPathAuthorizationManager")).autowire());
}
+ @Test
+ public void requestWhenUsingFilterAllDispatcherTypesAndAuthorizationManagerThenAuthorizesRequestsAccordingly()
+ throws Exception {
+ this.spring.configLocations(this.xml("AuthorizationManagerFilterAllDispatcherTypes")).autowire();
+ // @formatter:off
+ this.mvc.perform(get("/path").with(userCredentials()))
+ .andExpect(status().isOk());
+ this.mvc.perform(get("/path").with(adminCredentials()))
+ .andExpect(status().isForbidden());
+ this.mvc.perform(get("/error").with((request) -> {
+ request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
+ request.setDispatcherType(DispatcherType.ERROR);
+ return request;
+ })).andExpect(status().isOk());
+ this.mvc.perform(get("/path").with((request) -> {
+ request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/path");
+ request.setDispatcherType(DispatcherType.ERROR);
+ return request;
+ })).andExpect(status().isUnauthorized());
+ // @formatter:on
+ assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
+ }
+
private static RequestPostProcessor adminCredentials() {
return httpBasic("admin", "password");
}
@@ -417,6 +443,16 @@ public class InterceptUrlConfigTests {
}
+ @RestController
+ static class ErrorController {
+
+ @GetMapping("/error")
+ String error() {
+ return "error";
+ }
+
+ }
+
public static class Id {
public boolean isOne(int i) {
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AuthorizationManagerFilterAllDispatcherTypes.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AuthorizationManagerFilterAllDispatcherTypes.xml
new file mode 100644
index 0000000000..cbb7a514d5
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-AuthorizationManagerFilterAllDispatcherTypes.xml
@@ -0,0 +1,55 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
index 7547f55c14..fd15759dd5 100644
--- a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -97,6 +97,12 @@ Corresponds to the `observeOncePerRequest` property of `FilterSecurityIntercepto
Defaults to `false`.
+[[nsa-http-filter-all-dispatcher-types]]
+* **filter-all-dispatcher-types**
+Corresponds to the `shouldFilterAllDispatcherTypes` property of the `AuthorizationFilter`. Only works when `use-authorization-manager=true`.
+Defaults to `false`.
+
+
[[nsa-http-pattern]]
* **pattern**
Defining a pattern for the <> element controls the requests which will be filtered through the list of filters which it defines.