diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java index 070e4bcf661..9e0e08250eb 100644 --- a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java +++ b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java @@ -27,8 +27,9 @@ import org.apereo.cas.client.validation.TicketValidator; import org.springframework.core.log.LogMessage; -import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.AuthenticationDetailsSource; +import org.springframework.security.authentication.AuthenticationTrustResolver; +import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent; import org.springframework.security.cas.ServiceProperties; import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken; @@ -199,6 +200,8 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder .getContextHolderStrategy(); + private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + public CasAuthenticationFilter() { super("/login/cas"); setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler()); @@ -348,8 +351,7 @@ private boolean proxyTicketRequest(boolean serviceTicketRequest, HttpServletRequ */ private boolean authenticated() { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); - return authentication != null && authentication.isAuthenticated() - && !(authentication instanceof AnonymousAuthenticationToken); + return this.trustResolver.isAuthenticated(authentication); } /** diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java index 168564a8eeb..35e082e69fc 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java @@ -29,6 +29,7 @@ import jakarta.servlet.http.HttpSession; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Answers; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -82,6 +83,7 @@ import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.withSettings; import static org.springframework.security.config.Customizer.withDefaults; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; @@ -304,7 +306,8 @@ public void configureWhenRegisteringObjectPostProcessorThenInvokedOnChangeSessio @Test public void getWhenAnonymousRequestAndTrustResolverSharedObjectReturnsAnonymousFalseThenSessionIsSaved() throws Exception { - SharedTrustResolverConfig.TR = mock(AuthenticationTrustResolver.class); + SharedTrustResolverConfig.TR = mock(AuthenticationTrustResolver.class, + withSettings().defaultAnswer(Answers.CALLS_REAL_METHODS)); given(SharedTrustResolverConfig.TR.isAnonymous(any())).willReturn(false); this.spring.register(SharedTrustResolverConfig.class).autowire(); MvcResult mvcResult = this.mvc.perform(get("/")).andReturn(); diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/SessionManagementDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/SessionManagementDslTests.kt index 5fafd6223b2..7071bfabc9e 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/SessionManagementDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/SessionManagementDslTests.kt @@ -28,6 +28,7 @@ import org.springframework.beans.factory.annotation.Autowired import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import org.springframework.mock.web.MockHttpSession +import org.springframework.security.authentication.TestingAuthenticationToken import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.http.SessionCreationPolicy @@ -118,7 +119,7 @@ class SessionManagementDslTests { @Test fun `session management when session authentication error url then redirected to url`() { this.spring.register(SessionAuthenticationErrorUrlConfig::class.java).autowire() - val authentication: Authentication = mockk() + val authentication: Authentication = TestingAuthenticationToken("user", "password", "ROLE_USER") val session: MockHttpSession = mockk(relaxed = true) every { session.changeSessionId() } throws SessionAuthenticationException("any SessionAuthenticationException") every { session.getAttribute(any()) } returns null @@ -150,7 +151,7 @@ class SessionManagementDslTests { @Test fun `session management when session authentication failure handler then handler used`() { this.spring.register(SessionAuthenticationFailureHandlerConfig::class.java).autowire() - val authentication: Authentication = mockk() + val authentication: Authentication = TestingAuthenticationToken("user", "password", "ROLE_USER") val session: MockHttpSession = mockk(relaxed = true) every { session.changeSessionId() } throws SessionAuthenticationException("any SessionAuthenticationException") every { session.getAttribute(any()) } returns null @@ -210,7 +211,7 @@ class SessionManagementDslTests { fun `session management when session authentication strategy then strategy used`() { this.spring.register(SessionAuthenticationStrategyConfig::class.java).autowire() mockkObject(SessionAuthenticationStrategyConfig.STRATEGY) - val authentication: Authentication = mockk(relaxed = true) + val authentication: Authentication = TestingAuthenticationToken("user", "password", "ROLE_USER") val session: MockHttpSession = mockk(relaxed = true) every { session.changeSessionId() } throws SessionAuthenticationException("any SessionAuthenticationException") every { session.getAttribute(any()) } returns null diff --git a/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java b/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java index a4a2aff309e..df4eac2877d 100644 --- a/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java +++ b/core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java @@ -147,7 +147,7 @@ public final boolean isAnonymous() { @Override public final boolean isAuthenticated() { - return !isAnonymous(); + return this.trustResolver.isAuthenticated(getAuthentication()); } @Override diff --git a/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolver.java b/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolver.java index 450f1603328..48d8ab17dae 100644 --- a/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolver.java +++ b/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolver.java @@ -61,13 +61,25 @@ public interface AuthenticationTrustResolver { *

* @param authentication to test (may be null in which case the method * will always return false) - * @return true the passed authentication token represented an anonymous - * principal and is authenticated using a remember-me token, false - * otherwise + * @return true the passed authentication token represented an + * authenticated user ({@link #isAuthenticated(Authentication)} and not + * {@link #isRememberMe(Authentication)}, false otherwise * @since 6.1 */ default boolean isFullyAuthenticated(Authentication authentication) { - return !isAnonymous(authentication) && !isRememberMe(authentication); + return isAuthenticated(authentication) && !isRememberMe(authentication); + } + + /** + * Checks if the {@link Authentication} is not null, authenticated, and not anonymous. + * @param authentication the {@link Authentication} to check. + * @return true if the {@link Authentication} is not null, + * {@link #isAnonymous(Authentication)} returns false, & + * {@link Authentication#isAuthenticated()} is true. + * @since 6.1.7 + */ + default boolean isAuthenticated(Authentication authentication) { + return authentication != null && authentication.isAuthenticated() && !isAnonymous(authentication); } } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java index 88192e4d9e2..8e636df1727 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java @@ -133,8 +133,7 @@ private static class AuthenticatedAuthorizationStrategy extends AbstractAuthoriz @Override boolean isGranted(Authentication authentication) { - return authentication != null && !this.trustResolver.isAnonymous(authentication) - && authentication.isAuthenticated(); + return this.trustResolver.isAuthenticated(authentication); } } @@ -143,7 +142,7 @@ private static final class FullyAuthenticatedAuthorizationStrategy extends Authe @Override boolean isGranted(Authentication authentication) { - return authentication != null && this.trustResolver.isFullyAuthenticated(authentication); + return this.trustResolver.isFullyAuthenticated(authentication); } } diff --git a/core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java b/core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java index b4aea57d113..e522fb34611 100644 --- a/core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java +++ b/core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java @@ -25,6 +25,7 @@ import org.springframework.security.core.authority.AuthorityUtils; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.mockito.BDDMockito.given; import static org.mockito.Mockito.mock; @@ -134,4 +135,27 @@ public void hasAuthorityDoesNotAddDefaultPrefix() { assertThat(this.root.hasAnyAuthority("ROLE_A", "NOT")).isTrue(); } + @Test + void isAuthenticatedWhenAuthenticatedNullThenException() { + this.root = new SecurityExpressionRoot((Authentication) null) { + }; + assertThatIllegalArgumentException().isThrownBy(() -> this.root.isAuthenticated()); + } + + @Test + void isAuthenticatedWhenTrustResolverFalseThenFalse() { + AuthenticationTrustResolver atr = mock(AuthenticationTrustResolver.class); + given(atr.isAuthenticated(JOE)).willReturn(false); + this.root.setTrustResolver(atr); + assertThat(this.root.isAuthenticated()).isFalse(); + } + + @Test + void isAuthenticatedWhenTrustResolverTrueThenTrue() { + AuthenticationTrustResolver atr = mock(AuthenticationTrustResolver.class); + given(atr.isAuthenticated(JOE)).willReturn(true); + this.root.setTrustResolver(atr); + assertThat(this.root.isAuthenticated()).isTrue(); + } + } diff --git a/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java b/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java index 74bdcb6653a..b52d6eacaa6 100644 --- a/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java +++ b/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java @@ -18,6 +18,7 @@ import org.junit.jupiter.api.Test; +import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import static org.assertj.core.api.Assertions.assertThat; @@ -63,4 +64,56 @@ public void testGettersSetters() { assertThat(trustResolver.getRememberMeClass()).isEqualTo(TestingAuthenticationToken.class); } + @Test + void isAuthenticatedWhenAuthenticationNullThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + Authentication authentication = null; + assertThat(trustResolver.isAuthenticated(authentication)).isFalse(); + } + + @Test + void isAuthenticatedWhenAuthenticationNotAuthenticatedThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password"); + assertThat(trustResolver.isAuthenticated(authentication)).isFalse(); + } + + @Test + void isAuthenticatedWhenAnonymousThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + AnonymousAuthenticationToken authentication = new AnonymousAuthenticationToken("key", "principal", + AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); + assertThat(trustResolver.isAuthenticated(authentication)).isFalse(); + } + + @Test + void isFullyAuthenticatedWhenAuthenticationNullThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + Authentication authentication = null; + assertThat(trustResolver.isFullyAuthenticated(authentication)).isFalse(); + } + + @Test + void isFullyAuthenticatedWhenAuthenticationNotAuthenticatedThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password"); + assertThat(trustResolver.isFullyAuthenticated(authentication)).isFalse(); + } + + @Test + void isFullyAuthenticatedWhenAnonymousThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + AnonymousAuthenticationToken authentication = new AnonymousAuthenticationToken("key", "principal", + AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); + assertThat(trustResolver.isFullyAuthenticated(authentication)).isFalse(); + } + + @Test + void isFullyAuthenticatedWhenRememberMeThenFalse() { + AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); + RememberMeAuthenticationToken authentication = new RememberMeAuthenticationToken("key", "user", + AuthorityUtils.createAuthorityList("ROLE_USER")); + assertThat(trustResolver.isFullyAuthenticated(authentication)).isFalse(); + } + } diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java index bd198b8bbfb..a247c6daf71 100644 --- a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java +++ b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java @@ -22,6 +22,7 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Answers; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; @@ -50,7 +51,7 @@ @ExtendWith(MockitoExtension.class) public class DefaultMessageSecurityExpressionHandlerTests { - @Mock + @Mock(answer = Answers.CALLS_REAL_METHODS) AuthenticationTrustResolver trustResolver; @Mock diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthenticatedPrincipalOAuth2AuthorizedClientRepository.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthenticatedPrincipalOAuth2AuthorizedClientRepository.java index fb0e5d2889f..f0b33b99a9a 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthenticatedPrincipalOAuth2AuthorizedClientRepository.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthenticatedPrincipalOAuth2AuthorizedClientRepository.java @@ -107,8 +107,7 @@ public void removeAuthorizedClient(String clientRegistrationId, Authentication p } private boolean isPrincipalAuthenticated(Authentication authentication) { - return authentication != null && !this.authenticationTrustResolver.isAnonymous(authentication) - && authentication.isAuthenticated(); + return this.authenticationTrustResolver.isAuthenticated(authentication); } } diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository.java index 56c180e0f0c..854058711be 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository.java @@ -106,8 +106,7 @@ public Mono removeAuthorizedClient(String clientRegistrationId, Authentica } private boolean isPrincipalAuthenticated(Authentication authentication) { - return authentication != null && !this.authenticationTrustResolver.isAnonymous(authentication) - && authentication.isAuthenticated(); + return this.authenticationTrustResolver.isAuthenticated(authentication); } } diff --git a/web/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java index 0518a506b26..6be2a6258ea 100644 --- a/web/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java @@ -52,7 +52,7 @@ public Mono filter(ServerWebExchange exchange, WebFilterChain chain) { return chain.filter(exchange) .onErrorResume(AccessDeniedException.class, (denied) -> exchange.getPrincipal() .filter((principal) -> (!(principal instanceof Authentication) || (principal instanceof Authentication - && !(this.authenticationTrustResolver.isAnonymous((Authentication) principal))))) + && (this.authenticationTrustResolver.isAuthenticated((Authentication) principal))))) .switchIfEmpty(commenceAuthentication(exchange, new InsufficientAuthenticationException( "Full authentication is required to access this resource"))) diff --git a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java index 91bd3ccee8c..532e401dd22 100644 --- a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java +++ b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java @@ -93,7 +93,7 @@ public SecurityContextHolderAwareRequestWrapper(HttpServletRequest request, */ private Authentication getAuthentication() { Authentication auth = this.securityContextHolderStrategy.getContext().getAuthentication(); - return (!this.trustResolver.isAnonymous(auth)) ? auth : null; + return (this.trustResolver.isAuthenticated(auth)) ? auth : null; } /** diff --git a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java index b2d3bfb5b21..8e95ed7d89b 100644 --- a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java +++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java @@ -94,7 +94,7 @@ private void doFilter(HttpServletRequest request, HttpServletResponse response, request.setAttribute(FILTER_APPLIED, Boolean.TRUE); if (!this.securityContextRepository.containsContext(request)) { Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication(); - if (authentication != null && !this.trustResolver.isAnonymous(authentication)) { + if (this.trustResolver.isAuthenticated(authentication)) { // The user has been authenticated during the current request, so call the // session strategy try { diff --git a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java index 7a0877844b8..ddbc83c74d5 100644 --- a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java +++ b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java @@ -140,7 +140,7 @@ public void testGetRemoteUserStringWithAuthenticatedPrincipal() { String username = "authPrincipalUsername"; AuthenticatedPrincipal principal = mock(AuthenticatedPrincipal.class); given(principal.getName()).willReturn(username); - Authentication auth = new TestingAuthenticationToken(principal, "user"); + Authentication auth = new TestingAuthenticationToken(principal, "user", "ROLE_USER"); SecurityContextHolder.getContext().setAuthentication(auth); MockHttpServletRequest request = new MockHttpServletRequest(); request.setRequestURI("/"); diff --git a/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java index bbd095631fb..554bcab195e 100644 --- a/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java @@ -22,6 +22,7 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.mockito.Answers; import org.springframework.http.HttpStatus; import org.springframework.mock.web.MockFilterChain; @@ -45,6 +46,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoMoreInteractions; +import static org.mockito.Mockito.withSettings; /** * @author Luke Taylor @@ -244,7 +246,8 @@ public void responseIsRedirectedToRequestedUrlIfStatusCodeIsSetAndSessionIsInval @Test public void customAuthenticationTrustResolver() throws Exception { - AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class); + AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class, + withSettings().defaultAnswer(Answers.CALLS_REAL_METHODS)); SecurityContextRepository repo = mock(SecurityContextRepository.class); SessionManagementFilter filter = new SessionManagementFilter(repo); filter.setTrustResolver(trustResolver); @@ -262,7 +265,8 @@ public void setTrustResolverNull() { } private void authenticateUser() { - SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass")); + SecurityContextHolder.getContext() + .setAuthentication(new TestingAuthenticationToken("user", "pass", "ROLE_USER")); } }