Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apply configurers from spring.factories to HttpSecurity bean #10815

Merged
merged 1 commit into from
Feb 9, 2022
Merged

Apply configurers from spring.factories to HttpSecurity bean #10815

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion ...ringframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -17,18 +17,21 @@
package org.springframework.security.config.annotation.web.configuration;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.core.io.support.SpringFactoriesLoader;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;

Expand Down Expand Up @@ -97,6 +100,7 @@ HttpSecurity httpSecurity() throws Exception {
.apply(new DefaultLoginPageConfigurer<>());
http.logout(withDefaults());
// @formatter:on
applyDefaultConfigurers(http);
return http;
}

Expand All @@ -105,6 +109,15 @@ private AuthenticationManager authenticationManager() throws Exception {
: this.authenticationConfiguration.getAuthenticationManager();
}

private void applyDefaultConfigurers(HttpSecurity http) throws Exception {
ClassLoader classLoader = this.context.getClassLoader();
List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader
.loadFactories(AbstractHttpConfigurer.class, classLoader);
for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
http.apply(configurer);
}
}

private Map<Class<?>, Object> createSharedObjects() {
Map<Class<?>, Object> sharedObjects = new HashMap<>();
sharedObjects.put(ApplicationContext.class, this.context);
Expand Down
42 changes: 40 additions & 2 deletions ...ramework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -16,22 +16,28 @@

package org.springframework.security.config.annotation.web.configuration;

import java.util.Arrays;
import java.util.concurrent.Callable;

import javax.servlet.http.HttpServletRequest;

import com.google.common.net.HttpHeaders;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.MockedStatic;
import org.mockito.junit.jupiter.MockitoExtension;

import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.support.SpringFactoriesLoader;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.core.context.SecurityContextHolder;
Expand Down Expand Up @@ -67,14 +73,17 @@
*
* @author Eleftheria Stein
*/
@ExtendWith(SpringTestContextExtension.class)
@ExtendWith({ MockitoExtension.class, SpringTestContextExtension.class })
public class HttpSecurityConfigurationTests {

public final SpringTestContext spring = new SpringTestContext(this);

@Autowired
private MockMvc mockMvc;

@Mock
private MockedStatic<SpringFactoriesLoader> springFactoriesLoader;

@Test
public void postWhenDefaultFilterChainBeanThenRespondsWithForbidden() throws Exception {
this.spring.register(DefaultWithFilterChainConfig.class).autowire();
Expand Down Expand Up @@ -220,6 +229,17 @@ public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException
"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
}

@Test
public void configureWhenDefaultConfigurerAsSpringFactoryThenDefaultConfigurerApplied() {
DefaultConfigurer configurer = new DefaultConfigurer();
this.springFactoriesLoader.when(
() -> SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, getClass().getClassLoader()))
.thenReturn(Arrays.asList(configurer));
this.spring.register(DefaultWithFilterChainConfig.class).autowire();
assertThat(configurer.init).isTrue();
assertThat(configurer.configure).isTrue();
}

@RestController
static class NameController {

Expand Down Expand Up @@ -349,4 +369,22 @@ void user(HttpServletRequest request) {

}

static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {

boolean init;

boolean configure;

@Override
public void init(HttpSecurity builder) {
this.init = true;
}

@Override
public void configure(HttpSecurity builder) {
this.configure = true;
}

}

}