Add with() method to apply SecurityConfigurerAdapter

This method is intended to replace .apply() because it will not be possible to chain configurations when .and() gets removed

Closes gh-13204
This commit is contained in:
Marcus Da Coregio
2023-06-26 10:52:05 -03:00
committed by Marcus Hert Da Coregio
parent 4855290a76
commit 1ff5eb6b57
7 changed files with 304 additions and 15 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ import java.util.List;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.SecurityConfigurer;
@@ -149,6 +150,19 @@ public class AbstractConfiguredSecurityBuilderTests {
assertThat(builder.getConfigurers(DelegateSecurityConfigurer.class)).hasSize(2);
}
@Test
public void withWhenConfigurerThenConfigurerAdded() throws Exception {
this.builder.with(new TestSecurityConfigurer(), Customizer.withDefaults());
assertThat(this.builder.getConfigurers(TestSecurityConfigurer.class)).hasSize(1);
}
@Test
public void withWhenDuplicateConfigurerAddedThenDuplicateConfigurerRemoved() throws Exception {
this.builder.with(new TestSecurityConfigurer(), Customizer.withDefaults());
this.builder.with(new TestSecurityConfigurer(), Customizer.withDefaults());
assertThat(this.builder.getConfigurers(TestSecurityConfigurer.class)).hasSize(1);
}
private static class ApplyAndRemoveSecurityConfigurer
extends SecurityConfigurerAdapter<Object, TestConfiguredSecurityBuilder> {

View File

@@ -47,6 +47,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -63,6 +64,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.test.web.servlet.RequestCacheResultMatcher;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
@@ -90,6 +92,8 @@ import static org.springframework.security.test.web.servlet.request.SecurityMock
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.asyncDispatch;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -365,6 +369,27 @@ public class HttpSecurityConfigurationTests {
assertThat(configSource).isInstanceOf(UrlBasedCorsConfigurationSource.class);
}
@Test
public void configureWhenAddingCustomDslUsingWithThenApplied() throws Exception {
this.spring.register(WithCustomDslConfig.class, UserDetailsConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
List<Filter> filters = filterChain.getFilters();
assertThat(filters).hasAtLeastOneElementOfType(UsernamePasswordAuthenticationFilter.class);
this.mockMvc.perform(formLogin()).andExpectAll(redirectedUrl("/"), authenticated());
}
@Test
public void configureWhenCustomDslAddedFromFactoriesAndDisablingUsingWithThenNotApplied() throws Exception {
this.springFactoriesLoader.when(
() -> SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, getClass().getClassLoader()))
.thenReturn(List.of(new WithCustomDsl()));
this.spring.register(WithCustomDslDisabledConfig.class, UserDetailsConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
List<Filter> filters = filterChain.getFilters();
assertThat(filters).doesNotHaveAnyElementsOfTypes(UsernamePasswordAuthenticationFilter.class);
this.mockMvc.perform(formLogin()).andExpectAll(status().isNotFound(), unauthenticated());
}
@RestController
static class NameController {
@@ -661,4 +686,45 @@ public class HttpSecurityConfigurationTests {
}
@Configuration
@EnableWebSecurity
static class WithCustomDslConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.with(new WithCustomDsl(), Customizer.withDefaults())
.httpBasic(Customizer.withDefaults());
// @formatter:on
return http.build();
}
}
@Configuration
@EnableWebSecurity
static class WithCustomDslDisabledConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.with(new WithCustomDsl(), (dsl) -> dsl.disable())
.httpBasic(Customizer.withDefaults());
// @formatter:on
return http.build();
}
}
static class WithCustomDsl extends AbstractHttpConfigurer<WithCustomDsl, HttpSecurity> {
@Override
public void init(HttpSecurity builder) throws Exception {
builder.formLogin(Customizer.withDefaults());
}
}
}