diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java index 8bd1c67d83..14970f2669 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java @@ -279,6 +279,19 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder requestRejectedhandlers; + + /** + * Creates a new instance. + * @param requestRejectedhandlers the {@link RequestRejectedHandler} instances to + * handle {@link org.springframework.security.web.firewall.RequestRejectedException} + */ + public CompositeRequestRejectedHandler(RequestRejectedHandler... requestRejectedhandlers) { + Assert.notEmpty(requestRejectedhandlers, "requestRejectedhandlers cannot be empty"); + this.requestRejectedhandlers = Arrays.asList(requestRejectedhandlers); + } + + @Override + public void handle(HttpServletRequest request, HttpServletResponse response, + RequestRejectedException requestRejectedException) throws IOException, ServletException { + for (RequestRejectedHandler requestRejectedhandler : requestRejectedhandlers) { + requestRejectedhandler.handle(request, response, requestRejectedException); + } + } + +} diff --git a/web/src/test/java/org/springframework/security/web/firewall/CompositeRequestRejectedHandlerTests.java b/web/src/test/java/org/springframework/security/web/firewall/CompositeRequestRejectedHandlerTests.java new file mode 100644 index 0000000000..063957b7c0 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/firewall/CompositeRequestRejectedHandlerTests.java @@ -0,0 +1,44 @@ +/* + * Copyright 2002-2021 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.firewall; + +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +import org.junit.jupiter.api.Test; + +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.mockito.Mockito.mock; + +public class CompositeRequestRejectedHandlerTests { + + @Test + void compositeRequestRejectedHandlerRethrowsTheException() { + RequestRejectedException requestRejectedException = new RequestRejectedException("rejected"); + DefaultRequestRejectedHandler sut = new DefaultRequestRejectedHandler(); + CompositeRequestRejectedHandler crrh = new CompositeRequestRejectedHandler(sut); + assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(() -> crrh + .handle(mock(HttpServletRequest.class), mock(HttpServletResponse.class), requestRejectedException)) + .withMessage("rejected"); + } + + @Test + void compositeRequestRejectedHandlerForbidsEmptyHandlers() { + assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(CompositeRequestRejectedHandler::new); + } + +}