Remove deprecated RequestMatcher methods from Java Configuration
Closes gh-11939
This commit is contained in:
@@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
@@ -51,7 +52,7 @@ public class SecurityConfig {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/*").permitAll()
|
||||
.requestMatchers(new AntPathRequestMatcher("/*")).permitAll()
|
||||
.and()
|
||||
.authenticationProvider(authenticationProvider());
|
||||
// @formatter:on
|
||||
|
||||
@@ -25,8 +25,11 @@ import org.springframework.mock.web.MockServletContext;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
|
||||
@@ -85,7 +88,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.antMatchers("/demo/**").permitAll();
|
||||
.requestMatchers(new AntPathRequestMatcher("/demo/**")).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -97,12 +100,12 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
||||
static class MvcMatchersAfterAnyRequestConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.mvcMatchers("/demo/**").permitAll();
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/demo/**")).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -119,7 +122,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.regexMatchers(".*").permitAll();
|
||||
.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@@ -69,16 +69,6 @@ public class AbstractRequestMatcherRegistryNoMvcTests {
|
||||
|
||||
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
|
||||
@@ -65,7 +65,8 @@ public class AbstractRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void regexMatchersWhenHttpMethodAndPatternParamsThenReturnRegexRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
|
||||
@@ -73,7 +74,8 @@ public class AbstractRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void regexMatchersWhenPatternParamThenReturnRegexRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", null));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
|
||||
@@ -81,7 +83,8 @@ public class AbstractRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void antMatchersWhenHttpMethodAndPatternParamsThenReturnAntPathRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry
|
||||
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
|
||||
@@ -89,7 +92,7 @@ public class AbstractRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void antMatchersWhenPatternParamThenReturnAntPathRequestMatcherType() {
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.matcherRegistry.requestMatchers(new AntPathRequestMatcher("/a.*"));
|
||||
assertThat(requestMatchers).isNotEmpty();
|
||||
assertThat(requestMatchers.size()).isEqualTo(1);
|
||||
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
|
||||
@@ -151,16 +154,6 @@ public class AbstractRequestMatcherRegistryTests {
|
||||
|
||||
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
|
||||
@@ -36,8 +36,10 @@ import org.springframework.security.core.userdetails.PasswordEncodedUser;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
@@ -107,18 +109,19 @@ public class HttpConfigurationTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RequestMatcherRegistryConfigs {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/api/**")
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.antMatchers("/**").hasRole("USER")
|
||||
.anyRequest().hasRole("USER")
|
||||
.and()
|
||||
.httpBasic();
|
||||
return http.build();
|
||||
|
||||
@@ -62,6 +62,7 @@ import org.springframework.stereotype.Controller;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
@@ -302,6 +303,7 @@ public class NamespaceHttpTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AccessDeniedPageConfig {
|
||||
|
||||
@Bean
|
||||
@@ -309,7 +311,7 @@ public class NamespaceHttpTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.exceptionHandling()
|
||||
@@ -385,6 +387,7 @@ public class NamespaceHttpTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IfRequiredConfig {
|
||||
|
||||
@Bean
|
||||
@@ -392,7 +395,7 @@ public class NamespaceHttpTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/unsecure").permitAll()
|
||||
.requestMatchers("/unsecure").permitAll()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.sessionManagement()
|
||||
@@ -487,7 +490,7 @@ public class NamespaceHttpTests {
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.antMatcher("/api/**");
|
||||
.securityMatcher(new AntPathRequestMatcher("/api/**"));
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -502,7 +505,7 @@ public class NamespaceHttpTests {
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.regexMatcher("/regex/.*");
|
||||
.securityMatcher(new RegexRequestMatcher("/regex/.*", null));
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -517,7 +520,7 @@ public class NamespaceHttpTests {
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatcher(new MyRequestMatcher());
|
||||
.securityMatcher(new MyRequestMatcher());
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -539,7 +542,8 @@ public class NamespaceHttpTests {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**", "/public/**");
|
||||
return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/resources/**"),
|
||||
new AntPathRequestMatcher("/public/**"));
|
||||
}
|
||||
|
||||
@Bean
|
||||
@@ -625,6 +629,7 @@ public class NamespaceHttpTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class UseExpressionsConfig {
|
||||
|
||||
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
|
||||
@@ -636,8 +641,8 @@ public class NamespaceHttpTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.antMatchers("/signup").permitAll()
|
||||
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.requestMatchers("/signup").permitAll()
|
||||
.anyRequest().hasRole("USER");
|
||||
this.httpSecurity = http;
|
||||
return http.build();
|
||||
@@ -659,6 +664,7 @@ public class NamespaceHttpTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DisableUseExpressionsConfig {
|
||||
|
||||
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
|
||||
@@ -670,8 +676,8 @@ public class NamespaceHttpTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
|
||||
.antMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.antMatchers("/signup").hasRole("ANONYMOUS")
|
||||
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
|
||||
.requestMatchers("/signup").hasRole("ANONYMOUS")
|
||||
.anyRequest().hasRole("USER");
|
||||
this.httpSecurity = http;
|
||||
return http.build();
|
||||
|
||||
@@ -40,12 +40,14 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
@@ -147,8 +149,8 @@ public class WebSecurityTests {
|
||||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().mvcMatchers("/path");
|
||||
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
|
||||
return (web) -> web.ignoring().requestMatchers(new MvcRequestMatcher(introspector, "/path"));
|
||||
}
|
||||
|
||||
@Bean
|
||||
@@ -185,8 +187,9 @@ public class WebSecurityTests {
|
||||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().mvcMatchers("/path").servletPath("/spring").mvcMatchers("/notused");
|
||||
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
|
||||
MvcRequestMatcher.Builder builder = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");
|
||||
return (web) -> web.ignoring().requestMatchers(builder.pattern("/path")).requestMatchers("/notused");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -58,10 +58,12 @@ import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
|
||||
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
|
||||
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.util.ClassUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
@@ -346,7 +348,7 @@ public class WebSecurityConfigurationTests {
|
||||
SecurityFilterChain filterChain1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
@@ -359,7 +361,7 @@ public class WebSecurityConfigurationTests {
|
||||
SecurityFilterChain filterChain2(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role2/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role2/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("2")
|
||||
)
|
||||
@@ -372,7 +374,7 @@ public class WebSecurityConfigurationTests {
|
||||
SecurityFilterChain filterChain3(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role3/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role3/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("3")
|
||||
)
|
||||
@@ -403,7 +405,7 @@ public class WebSecurityConfigurationTests {
|
||||
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
@@ -634,31 +636,33 @@ public class WebSecurityConfigurationTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class WebSecurityCustomizerConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class CustomizerAndFilterChainConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
|
||||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
return http
|
||||
.antMatcher("/role1/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().hasRole("1")
|
||||
)
|
||||
@@ -670,19 +674,20 @@ public class WebSecurityConfigurationTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class OrderedCustomizerConfig {
|
||||
|
||||
@Order(1)
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer1() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore1");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore1");
|
||||
}
|
||||
|
||||
@Order(2)
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer2() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignore2");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignore2");
|
||||
}
|
||||
|
||||
}
|
||||
@@ -696,7 +701,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -720,7 +725,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -745,7 +750,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/user"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -756,7 +761,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/admin"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -773,12 +778,13 @@ public class WebSecurityConfigurationTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@Import(AuthenticationTestConfiguration.class)
|
||||
static class MultipleSecurityFilterChainIgnoringConfig {
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/ignoring1/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/ignoring1/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
@@ -786,7 +792,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/user"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -797,7 +803,7 @@ public class WebSecurityConfigurationTests {
|
||||
public SecurityFilterChain admin(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests.antMatchers("/admin"))
|
||||
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
|
||||
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
||||
@@ -22,7 +22,6 @@ import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.access.AccessDecisionVoter;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
@@ -40,7 +39,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void testGetRequestMatcherIsTypeRegexMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.regexMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry
|
||||
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
|
||||
}
|
||||
@@ -48,7 +48,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void testRequestMatcherIsTypeRegexMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.regexMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new RegexRequestMatcher("/a.*", null));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
|
||||
}
|
||||
@@ -56,7 +56,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void testGetRequestMatcherIsTypeAntPathRequestMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.antMatchers(HttpMethod.GET, "/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry
|
||||
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
|
||||
}
|
||||
@@ -64,7 +65,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
||||
|
||||
@Test
|
||||
public void testRequestMatcherIsTypeAntPathRequestMatcher() {
|
||||
List<RequestMatcher> requestMatchers = this.registry.antMatchers("/a.*");
|
||||
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new AntPathRequestMatcher("/a.*"));
|
||||
for (RequestMatcher requestMatcher : requestMatchers) {
|
||||
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
|
||||
}
|
||||
@@ -73,25 +74,11 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
|
||||
static class ConcreteAbstractRequestMatcherMappingConfigurer
|
||||
extends AbstractConfigAttributeRequestMatcherRegistry<List<RequestMatcher>> {
|
||||
|
||||
List<AccessDecisionVoter> decisionVoters() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<RequestMatcher> chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
|
||||
return requestMatchers;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -46,6 +46,7 @@ import org.springframework.security.web.access.expression.WebExpressionAuthoriza
|
||||
import org.springframework.security.web.access.intercept.AuthorizationFilter;
|
||||
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
|
||||
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.test.web.servlet.request.RequestPostProcessor;
|
||||
@@ -55,6 +56,7 @@ import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.mockito.Mockito.any;
|
||||
@@ -615,7 +617,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
||||
return http
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.anyRequest().authenticated()
|
||||
.mvcMatchers("/path").hasRole("USER")
|
||||
.requestMatchers("/path").hasRole("USER")
|
||||
)
|
||||
.build();
|
||||
// @formatter:on
|
||||
@@ -847,11 +849,13 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
||||
static class ServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
return http
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.mvcMatchers("/").servletPath("/spring").hasRole("ADMIN")
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/")).hasRole("ADMIN")
|
||||
)
|
||||
.build();
|
||||
// @formatter:on
|
||||
@@ -940,7 +944,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
|
||||
http
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeHttpRequests((requests) -> requests
|
||||
.mvcMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
|
||||
.requestMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
||||
@@ -42,6 +42,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
@@ -49,6 +50,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.spy;
|
||||
@@ -289,7 +291,7 @@ public class AuthorizeRequestsTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(HttpMethod.POST).denyAll();
|
||||
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -311,7 +313,7 @@ public class AuthorizeRequestsTests {
|
||||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers(HttpMethod.POST).denyAll()
|
||||
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -407,7 +409,7 @@ public class AuthorizeRequestsTests {
|
||||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/path").denyAll();
|
||||
.requestMatchers("/path").denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -441,7 +443,7 @@ public class AuthorizeRequestsTests {
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/path").denyAll()
|
||||
.requestMatchers("/path").denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -470,12 +472,14 @@ public class AuthorizeRequestsTests {
|
||||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/path").servletPath("/spring").denyAll();
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -503,13 +507,15 @@ public class AuthorizeRequestsTests {
|
||||
static class MvcMatcherServletPathInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
|
||||
.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/path").servletPath("/spring").denyAll()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll()
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -543,7 +549,7 @@ public class AuthorizeRequestsTests {
|
||||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/user/{userName}").access("#userName == 'user'");
|
||||
.requestMatchers("/user/{userName}").access("#userName == 'user'");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -577,7 +583,7 @@ public class AuthorizeRequestsTests {
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.mvcMatchers("/user/{userName}").access("#userName == 'user'")
|
||||
.requestMatchers("/user/{userName}").access("#userName == 'user'")
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
@@ -611,7 +617,7 @@ public class AuthorizeRequestsTests {
|
||||
http
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.mvcMatchers("/user").denyAll();
|
||||
.requestMatchers("/user").denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@@ -243,11 +243,11 @@ public class ChannelSecurityConfigurerTests {
|
||||
.portMapper(new PortMapperImpl())
|
||||
.and()
|
||||
.requiresChannel()
|
||||
.mvcMatchers("/test-1")
|
||||
.requestMatchers("/test-1")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-2")
|
||||
.requestMatchers("/test-2")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-3")
|
||||
.requestMatchers("/test-3")
|
||||
.requiresSecure()
|
||||
.anyRequest()
|
||||
.requiresInsecure();
|
||||
@@ -271,11 +271,11 @@ public class ChannelSecurityConfigurerTests {
|
||||
.portMapper(new PortMapperImpl())
|
||||
)
|
||||
.requiresChannel((channel) -> channel
|
||||
.mvcMatchers("/test-1")
|
||||
.requestMatchers("/test-1")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-2")
|
||||
.requestMatchers("/test-2")
|
||||
.requiresSecure()
|
||||
.mvcMatchers("/test-3")
|
||||
.requestMatchers("/test-3")
|
||||
.requiresSecure()
|
||||
.anyRequest()
|
||||
.requiresInsecure()
|
||||
|
||||
@@ -119,6 +119,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IgnoringRequestInLambdaMatchers {
|
||||
|
||||
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
|
||||
@@ -149,7 +150,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.csrf()
|
||||
.ignoringAntMatchers("/no-csrf")
|
||||
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
|
||||
.ignoringRequestMatchers(this.requestMatcher);
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -159,6 +160,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IgnoringPathsAndMatchersInLambdaConfig {
|
||||
|
||||
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
|
||||
@@ -169,7 +171,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
|
||||
http
|
||||
.csrf((csrf) ->
|
||||
csrf
|
||||
.ignoringAntMatchers("/no-csrf")
|
||||
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
|
||||
.ignoringRequestMatchers(this.requestMatcher)
|
||||
);
|
||||
return http.build();
|
||||
|
||||
@@ -57,6 +57,7 @@ import org.springframework.security.web.header.HeaderWriterFilter;
|
||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
@@ -163,11 +164,12 @@ public class DefaultFiltersTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FilterChainProxyBuilderIgnoringConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -63,6 +63,7 @@ import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
@@ -611,6 +612,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class IncompleteMappingConfig {
|
||||
|
||||
@Bean
|
||||
@@ -618,7 +620,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/a").authenticated()
|
||||
.requestMatchers("/a").authenticated()
|
||||
.anyRequest();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -965,6 +967,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AllPropertiesWorkConfig {
|
||||
|
||||
@Bean
|
||||
@@ -978,7 +981,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
.expressionHandler(handler)
|
||||
.accessDecisionManager(adm)
|
||||
.filterSecurityInterceptorOncePerRequest(true)
|
||||
.antMatchers("/a", "/b").hasRole("ADMIN")
|
||||
.requestMatchers("/a", "/b").hasRole("ADMIN")
|
||||
.anyRequest().permitAll()
|
||||
.and()
|
||||
.formLogin();
|
||||
@@ -1034,6 +1037,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class UseBeansInExpressions {
|
||||
|
||||
@Bean
|
||||
@@ -1041,9 +1045,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.antMatchers("/user").hasRole("USER")
|
||||
.antMatchers("/allow").access("@permission.check(authentication,'user')")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/user").hasRole("USER")
|
||||
.requestMatchers("/allow").access("@permission.check(authentication,'user')")
|
||||
.anyRequest().access("@permission.check(authentication,'admin')");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -1066,6 +1070,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CustomExpressionRootConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1074,9 +1079,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.expressionHandler(expressionHandler())
|
||||
.antMatchers("/admin").hasRole("ADMIN")
|
||||
.antMatchers("/user").hasRole("USER")
|
||||
.antMatchers("/allow").access("check('user')")
|
||||
.requestMatchers("/admin").hasRole("ADMIN")
|
||||
.requestMatchers("/user").hasRole("USER")
|
||||
.requestMatchers("/allow").access("check('user')")
|
||||
.anyRequest().access("check('admin')");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -1146,6 +1151,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class PermissionEvaluatorConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1153,10 +1159,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
|
||||
.antMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
|
||||
.antMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
|
||||
.antMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
|
||||
.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
|
||||
.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
|
||||
.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
|
||||
.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
|
||||
.anyRequest().permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -1183,6 +1189,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RoleHierarchyConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1190,8 +1197,8 @@ public class ExpressionUrlAuthorizationConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/allow").access("hasRole('MEMBER')")
|
||||
.antMatchers("/deny").access("hasRole('ADMIN')")
|
||||
.requestMatchers("/allow").access("hasRole('MEMBER')")
|
||||
.requestMatchers("/deny").access("hasRole('ADMIN')")
|
||||
.anyRequest().permitAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
||||
@@ -45,6 +45,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
|
||||
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
|
||||
import org.springframework.security.web.savedrequest.RequestCache;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
@@ -409,11 +410,12 @@ public class FormLoginConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FormLoginConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -1,146 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
public class HttpSecurityAntMatchersTests {
|
||||
|
||||
AnnotationConfigWebApplicationContext context;
|
||||
|
||||
MockHttpServletRequest request;
|
||||
|
||||
MockHttpServletResponse response;
|
||||
|
||||
MockFilterChain chain;
|
||||
|
||||
@Autowired
|
||||
FilterChainProxy springSecurityFilterChain;
|
||||
|
||||
@BeforeEach
|
||||
public void setup() {
|
||||
this.request = new MockHttpServletRequest("GET", "");
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.chain = new MockFilterChain();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
public void cleanup() {
|
||||
if (this.context != null) {
|
||||
this.context.close();
|
||||
}
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndNoPatterns() throws Exception {
|
||||
loadConfig(AntMatchersNoPatternsConfig.class);
|
||||
this.request.setMethod("POST");
|
||||
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
// SEC-3135
|
||||
@Test
|
||||
public void antMatchersMethodAndEmptyPatterns() throws Exception {
|
||||
loadConfig(AntMatchersEmptyPatternsConfig.class);
|
||||
this.request.setMethod("POST");
|
||||
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
|
||||
}
|
||||
|
||||
public void loadConfig(Class<?>... configs) {
|
||||
this.context = new AnnotationConfigWebApplicationContext();
|
||||
this.context.register(configs);
|
||||
this.context.refresh();
|
||||
this.context.getAutowireCapableBeanFactory().autowireBean(this);
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersNoPatternsConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers(HttpMethod.POST)
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
return new InMemoryUserDetailsManager();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Configuration
|
||||
static class AntMatchersEmptyPatternsConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/never/")
|
||||
.antMatchers(HttpMethod.POST, new String[0])
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
return new InMemoryUserDetailsManager();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -36,12 +36,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.security.config.Customizer.withDefaults;
|
||||
@@ -217,13 +219,14 @@ public class HttpSecurityRequestMatchersTests {
|
||||
|
||||
@Bean
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
SecurityFilterChain first(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests
|
||||
.mvcMatchers("/test-1")
|
||||
.mvcMatchers("/test-2")
|
||||
.mvcMatchers("/test-3")
|
||||
.securityMatchers((requests) -> requests
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
|
||||
)
|
||||
.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
|
||||
.httpBasic(withDefaults());
|
||||
@@ -232,11 +235,12 @@ public class HttpSecurityRequestMatchersTests {
|
||||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain second(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requests) -> requests
|
||||
.mvcMatchers("/test-1")
|
||||
.securityMatchers((requests) -> requests
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
)
|
||||
.authorizeRequests((authorize) -> authorize
|
||||
.anyRequest().permitAll()
|
||||
@@ -264,13 +268,14 @@ public class HttpSecurityRequestMatchersTests {
|
||||
|
||||
@Bean
|
||||
@Order(Ordered.HIGHEST_PRECEDENCE)
|
||||
SecurityFilterChain first(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/test-1")
|
||||
.mvcMatchers("/test-2")
|
||||
.mvcMatchers("/test-3")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll()
|
||||
@@ -281,11 +286,12 @@ public class HttpSecurityRequestMatchersTests {
|
||||
}
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain second(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/test-1")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().permitAll();
|
||||
@@ -311,10 +317,10 @@ public class HttpSecurityRequestMatchersTests {
|
||||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.mvcMatcher("/path")
|
||||
.securityMatcher(new MvcRequestMatcher(introspector, "/path"))
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
@@ -345,11 +351,11 @@ public class HttpSecurityRequestMatchersTests {
|
||||
static class RequestMatchersMvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/path")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
|
||||
.and()
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
@@ -381,12 +387,12 @@ public class HttpSecurityRequestMatchersTests {
|
||||
static class RequestMatchersMvcMatcherInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.mvcMatchers("/path")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
|
||||
)
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
@@ -415,12 +421,14 @@ public class HttpSecurityRequestMatchersTests {
|
||||
static class RequestMatchersMvcMatcherServeltPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
mvcMatcherBuilder.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.mvcMatchers("/path").servletPath("/spring")
|
||||
.mvcMatchers("/never-match")
|
||||
.securityMatchers()
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
|
||||
.requestMatchers("/never-match")
|
||||
.and()
|
||||
.httpBasic().and()
|
||||
.authorizeRequests()
|
||||
@@ -452,13 +460,15 @@ public class HttpSecurityRequestMatchersTests {
|
||||
static class RequestMatchersMvcMatcherServletPathInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
|
||||
mvcMatcherBuilder.servletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.mvcMatchers("/path").servletPath("/spring")
|
||||
.mvcMatchers("/never-match")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
|
||||
.requestMatchers("/never-match")
|
||||
)
|
||||
.httpBasic(withDefaults())
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
|
||||
@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||
@@ -91,6 +92,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousConfig {
|
||||
|
||||
@Bean
|
||||
@@ -98,7 +100,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/type").anonymous()
|
||||
.requestMatchers("/type").anonymous()
|
||||
.anyRequest().denyAll();
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
@@ -131,6 +133,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousGrantedAuthorityConfig {
|
||||
|
||||
@Bean
|
||||
@@ -138,7 +141,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/type").hasRole("ANON")
|
||||
.requestMatchers("/type").hasRole("ANON")
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous()
|
||||
@@ -151,6 +154,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousKeyConfig {
|
||||
|
||||
@Bean
|
||||
@@ -158,7 +162,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/key").anonymous()
|
||||
.requestMatchers("/key").anonymous()
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous().key("AnonymousKeyConfig");
|
||||
@@ -170,6 +174,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class AnonymousUsernameConfig {
|
||||
|
||||
@Bean
|
||||
@@ -177,7 +182,7 @@ public class NamespaceHttpAnonymousTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/principal").anonymous()
|
||||
.requestMatchers("/principal").anonymous()
|
||||
.anyRequest().denyAll()
|
||||
.and()
|
||||
.anonymous().principal("AnonymousUsernameConfig");
|
||||
|
||||
@@ -37,6 +37,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
|
||||
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.spy;
|
||||
@@ -111,11 +112,12 @@ public class NamespaceHttpFormLoginTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class FormLoginConfig {
|
||||
|
||||
@Bean
|
||||
WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.ignoring().antMatchers("/resources/**");
|
||||
return (web) -> web.ignoring().requestMatchers("/resources/**");
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
||||
@@ -39,6 +39,7 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
@@ -110,25 +111,26 @@ public class NamespaceHttpInterceptUrlTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class HttpInterceptUrlConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests().antMatchers(
|
||||
.authorizeRequests().requestMatchers(
|
||||
// the line below is similar to intercept-url@pattern:
|
||||
// <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
|
||||
//" access="hasRole('ROLE_ADMIN')"/>
|
||||
"/users**", "/sessions/**").hasRole("ADMIN").antMatchers(
|
||||
"/users**", "/sessions/**").hasRole("ADMIN").requestMatchers(
|
||||
// the line below is similar to intercept-url@method:
|
||||
// <intercept-url pattern="/admin/post" access="hasRole('ROLE_ADMIN')" method="POST"/>
|
||||
//" access="hasRole('ROLE_ADMIN')" method="POST"/>
|
||||
HttpMethod.POST, "/admin/post", "/admin/another-post/**").hasRole("ADMIN")
|
||||
.antMatchers("/signup").permitAll()
|
||||
.requestMatchers("/signup").permitAll()
|
||||
.anyRequest().hasRole("USER")
|
||||
.and()
|
||||
.requiresChannel().antMatchers("/login", "/secured/**")
|
||||
.requiresChannel().requestMatchers("/login", "/secured/**")
|
||||
// NOTE: channel security is configured separately of authorization (i.e. intercept-url@access
|
||||
// the line below is similar to intercept-url@requires-channel="https":
|
||||
// <intercept-url pattern="/login" requires-channel="https"/>
|
||||
|
||||
@@ -31,6 +31,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
||||
@@ -62,6 +63,7 @@ public class NamespaceHttpPortMappingsTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class HttpInterceptUrlWithPortMapperConfig {
|
||||
|
||||
@Bean
|
||||
@@ -75,7 +77,7 @@ public class NamespaceHttpPortMappingsTests {
|
||||
.http(9080).mapsTo(9443)
|
||||
.and()
|
||||
.requiresChannel()
|
||||
.antMatchers("/login", "/secured/**").requiresSecure()
|
||||
.requestMatchers("/login", "/secured/**").requiresSecure()
|
||||
.anyRequest().requiresInsecure();
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
||||
@@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.RememberMeServices;
|
||||
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
|
||||
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
|
||||
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
@@ -351,7 +352,7 @@ public class NamespaceRememberMeTests {
|
||||
SecurityFilterChain withoutKeyFilterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.antMatcher("/without-key/**")
|
||||
.securityMatcher(new AntPathRequestMatcher("/without-key/**"))
|
||||
.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
|
||||
.formLogin()
|
||||
.loginProcessingUrl("/without-key/login")
|
||||
|
||||
@@ -27,6 +27,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
|
||||
import org.springframework.security.config.test.SpringTestContext;
|
||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
@@ -77,11 +78,11 @@ public class RequestMatcherConfigurerTests {
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers()
|
||||
.antMatchers("/api/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
.and()
|
||||
.requestMatchers()
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers()
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest().denyAll();
|
||||
@@ -99,13 +100,13 @@ public class RequestMatcherConfigurerTests {
|
||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.antMatchers("/api/**")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new AntPathRequestMatcher("/api/**"))
|
||||
)
|
||||
.requestMatchers((requestMatchers) ->
|
||||
requestMatchers
|
||||
.antMatchers("/oauth/**")
|
||||
.securityMatchers((matchers) ->
|
||||
matchers
|
||||
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
|
||||
)
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
|
||||
@@ -41,12 +41,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
import org.springframework.security.web.FilterChainProxy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
@@ -176,12 +178,13 @@ public class UrlAuthorizationConfigurerTests {
|
||||
static class MvcMatcherConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
|
||||
HandlerMappingIntrospector introspector) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
|
||||
.mvcMatchers("/path").hasRole("ADMIN");
|
||||
.requestMatchers(new MvcRequestMatcher(introspector, "/path")).hasRole("ADMIN");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -209,12 +212,15 @@ public class UrlAuthorizationConfigurerTests {
|
||||
static class MvcMatcherServletPathConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
|
||||
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
|
||||
HandlerMappingIntrospector introspector) throws Exception {
|
||||
MvcRequestMatcher mvcRequestMatcher = new MvcRequestMatcher(introspector, "/path");
|
||||
mvcRequestMatcher.setServletPath("/spring");
|
||||
// @formatter:off
|
||||
http
|
||||
.httpBasic().and()
|
||||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
|
||||
.mvcMatchers("/path").servletPath("/spring").hasRole("ADMIN");
|
||||
.requestMatchers(mvcRequestMatcher).hasRole("ADMIN");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
@@ -274,9 +280,9 @@ public class UrlAuthorizationConfigurerTests {
|
||||
http
|
||||
.httpBasic(Customizer.withDefaults())
|
||||
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
|
||||
.mvcMatchers("/test-1").hasRole("ADMIN")
|
||||
.mvcMatchers("/test-2").hasRole("ADMIN")
|
||||
.mvcMatchers("/test-3").hasRole("ADMIN")
|
||||
.requestMatchers("/test-1").hasRole("ADMIN")
|
||||
.requestMatchers("/test-2").hasRole("ADMIN")
|
||||
.requestMatchers("/test-3").hasRole("ADMIN")
|
||||
.anyRequest().hasRole("USER");
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
|
||||
@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
|
||||
import org.springframework.test.context.junit.jupiter.SpringExtension;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
@@ -133,6 +134,7 @@ public class UrlAuthorizationsTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class RoleConfig {
|
||||
|
||||
@Bean
|
||||
@@ -140,12 +142,12 @@ public class UrlAuthorizationsTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
|
||||
.antMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
|
||||
.antMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
|
||||
.antMatchers("/role-user").hasAnyRole("USER")
|
||||
.antMatchers("/role-admin").hasAnyRole("ADMIN")
|
||||
.antMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
|
||||
.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
|
||||
.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
|
||||
.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
|
||||
.requestMatchers("/role-user").hasAnyRole("USER")
|
||||
.requestMatchers("/role-admin").hasAnyRole("ADMIN")
|
||||
.requestMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -154,6 +156,7 @@ public class UrlAuthorizationsTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class NoSpecificAccessDecisionManagerConfig {
|
||||
|
||||
@Bean
|
||||
@@ -162,7 +165,7 @@ public class UrlAuthorizationsTests {
|
||||
.apply(new UrlAuthorizationConfigurer(context)).getRegistry();
|
||||
// @formatter:off
|
||||
registry
|
||||
.antMatchers("/a").hasRole("ADMIN")
|
||||
.requestMatchers("/a").hasRole("ADMIN")
|
||||
.anyRequest().hasRole("USER");
|
||||
return http.build();
|
||||
// @formatter:on
|
||||
|
||||
@@ -147,6 +147,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.client.RestOperations;
|
||||
import org.springframework.web.context.support.GenericWebApplicationContext;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
@@ -1494,6 +1495,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DefaultConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1501,7 +1503,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
@@ -1514,6 +1516,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class DefaultInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1522,7 +1525,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
@@ -1537,6 +1540,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class JwkSetUriConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
@@ -1547,7 +1551,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
@@ -1561,6 +1565,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class JwkSetUriInLambdaConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
@@ -1572,7 +1577,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
@@ -1590,6 +1595,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CsrfDisabledConfig {
|
||||
|
||||
@Value("${mockwebserver.url:https://example.org}")
|
||||
@@ -1600,7 +1606,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.csrf().disable()
|
||||
@@ -1787,6 +1793,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class CustomAuthorityMappingConfig {
|
||||
|
||||
@Bean
|
||||
@@ -1794,7 +1801,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").access("hasAuthority('message:read')")
|
||||
.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')")
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
.jwt()
|
||||
@@ -2326,6 +2333,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenConfig {
|
||||
|
||||
@Bean
|
||||
@@ -2333,7 +2341,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
@@ -2346,6 +2354,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenInLambdaConfig {
|
||||
|
||||
@Bean
|
||||
@@ -2354,7 +2363,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
http
|
||||
.authorizeRequests((authorizeRequests) ->
|
||||
authorizeRequests
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.oauth2ResourceServer((oauth2ResourceServer) ->
|
||||
@@ -2540,6 +2549,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
static class OpaqueTokenAuthenticationConverterConfig {
|
||||
|
||||
@Bean
|
||||
@@ -2547,7 +2557,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2ResourceServer()
|
||||
|
||||
@@ -22,6 +22,7 @@ import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
|
||||
import org.springframework.security.web.DefaultSecurityFilterChain;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -43,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers(this.permitAllPattern).permitAll()
|
||||
.requestMatchers(new AntPathRequestMatcher(this.permitAllPattern)).permitAll()
|
||||
.anyRequest().authenticated();
|
||||
// @formatter:on
|
||||
if (http.getConfigurer(FormLoginConfigurer.class) == null) {
|
||||
|
||||
Reference in New Issue
Block a user