Remove deprecated RequestMatcher methods from Java Configuration

Closes gh-11939
This commit is contained in:
Marcus Da Coregio
2022-10-05 13:29:47 -03:00
parent 9fd195d419
commit 398f5dee7f
57 changed files with 382 additions and 1308 deletions

View File

@@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;
/**
@@ -51,7 +52,7 @@ public class SecurityConfig {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/*").permitAll()
.requestMatchers(new AntPathRequestMatcher("/*")).permitAll()
.and()
.authenticationProvider(authenticationProvider());
// @formatter:on

View File

@@ -25,8 +25,11 @@ import org.springframework.mock.web.MockServletContext;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -85,7 +88,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
http
.authorizeRequests()
.anyRequest().authenticated()
.antMatchers("/demo/**").permitAll();
.requestMatchers(new AntPathRequestMatcher("/demo/**")).permitAll();
return http.build();
// @formatter:on
}
@@ -97,12 +100,12 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
static class MvcMatchersAfterAnyRequestConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().authenticated()
.mvcMatchers("/demo/**").permitAll();
.requestMatchers(new MvcRequestMatcher(introspector, "/demo/**")).permitAll();
return http.build();
// @formatter:on
}
@@ -119,7 +122,7 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests {
http
.authorizeRequests()
.anyRequest().authenticated()
.regexMatchers(".*").permitAll();
.requestMatchers(new RegexRequestMatcher(".*", null)).permitAll();
return http.build();
// @formatter:on
}

View File

@@ -69,16 +69,6 @@ public class AbstractRequestMatcherRegistryNoMvcTests {
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
@Override
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
return null;
}
@Override
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
return null;
}
@Override
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
return requestMatchers;

View File

@@ -65,7 +65,8 @@ public class AbstractRequestMatcherRegistryTests {
@Test
public void regexMatchersWhenHttpMethodAndPatternParamsThenReturnRegexRequestMatcherType() {
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers(HttpMethod.GET, "/a.*");
List<RequestMatcher> requestMatchers = this.matcherRegistry
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
assertThat(requestMatchers).isNotEmpty();
assertThat(requestMatchers.size()).isEqualTo(1);
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
@@ -73,7 +74,8 @@ public class AbstractRequestMatcherRegistryTests {
@Test
public void regexMatchersWhenPatternParamThenReturnRegexRequestMatcherType() {
List<RequestMatcher> requestMatchers = this.matcherRegistry.regexMatchers("/a.*");
List<RequestMatcher> requestMatchers = this.matcherRegistry
.requestMatchers(new RegexRequestMatcher("/a.*", null));
assertThat(requestMatchers).isNotEmpty();
assertThat(requestMatchers.size()).isEqualTo(1);
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(RegexRequestMatcher.class);
@@ -81,7 +83,8 @@ public class AbstractRequestMatcherRegistryTests {
@Test
public void antMatchersWhenHttpMethodAndPatternParamsThenReturnAntPathRequestMatcherType() {
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers(HttpMethod.GET, "/a.*");
List<RequestMatcher> requestMatchers = this.matcherRegistry
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
assertThat(requestMatchers).isNotEmpty();
assertThat(requestMatchers.size()).isEqualTo(1);
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
@@ -89,7 +92,7 @@ public class AbstractRequestMatcherRegistryTests {
@Test
public void antMatchersWhenPatternParamThenReturnAntPathRequestMatcherType() {
List<RequestMatcher> requestMatchers = this.matcherRegistry.antMatchers("/a.*");
List<RequestMatcher> requestMatchers = this.matcherRegistry.requestMatchers(new AntPathRequestMatcher("/a.*"));
assertThat(requestMatchers).isNotEmpty();
assertThat(requestMatchers.size()).isEqualTo(1);
assertThat(requestMatchers.get(0)).isExactlyInstanceOf(AntPathRequestMatcher.class);
@@ -151,16 +154,6 @@ public class AbstractRequestMatcherRegistryTests {
private static class TestRequestMatcherRegistry extends AbstractRequestMatcherRegistry<List<RequestMatcher>> {
@Override
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
return null;
}
@Override
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
return null;
}
@Override
protected List<RequestMatcher> chainRequestMatchers(List<RequestMatcher> requestMatchers) {
return requestMatchers;

View File

@@ -36,8 +36,10 @@ import org.springframework.security.core.userdetails.PasswordEncodedUser;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -107,18 +109,19 @@ public class HttpConfigurationTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class RequestMatcherRegistryConfigs {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers()
.antMatchers("/api/**")
.antMatchers("/oauth/**")
.securityMatchers()
.requestMatchers(new AntPathRequestMatcher("/api/**"))
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
.and()
.authorizeRequests()
.antMatchers("/**").hasRole("USER")
.anyRequest().hasRole("USER")
.and()
.httpBasic();
return http.build();

View File

@@ -62,6 +62,7 @@ import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
@@ -302,6 +303,7 @@ public class NamespaceHttpTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AccessDeniedPageConfig {
@Bean
@@ -309,7 +311,7 @@ public class NamespaceHttpTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/admin").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.exceptionHandling()
@@ -385,6 +387,7 @@ public class NamespaceHttpTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class IfRequiredConfig {
@Bean
@@ -392,7 +395,7 @@ public class NamespaceHttpTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/unsecure").permitAll()
.requestMatchers("/unsecure").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement()
@@ -487,7 +490,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.antMatcher("/api/**");
.securityMatcher(new AntPathRequestMatcher("/api/**"));
return http.build();
// @formatter:on
}
@@ -502,7 +505,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.regexMatcher("/regex/.*");
.securityMatcher(new RegexRequestMatcher("/regex/.*", null));
return http.build();
// @formatter:on
}
@@ -517,7 +520,7 @@ public class NamespaceHttpTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatcher(new MyRequestMatcher());
.securityMatcher(new MyRequestMatcher());
return http.build();
// @formatter:on
}
@@ -539,7 +542,8 @@ public class NamespaceHttpTests {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/resources/**", "/public/**");
return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/resources/**"),
new AntPathRequestMatcher("/public/**"));
}
@Bean
@@ -625,6 +629,7 @@ public class NamespaceHttpTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class UseExpressionsConfig {
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
@@ -636,8 +641,8 @@ public class NamespaceHttpTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/users**", "/sessions/**").hasRole("USER")
.antMatchers("/signup").permitAll()
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
.requestMatchers("/signup").permitAll()
.anyRequest().hasRole("USER");
this.httpSecurity = http;
return http.build();
@@ -659,6 +664,7 @@ public class NamespaceHttpTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class DisableUseExpressionsConfig {
private Class<? extends FilterInvocationSecurityMetadataSource> filterInvocationSecurityMetadataSourceType;
@@ -670,8 +676,8 @@ public class NamespaceHttpTests {
// @formatter:off
http
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
.antMatchers("/users**", "/sessions/**").hasRole("USER")
.antMatchers("/signup").hasRole("ANONYMOUS")
.requestMatchers("/users**", "/sessions/**").hasRole("USER")
.requestMatchers("/signup").hasRole("ANONYMOUS")
.anyRequest().hasRole("USER");
this.httpSecurity = http;
return http.build();

View File

@@ -40,12 +40,14 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThat;
@@ -147,8 +149,8 @@ public class WebSecurityTests {
static class MvcMatcherConfig {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().mvcMatchers("/path");
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
return (web) -> web.ignoring().requestMatchers(new MvcRequestMatcher(introspector, "/path"));
}
@Bean
@@ -185,8 +187,9 @@ public class WebSecurityTests {
static class MvcMatcherServletPathConfig {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().mvcMatchers("/path").servletPath("/spring").mvcMatchers("/notused");
WebSecurityCustomizer webSecurityCustomizer(HandlerMappingIntrospector introspector) {
MvcRequestMatcher.Builder builder = new MvcRequestMatcher.Builder(introspector).servletPath("/spring");
return (web) -> web.ignoring().requestMatchers(builder.pattern("/path")).requestMatchers("/notused");
}
@Bean

View File

@@ -58,10 +58,12 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.util.ClassUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -346,7 +348,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain1(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role1/**")
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
@@ -359,7 +361,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain2(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role2/**")
.securityMatcher(new AntPathRequestMatcher("/role2/**"))
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("2")
)
@@ -372,7 +374,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain filterChain3(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role3/**")
.securityMatcher(new AntPathRequestMatcher("/role3/**"))
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("3")
)
@@ -403,7 +405,7 @@ public class WebSecurityConfigurationTests {
SecurityFilterChain securityFilterChain1(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role1/**")
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
@@ -634,31 +636,33 @@ public class WebSecurityConfigurationTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
@Import(AuthenticationTestConfiguration.class)
static class WebSecurityCustomizerConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
}
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
@Import(AuthenticationTestConfiguration.class)
static class CustomizerAndFilterChainConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
return (web) -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
return http
.antMatcher("/role1/**")
.securityMatcher(new AntPathRequestMatcher("/role1/**"))
.authorizeRequests((authorize) -> authorize
.anyRequest().hasRole("1")
)
@@ -670,19 +674,20 @@ public class WebSecurityConfigurationTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
@Import(AuthenticationTestConfiguration.class)
static class OrderedCustomizerConfig {
@Order(1)
@Bean
public WebSecurityCustomizer webSecurityCustomizer1() {
return (web) -> web.ignoring().antMatchers("/ignore1");
return (web) -> web.ignoring().requestMatchers("/ignore1");
}
@Order(2)
@Bean
public WebSecurityCustomizer webSecurityCustomizer2() {
return (web) -> web.ignoring().antMatchers("/ignore2");
return (web) -> web.ignoring().requestMatchers("/ignore2");
}
}
@@ -696,7 +701,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
// @formatter:on
return http.build();
@@ -720,7 +725,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/path1/**"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/path1/**")))
.authorizeRequests((requests) -> requests.anyRequest().authenticated());
// @formatter:on
return http.build();
@@ -745,7 +750,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/user"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
// @formatter:on
return http.build();
@@ -756,7 +761,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain path1(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/admin"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
// @formatter:on
return http.build();
@@ -773,12 +778,13 @@ public class WebSecurityConfigurationTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
@Import(AuthenticationTestConfiguration.class)
static class MultipleSecurityFilterChainIgnoringConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignoring1/**");
return (web) -> web.ignoring().requestMatchers("/ignoring1/**");
}
@Bean
@@ -786,7 +792,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain notAuthorized(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/user"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/user")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("USER"));
// @formatter:on
return http.build();
@@ -797,7 +803,7 @@ public class WebSecurityConfigurationTests {
public SecurityFilterChain admin(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requests) -> requests.antMatchers("/admin"))
.securityMatchers((requests) -> requests.requestMatchers(new AntPathRequestMatcher("/admin")))
.authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
// @formatter:on
return http.build();

View File

@@ -22,7 +22,6 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -40,7 +39,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
@Test
public void testGetRequestMatcherIsTypeRegexMatcher() {
List<RequestMatcher> requestMatchers = this.registry.regexMatchers(HttpMethod.GET, "/a.*");
List<RequestMatcher> requestMatchers = this.registry
.requestMatchers(new RegexRequestMatcher("/a.*", HttpMethod.GET.name()));
for (RequestMatcher requestMatcher : requestMatchers) {
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
}
@@ -48,7 +48,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
@Test
public void testRequestMatcherIsTypeRegexMatcher() {
List<RequestMatcher> requestMatchers = this.registry.regexMatchers("/a.*");
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new RegexRequestMatcher("/a.*", null));
for (RequestMatcher requestMatcher : requestMatchers) {
assertThat(requestMatcher).isInstanceOf(RegexRequestMatcher.class);
}
@@ -56,7 +56,8 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
@Test
public void testGetRequestMatcherIsTypeAntPathRequestMatcher() {
List<RequestMatcher> requestMatchers = this.registry.antMatchers(HttpMethod.GET, "/a.*");
List<RequestMatcher> requestMatchers = this.registry
.requestMatchers(new AntPathRequestMatcher("/a.*", HttpMethod.GET.name()));
for (RequestMatcher requestMatcher : requestMatchers) {
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
}
@@ -64,7 +65,7 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
@Test
public void testRequestMatcherIsTypeAntPathRequestMatcher() {
List<RequestMatcher> requestMatchers = this.registry.antMatchers("/a.*");
List<RequestMatcher> requestMatchers = this.registry.requestMatchers(new AntPathRequestMatcher("/a.*"));
for (RequestMatcher requestMatcher : requestMatchers) {
assertThat(requestMatcher).isInstanceOf(AntPathRequestMatcher.class);
}
@@ -73,25 +74,11 @@ public class AbstractConfigAttributeRequestMatcherRegistryTests {
static class ConcreteAbstractRequestMatcherMappingConfigurer
extends AbstractConfigAttributeRequestMatcherRegistry<List<RequestMatcher>> {
List<AccessDecisionVoter> decisionVoters() {
return null;
}
@Override
protected List<RequestMatcher> chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
return requestMatchers;
}
@Override
public List<RequestMatcher> mvcMatchers(String... mvcPatterns) {
return null;
}
@Override
public List<RequestMatcher> mvcMatchers(HttpMethod method, String... mvcPatterns) {
return null;
}
}
}

View File

@@ -46,6 +46,7 @@ import org.springframework.security.web.access.expression.WebExpressionAuthoriza
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.test.web.servlet.request.RequestPostProcessor;
@@ -55,6 +56,7 @@ import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.Mockito.any;
@@ -615,7 +617,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
return http
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
.mvcMatchers("/path").hasRole("USER")
.requestMatchers("/path").hasRole("USER")
)
.build();
// @formatter:on
@@ -847,11 +849,13 @@ public class AuthorizeHttpRequestsConfigurerTests {
static class ServletPathConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
.servletPath("/spring");
// @formatter:off
return http
.authorizeHttpRequests((requests) -> requests
.mvcMatchers("/").servletPath("/spring").hasRole("ADMIN")
.requestMatchers(mvcMatcherBuilder.pattern("/")).hasRole("ADMIN")
)
.build();
// @formatter:on
@@ -940,7 +944,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
http
.httpBasic(withDefaults())
.authorizeHttpRequests((requests) -> requests
.mvcMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
.requestMatchers("/user/{username}").access(new WebExpressionAuthorizationManager("#username == 'user'"))
);
// @formatter:on
return http.build();

View File

@@ -42,6 +42,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@@ -49,6 +50,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.spy;
@@ -289,7 +291,7 @@ public class AuthorizeRequestsTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers(HttpMethod.POST).denyAll();
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll();
// @formatter:on
return http.build();
}
@@ -311,7 +313,7 @@ public class AuthorizeRequestsTests {
http
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.antMatchers(HttpMethod.POST).denyAll()
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.POST.name())).denyAll()
);
// @formatter:on
return http.build();
@@ -407,7 +409,7 @@ public class AuthorizeRequestsTests {
http
.httpBasic().and()
.authorizeRequests()
.mvcMatchers("/path").denyAll();
.requestMatchers("/path").denyAll();
// @formatter:on
return http.build();
}
@@ -441,7 +443,7 @@ public class AuthorizeRequestsTests {
.httpBasic(withDefaults())
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.mvcMatchers("/path").denyAll()
.requestMatchers("/path").denyAll()
);
// @formatter:on
return http.build();
@@ -470,12 +472,14 @@ public class AuthorizeRequestsTests {
static class MvcMatcherServletPathConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
.servletPath("/spring");
// @formatter:off
http
.httpBasic().and()
.authorizeRequests()
.mvcMatchers("/path").servletPath("/spring").denyAll();
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll();
// @formatter:on
return http.build();
}
@@ -503,13 +507,15 @@ public class AuthorizeRequestsTests {
static class MvcMatcherServletPathInLambdaConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector)
.servletPath("/spring");
// @formatter:off
http
.httpBasic(withDefaults())
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.mvcMatchers("/path").servletPath("/spring").denyAll()
.requestMatchers(mvcMatcherBuilder.pattern("/path")).denyAll()
);
// @formatter:on
return http.build();
@@ -543,7 +549,7 @@ public class AuthorizeRequestsTests {
http
.httpBasic().and()
.authorizeRequests()
.mvcMatchers("/user/{userName}").access("#userName == 'user'");
.requestMatchers("/user/{userName}").access("#userName == 'user'");
// @formatter:on
return http.build();
}
@@ -577,7 +583,7 @@ public class AuthorizeRequestsTests {
.httpBasic(withDefaults())
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.mvcMatchers("/user/{userName}").access("#userName == 'user'")
.requestMatchers("/user/{userName}").access("#userName == 'user'")
);
// @formatter:on
return http.build();
@@ -611,7 +617,7 @@ public class AuthorizeRequestsTests {
http
.httpBasic().and()
.authorizeRequests()
.mvcMatchers("/user").denyAll();
.requestMatchers("/user").denyAll();
// @formatter:on
return http.build();
}

View File

@@ -243,11 +243,11 @@ public class ChannelSecurityConfigurerTests {
.portMapper(new PortMapperImpl())
.and()
.requiresChannel()
.mvcMatchers("/test-1")
.requestMatchers("/test-1")
.requiresSecure()
.mvcMatchers("/test-2")
.requestMatchers("/test-2")
.requiresSecure()
.mvcMatchers("/test-3")
.requestMatchers("/test-3")
.requiresSecure()
.anyRequest()
.requiresInsecure();
@@ -271,11 +271,11 @@ public class ChannelSecurityConfigurerTests {
.portMapper(new PortMapperImpl())
)
.requiresChannel((channel) -> channel
.mvcMatchers("/test-1")
.requestMatchers("/test-1")
.requiresSecure()
.mvcMatchers("/test-2")
.requestMatchers("/test-2")
.requiresSecure()
.mvcMatchers("/test-3")
.requestMatchers("/test-3")
.requiresSecure()
.anyRequest()
.requiresInsecure()

View File

@@ -119,6 +119,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class IgnoringRequestInLambdaMatchers {
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
@@ -149,7 +150,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
// @formatter:off
http
.csrf()
.ignoringAntMatchers("/no-csrf")
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
.ignoringRequestMatchers(this.requestMatcher);
return http.build();
// @formatter:on
@@ -159,6 +160,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class IgnoringPathsAndMatchersInLambdaConfig {
RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod());
@@ -169,7 +171,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests {
http
.csrf((csrf) ->
csrf
.ignoringAntMatchers("/no-csrf")
.ignoringRequestMatchers(new AntPathRequestMatcher("/no-csrf"))
.ignoringRequestMatchers(this.requestMatcher)
);
return http.build();

View File

@@ -57,6 +57,7 @@ import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
@@ -163,11 +164,12 @@ public class DefaultFiltersTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class FilterChainProxyBuilderIgnoringConfig {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/resources/**");
return (web) -> web.ignoring().requestMatchers("/resources/**");
}
@Bean

View File

@@ -63,6 +63,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -611,6 +612,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class IncompleteMappingConfig {
@Bean
@@ -618,7 +620,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/a").authenticated()
.requestMatchers("/a").authenticated()
.anyRequest();
return http.build();
// @formatter:on
@@ -965,6 +967,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AllPropertiesWorkConfig {
@Bean
@@ -978,7 +981,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
.expressionHandler(handler)
.accessDecisionManager(adm)
.filterSecurityInterceptorOncePerRequest(true)
.antMatchers("/a", "/b").hasRole("ADMIN")
.requestMatchers("/a", "/b").hasRole("ADMIN")
.anyRequest().permitAll()
.and()
.formLogin();
@@ -1034,6 +1037,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class UseBeansInExpressions {
@Bean
@@ -1041,9 +1045,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/admin").hasRole("ADMIN")
.antMatchers("/user").hasRole("USER")
.antMatchers("/allow").access("@permission.check(authentication,'user')")
.requestMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/user").hasRole("USER")
.requestMatchers("/allow").access("@permission.check(authentication,'user')")
.anyRequest().access("@permission.check(authentication,'admin')");
return http.build();
// @formatter:on
@@ -1066,6 +1070,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class CustomExpressionRootConfig {
@Bean
@@ -1074,9 +1079,9 @@ public class ExpressionUrlAuthorizationConfigurerTests {
http
.authorizeRequests()
.expressionHandler(expressionHandler())
.antMatchers("/admin").hasRole("ADMIN")
.antMatchers("/user").hasRole("USER")
.antMatchers("/allow").access("check('user')")
.requestMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/user").hasRole("USER")
.requestMatchers("/allow").access("check('user')")
.anyRequest().access("check('admin')");
return http.build();
// @formatter:on
@@ -1146,6 +1151,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class PermissionEvaluatorConfig {
@Bean
@@ -1153,10 +1159,10 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
.antMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
.antMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
.antMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
.requestMatchers("/allow").access("hasPermission('ID', 'TYPE', 'PERMISSION')")
.requestMatchers("/allowObject").access("hasPermission('TESTOBJ', 'PERMISSION')")
.requestMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')")
.requestMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')")
.anyRequest().permitAll();
return http.build();
// @formatter:on
@@ -1183,6 +1189,7 @@ public class ExpressionUrlAuthorizationConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class RoleHierarchyConfig {
@Bean
@@ -1190,8 +1197,8 @@ public class ExpressionUrlAuthorizationConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/allow").access("hasRole('MEMBER')")
.antMatchers("/deny").access("hasRole('ADMIN')")
.requestMatchers("/allow").access("hasRole('MEMBER')")
.requestMatchers("/deny").access("hasRole('ADMIN')")
.anyRequest().permitAll();
return http.build();
// @formatter:on

View File

@@ -45,6 +45,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
@@ -409,11 +410,12 @@ public class FormLoginConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class FormLoginConfig {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/resources/**");
return (web) -> web.ignoring().requestMatchers("/resources/**");
}
@Bean

View File

@@ -1,146 +0,0 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Rob Winch
*
*/
public class HttpSecurityAntMatchersTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@BeforeEach
public void setup() {
this.request = new MockHttpServletRequest("GET", "");
this.response = new MockHttpServletResponse();
this.chain = new MockFilterChain();
}
@AfterEach
public void cleanup() {
if (this.context != null) {
this.context.close();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
loadConfig(AntMatchersNoPatternsConfig.class);
this.request.setMethod("POST");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
// SEC-3135
@Test
public void antMatchersMethodAndEmptyPatterns() throws Exception {
loadConfig(AntMatchersEmptyPatternsConfig.class);
this.request.setMethod("POST");
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
public void loadConfig(Class<?>... configs) {
this.context = new AnnotationConfigWebApplicationContext();
this.context.register(configs);
this.context.refresh();
this.context.getAutowireCapableBeanFactory().autowireBean(this);
}
@EnableWebSecurity
@Configuration
static class AntMatchersNoPatternsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers()
.antMatchers(HttpMethod.POST)
.and()
.authorizeRequests()
.anyRequest().denyAll();
// @formatter:on
return http.build();
}
@Bean
UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager();
}
}
@EnableWebSecurity
@Configuration
static class AntMatchersEmptyPatternsConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers()
.antMatchers("/never/")
.antMatchers(HttpMethod.POST, new String[0])
.and()
.authorizeRequests()
.anyRequest().denyAll();
// @formatter:on
return http.build();
}
@Bean
UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager();
}
}
}

View File

@@ -36,12 +36,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.config.Customizer.withDefaults;
@@ -217,13 +219,14 @@ public class HttpSecurityRequestMatchersTests {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
SecurityFilterChain first(HttpSecurity http) throws Exception {
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
// @formatter:off
http
.requestMatchers((requests) -> requests
.mvcMatchers("/test-1")
.mvcMatchers("/test-2")
.mvcMatchers("/test-3")
.securityMatchers((requests) -> requests
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
)
.authorizeRequests((authorize) -> authorize.anyRequest().denyAll())
.httpBasic(withDefaults());
@@ -232,11 +235,12 @@ public class HttpSecurityRequestMatchersTests {
}
@Bean
SecurityFilterChain second(HttpSecurity http) throws Exception {
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
// @formatter:off
http
.requestMatchers((requests) -> requests
.mvcMatchers("/test-1")
.securityMatchers((requests) -> requests
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
)
.authorizeRequests((authorize) -> authorize
.anyRequest().permitAll()
@@ -264,13 +268,14 @@ public class HttpSecurityRequestMatchersTests {
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
SecurityFilterChain first(HttpSecurity http) throws Exception {
SecurityFilterChain first(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
// @formatter:off
http
.requestMatchers()
.mvcMatchers("/test-1")
.mvcMatchers("/test-2")
.mvcMatchers("/test-3")
.securityMatchers()
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
.requestMatchers(mvcMatcherBuilder.pattern("/test-2"))
.requestMatchers(mvcMatcherBuilder.pattern("/test-3"))
.and()
.authorizeRequests()
.anyRequest().denyAll()
@@ -281,11 +286,12 @@ public class HttpSecurityRequestMatchersTests {
}
@Bean
SecurityFilterChain second(HttpSecurity http) throws Exception {
SecurityFilterChain second(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
// @formatter:off
http
.requestMatchers()
.mvcMatchers("/test-1")
.securityMatchers()
.requestMatchers(mvcMatcherBuilder.pattern("/test-1"))
.and()
.authorizeRequests()
.anyRequest().permitAll();
@@ -311,10 +317,10 @@ public class HttpSecurityRequestMatchersTests {
static class MvcMatcherConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
// @formatter:off
http
.mvcMatcher("/path")
.securityMatcher(new MvcRequestMatcher(introspector, "/path"))
.httpBasic().and()
.authorizeRequests()
.anyRequest().denyAll();
@@ -345,11 +351,11 @@ public class HttpSecurityRequestMatchersTests {
static class RequestMatchersMvcMatcherConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
// @formatter:off
http
.requestMatchers()
.mvcMatchers("/path")
.securityMatchers()
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
.and()
.httpBasic().and()
.authorizeRequests()
@@ -381,12 +387,12 @@ public class HttpSecurityRequestMatchersTests {
static class RequestMatchersMvcMatcherInLambdaConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
// @formatter:off
http
.requestMatchers((requestMatchers) ->
requestMatchers
.mvcMatchers("/path")
.securityMatchers((matchers) ->
matchers
.requestMatchers(new MvcRequestMatcher(introspector, "/path"))
)
.httpBasic(withDefaults())
.authorizeRequests((authorizeRequests) ->
@@ -415,12 +421,14 @@ public class HttpSecurityRequestMatchersTests {
static class RequestMatchersMvcMatcherServeltPathConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
mvcMatcherBuilder.servletPath("/spring");
// @formatter:off
http
.requestMatchers()
.mvcMatchers("/path").servletPath("/spring")
.mvcMatchers("/never-match")
.securityMatchers()
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
.requestMatchers("/never-match")
.and()
.httpBasic().and()
.authorizeRequests()
@@ -452,13 +460,15 @@ public class HttpSecurityRequestMatchersTests {
static class RequestMatchersMvcMatcherServletPathInLambdaConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
mvcMatcherBuilder.servletPath("/spring");
// @formatter:off
http
.requestMatchers((requestMatchers) ->
requestMatchers
.mvcMatchers("/path").servletPath("/spring")
.mvcMatchers("/never-match")
.securityMatchers((matchers) ->
matchers
.requestMatchers(mvcMatcherBuilder.pattern("/path"))
.requestMatchers("/never-match")
)
.httpBasic(withDefaults())
.authorizeRequests((authorizeRequests) ->

View File

@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
@@ -91,6 +92,7 @@ public class NamespaceHttpAnonymousTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AnonymousConfig {
@Bean
@@ -98,7 +100,7 @@ public class NamespaceHttpAnonymousTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/type").anonymous()
.requestMatchers("/type").anonymous()
.anyRequest().denyAll();
return http.build();
// @formatter:on
@@ -131,6 +133,7 @@ public class NamespaceHttpAnonymousTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AnonymousGrantedAuthorityConfig {
@Bean
@@ -138,7 +141,7 @@ public class NamespaceHttpAnonymousTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/type").hasRole("ANON")
.requestMatchers("/type").hasRole("ANON")
.anyRequest().denyAll()
.and()
.anonymous()
@@ -151,6 +154,7 @@ public class NamespaceHttpAnonymousTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AnonymousKeyConfig {
@Bean
@@ -158,7 +162,7 @@ public class NamespaceHttpAnonymousTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/key").anonymous()
.requestMatchers("/key").anonymous()
.anyRequest().denyAll()
.and()
.anonymous().key("AnonymousKeyConfig");
@@ -170,6 +174,7 @@ public class NamespaceHttpAnonymousTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class AnonymousUsernameConfig {
@Bean
@@ -177,7 +182,7 @@ public class NamespaceHttpAnonymousTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/principal").anonymous()
.requestMatchers("/principal").anonymous()
.anyRequest().denyAll()
.and()
.anonymous().principal("AnonymousUsernameConfig");

View File

@@ -37,6 +37,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.spy;
@@ -111,11 +112,12 @@ public class NamespaceHttpFormLoginTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class FormLoginConfig {
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/resources/**");
return (web) -> web.ignoring().requestMatchers("/resources/**");
}
@Bean

View File

@@ -39,6 +39,7 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -110,25 +111,26 @@ public class NamespaceHttpInterceptUrlTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class HttpInterceptUrlConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests().antMatchers(
.authorizeRequests().requestMatchers(
// the line below is similar to intercept-url@pattern:
// <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
//" access="hasRole('ROLE_ADMIN')"/>
"/users**", "/sessions/**").hasRole("ADMIN").antMatchers(
"/users**", "/sessions/**").hasRole("ADMIN").requestMatchers(
// the line below is similar to intercept-url@method:
// <intercept-url pattern="/admin/post" access="hasRole('ROLE_ADMIN')" method="POST"/>
//" access="hasRole('ROLE_ADMIN')" method="POST"/>
HttpMethod.POST, "/admin/post", "/admin/another-post/**").hasRole("ADMIN")
.antMatchers("/signup").permitAll()
.requestMatchers("/signup").permitAll()
.anyRequest().hasRole("USER")
.and()
.requiresChannel().antMatchers("/login", "/secured/**")
.requiresChannel().requestMatchers("/login", "/secured/**")
// NOTE: channel security is configured separately of authorization (i.e. intercept-url@access
// the line below is similar to intercept-url@requires-channel="https":
// <intercept-url pattern="/login" requires-channel="https"/>

View File

@@ -31,6 +31,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
@@ -62,6 +63,7 @@ public class NamespaceHttpPortMappingsTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class HttpInterceptUrlWithPortMapperConfig {
@Bean
@@ -75,7 +77,7 @@ public class NamespaceHttpPortMappingsTests {
.http(9080).mapsTo(9443)
.and()
.requiresChannel()
.antMatchers("/login", "/secured/**").requiresSecure()
.requestMatchers("/login", "/secured/**").requiresSecure()
.anyRequest().requiresInsecure();
// @formatter:on
return http.build();

View File

@@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@@ -351,7 +352,7 @@ public class NamespaceRememberMeTests {
SecurityFilterChain withoutKeyFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.antMatcher("/without-key/**")
.securityMatcher(new AntPathRequestMatcher("/without-key/**"))
.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
.formLogin()
.loginProcessingUrl("/without-key/login")

View File

@@ -27,6 +27,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -77,11 +78,11 @@ public class RequestMatcherConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers()
.antMatchers("/api/**")
.securityMatchers()
.requestMatchers(new AntPathRequestMatcher("/api/**"))
.and()
.requestMatchers()
.antMatchers("/oauth/**")
.securityMatchers()
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
.and()
.authorizeRequests()
.anyRequest().denyAll();
@@ -99,13 +100,13 @@ public class RequestMatcherConfigurerTests {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.requestMatchers((requestMatchers) ->
requestMatchers
.antMatchers("/api/**")
.securityMatchers((matchers) ->
matchers
.requestMatchers(new AntPathRequestMatcher("/api/**"))
)
.requestMatchers((requestMatchers) ->
requestMatchers
.antMatchers("/oauth/**")
.securityMatchers((matchers) ->
matchers
.requestMatchers(new AntPathRequestMatcher("/oauth/**"))
)
.authorizeRequests((authorizeRequests) ->
authorizeRequests

View File

@@ -41,12 +41,14 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import static org.assertj.core.api.Assertions.assertThat;
@@ -176,12 +178,13 @@ public class UrlAuthorizationConfigurerTests {
static class MvcMatcherConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
HandlerMappingIntrospector introspector) throws Exception {
// @formatter:off
http
.httpBasic().and()
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
.mvcMatchers("/path").hasRole("ADMIN");
.requestMatchers(new MvcRequestMatcher(introspector, "/path")).hasRole("ADMIN");
// @formatter:on
return http.build();
}
@@ -209,12 +212,15 @@ public class UrlAuthorizationConfigurerTests {
static class MvcMatcherServletPathConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception {
SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context,
HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher mvcRequestMatcher = new MvcRequestMatcher(introspector, "/path");
mvcRequestMatcher.setServletPath("/spring");
// @formatter:off
http
.httpBasic().and()
.apply(new UrlAuthorizationConfigurer(context)).getRegistry()
.mvcMatchers("/path").servletPath("/spring").hasRole("ADMIN");
.requestMatchers(mvcRequestMatcher).hasRole("ADMIN");
// @formatter:on
return http.build();
}
@@ -274,9 +280,9 @@ public class UrlAuthorizationConfigurerTests {
http
.httpBasic(Customizer.withDefaults())
.apply(new UrlAuthorizationConfigurer<>(context)).getRegistry()
.mvcMatchers("/test-1").hasRole("ADMIN")
.mvcMatchers("/test-2").hasRole("ADMIN")
.mvcMatchers("/test-3").hasRole("ADMIN")
.requestMatchers("/test-1").hasRole("ADMIN")
.requestMatchers("/test-2").hasRole("ADMIN")
.requestMatchers("/test-3").hasRole("ADMIN")
.anyRequest().hasRole("USER");
// @formatter:on
return http.build();

View File

@@ -38,6 +38,7 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -133,6 +134,7 @@ public class UrlAuthorizationsTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class RoleConfig {
@Bean
@@ -140,12 +142,12 @@ public class UrlAuthorizationsTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
.antMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
.antMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.antMatchers("/role-user").hasAnyRole("USER")
.antMatchers("/role-admin").hasAnyRole("ADMIN")
.antMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
.requestMatchers("/role-user-authority").hasAnyAuthority("ROLE_USER")
.requestMatchers("/role-admin-authority").hasAnyAuthority("ROLE_ADMIN")
.requestMatchers("/role-user-admin-authority").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")
.requestMatchers("/role-user").hasAnyRole("USER")
.requestMatchers("/role-admin").hasAnyRole("ADMIN")
.requestMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN");
return http.build();
// @formatter:on
}
@@ -154,6 +156,7 @@ public class UrlAuthorizationsTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class NoSpecificAccessDecisionManagerConfig {
@Bean
@@ -162,7 +165,7 @@ public class UrlAuthorizationsTests {
.apply(new UrlAuthorizationConfigurer(context)).getRegistry();
// @formatter:off
registry
.antMatchers("/a").hasRole("ADMIN")
.requestMatchers("/a").hasRole("ADMIN")
.anyRequest().hasRole("USER");
return http.build();
// @formatter:on

View File

@@ -147,6 +147,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestOperations;
import org.springframework.web.context.support.GenericWebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -1494,6 +1495,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class DefaultConfig {
@Bean
@@ -1501,7 +1503,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
@@ -1514,6 +1516,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class DefaultInLambdaConfig {
@Bean
@@ -1522,7 +1525,7 @@ public class OAuth2ResourceServerConfigurerTests {
http
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -1537,6 +1540,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class JwkSetUriConfig {
@Value("${mockwebserver.url:https://example.org}")
@@ -1547,7 +1551,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
@@ -1561,6 +1565,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class JwkSetUriInLambdaConfig {
@Value("${mockwebserver.url:https://example.org}")
@@ -1572,7 +1577,7 @@ public class OAuth2ResourceServerConfigurerTests {
http
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -1590,6 +1595,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class CsrfDisabledConfig {
@Value("${mockwebserver.url:https://example.org}")
@@ -1600,7 +1606,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
.and()
.csrf().disable()
@@ -1787,6 +1793,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class CustomAuthorityMappingConfig {
@Bean
@@ -1794,7 +1801,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").access("hasAuthority('message:read')")
.requestMatchers("/requires-read-scope").access("hasAuthority('message:read')")
.and()
.oauth2ResourceServer()
.jwt()
@@ -2326,6 +2333,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class OpaqueTokenConfig {
@Bean
@@ -2333,7 +2341,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
@@ -2346,6 +2354,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class OpaqueTokenInLambdaConfig {
@Bean
@@ -2354,7 +2363,7 @@ public class OAuth2ResourceServerConfigurerTests {
http
.authorizeRequests((authorizeRequests) ->
authorizeRequests
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2ResourceServer) ->
@@ -2540,6 +2549,7 @@ public class OAuth2ResourceServerConfigurerTests {
@Configuration
@EnableWebSecurity
@EnableWebMvc
static class OpaqueTokenAuthenticationConverterConfig {
@Bean
@@ -2547,7 +2557,7 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.requestMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()

View File

@@ -22,6 +22,7 @@ import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
/**
* @author Rob Winch
@@ -43,7 +44,7 @@ public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityF
// @formatter:off
http
.authorizeRequests()
.antMatchers(this.permitAllPattern).permitAll()
.requestMatchers(new AntPathRequestMatcher(this.permitAllPattern)).permitAll()
.anyRequest().authenticated();
// @formatter:on
if (http.getConfigurer(FormLoginConfigurer.class) == null) {