Do Not Wire Default OidcSessionStrategy without OidcLogoutConfigurer

Closes gh-14558
This commit is contained in:
Josh Cummings
2024-01-29 17:20:56 -07:00
parent eea4279fae
commit 3ab323663a
6 changed files with 172 additions and 13 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.http.HttpHeaders;
import org.junit.jupiter.api.AfterEach;
@@ -36,6 +37,7 @@ import org.springframework.context.ApplicationListener;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.SmartApplicationListener;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockFilterChain;
@@ -48,6 +50,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.context.DelegatingApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
@@ -55,9 +58,11 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContextChangedListener;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -95,7 +100,9 @@ import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
@@ -150,10 +157,10 @@ public class OAuth2LoginConfigurerTests {
@Autowired
private FilterChainProxy springSecurityFilterChain;
@Autowired
@Autowired(required = false)
private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
@Autowired
@Autowired(required = false)
SecurityContextRepository securityContextRepository;
public final SpringTestContext spring = new SpringTestContext(this);
@@ -642,6 +649,26 @@ public class OAuth2LoginConfigurerTests {
.andExpect(redirectedUrl("https://logout?id_token_hint=id-token"));
}
@Test
public void configureWhenOidcSessionStrategyThenUses() {
this.spring.register(OAuth2LoginWithOidcSessionRegistry.class).autowire();
OidcSessionRegistry registry = this.spring.getContext().getBean(OidcSessionRegistry.class);
this.spring.getContext().publishEvent(new HttpSessionDestroyedEvent(this.request.getSession()));
verify(registry).removeSessionInformation(this.request.getSession().getId());
}
// gh-14558
@Test
public void oauth2LoginWhenDefaultsThenNoOidcSessionRegistry() {
this.spring.register(OAuth2LoginConfig.class).autowire();
DelegatingApplicationListener listener = this.spring.getContext().getBean(DelegatingApplicationListener.class);
List<SmartApplicationListener> listeners = (List<SmartApplicationListener>) ReflectionTestUtils
.getField(listener, "listeners");
assertThat(listeners.stream()
.filter((l) -> l.supportsEventType(SessionDestroyedEvent.class))
.collect(Collectors.toList())).isEmpty();
}
private void loadConfig(Class<?>... configs) {
AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext();
applicationContext.register(configs);
@@ -1117,6 +1144,32 @@ public class OAuth2LoginConfigurerTests {
}
@Configuration
@EnableWebSecurity
static class OAuth2LoginWithOidcSessionRegistry {
private final OidcSessionRegistry registry = mock(OidcSessionRegistry.class);
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.oauth2Login((oauth2) -> oauth2
.clientRegistrationRepository(
new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION))
.oidcSessionRegistry(this.registry)
);
// @formatter:on
return http.build();
}
@Bean
OidcSessionRegistry oidcSessionRegistry() {
return this.registry;
}
}
@Configuration
@EnableWebSecurity
static class OAuth2LoginWithXHREntryPointConfig extends CommonSecurityFilterChainConfig {

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -34,11 +34,13 @@ import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.OidcSessionRegistryAuthenticationWebFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
@@ -54,10 +56,12 @@ import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuth
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.oidc.server.session.ReactiveOidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository;
@@ -576,6 +580,27 @@ public class OAuth2LoginTests {
// @formatter:on
}
@Test
public void oauth2LoginWhenOidcSessionRegistryThenUses() {
this.spring.register(OAuth2LoginWithOidcSessionRegistry.class).autowire();
SecurityWebFilterChain chain = this.spring.getContext().getBean(SecurityWebFilterChain.class);
assertThat(chain.getWebFilters()
.filter((filter) -> filter instanceof OidcSessionRegistryAuthenticationWebFilter)
.collectList()
.block()).isNotEmpty();
}
// gh-14558
@Test
public void oauth2LoginWhenDefaultsThenNoOidcSessionRegistry() {
this.spring.register(OAuth2LoginWithSingleClientRegistrations.class, OAuth2LoginConfig.class).autowire();
SecurityWebFilterChain chain = this.spring.getContext().getBean(SecurityWebFilterChain.class);
assertThat(chain.getWebFilters()
.filter((filter) -> filter instanceof OidcSessionRegistryAuthenticationWebFilter)
.collectList()
.block()).isEmpty();
}
Mono<SecurityContext> authentication(Authentication authentication) {
SecurityContext context = new SecurityContextImpl();
context.setAuthentication(authentication);
@@ -624,6 +649,21 @@ public class OAuth2LoginTests {
}
@EnableWebFlux
static class OAuth2LoginConfig {
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
// @formatter:off
http
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
.oauth2Login(Customizer.withDefaults());
// @formatter:on
return http.build();
}
}
@EnableWebFlux
static class OAuth2AuthorizeWithMockObjectsConfig {
@@ -892,6 +932,35 @@ public class OAuth2LoginTests {
}
@Configuration
@EnableWebFluxSecurity
static class OAuth2LoginWithOidcSessionRegistry {
private final ReactiveOidcSessionRegistry registry = mock(ReactiveOidcSessionRegistry.class);
private final ReactiveClientRegistrationRepository clients = new InMemoryReactiveClientRegistrationRepository(
TestClientRegistrations.clientRegistration().build());
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
// @formatter:off
http
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
.oauth2Login((oauth2) -> oauth2
.clientRegistrationRepository(this.clients)
.oidcSessionRegistry(this.registry)
);
// @formatter:on
return http.build();
}
@Bean
ReactiveOidcSessionRegistry oidcSessionRegistry() {
return this.registry;
}
}
static class GitHubWebFilter implements WebFilter {
@Override