Add support checking AnyRequestMatcher securityFilterChains

Closes gh-15220
This commit is contained in:
Max Batischev
2024-06-11 01:26:27 +03:00
committed by Josh Cummings
parent 470cb46e38
commit 4c780bf8d4
2 changed files with 45 additions and 2 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -318,6 +318,14 @@ public class WebSecurityConfigurationTests {
assertThat(privilegeEvaluator.isAllowed("/ignoring1/child", null)).isTrue();
}
@Test
public void loadConfigWhenTwoSecurityFilterChainsPresentAndSecondWithAnyRequestThenException() {
assertThatExceptionOfType(BeanCreationException.class)
.isThrownBy(() -> this.spring.register(MultipleAnyRequestSecurityFilterChainConfig.class).autowire())
.havingRootCause()
.isExactlyInstanceOf(IllegalArgumentException.class);
}
private void assertAnotherUserPermission(WebInvocationPrivilegeEvaluator privilegeEvaluator) {
Authentication anotherUser = new TestingAuthenticationToken("anotherUser", "password", "ROLE_ANOTHER");
assertThat(privilegeEvaluator.isAllowed("/user", anotherUser)).isFalse();
@@ -819,4 +827,26 @@ public class WebSecurityConfigurationTests {
}
@Configuration
@EnableWebSecurity
@EnableWebMvc
@Import(AuthenticationTestConfiguration.class)
static class MultipleAnyRequestSecurityFilterChainConfig {
@Bean
@Order(0)
SecurityFilterChain api1(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((auth) -> auth.anyRequest().authenticated());
return http.build();
}
@Bean
@Order(1)
SecurityFilterChain api2(HttpSecurity http) throws Exception {
http.securityMatcher("/app/**").authorizeHttpRequests((auth) -> auth.anyRequest().authenticated());
return http.build();
}
}
}