From 753e113a13aa6ad71791129510d2c17dd8fd22ed Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Thu, 13 Oct 2022 07:16:29 -0400 Subject: [PATCH] RequestMatcherDelegatingAuthorizationManager defaults to deny Closes gh-11958 --- .../config/http/AuthorizationFilterParser.java | 5 +---- .../AuthorizeHttpRequestsConfigurerTests.java | 4 ++-- ...enticationManagerBeanDefinitionParserTests.java | 5 ++++- .../config/http/InterceptUrlConfigTests.java | 2 +- .../SessionManagementConfigServlet31Tests.java | 4 +++- .../web/AuthorizeHttpRequestsDslTests.kt | 4 ++-- .../PasswordEncoderParserTests-bean.xml | 7 +++++-- .../PasswordEncoderParserTests-default.xml | 5 ++++- ...yDebugBeanFactoryPostProcessorTests-context.xml | 6 ++++-- .../CsrfConfigTests-WithAccessDeniedHandler.xml | 3 ++- .../http/CsrfConfigTests-WithRequestAttrName.xml | 3 ++- ...rmLoginBeanDefinitionParserTests-AutoConfig.xml | 3 ++- .../FormLoginBeanDefinitionParserTests-Simple.xml | 3 ++- ...erTests-WithAuthenticationFailureForwardUrl.xml | 3 ++- ...erTests-WithAuthenticationSuccessForwardUrl.xml | 3 ++- ...nDefinitionParserTests-WithCustomAttributes.xml | 3 ++- ...Tests-AuthenticationManagerEraseCredentials.xml | 3 ++- ...sts-AuthenticationManagerRefKeepCredentials.xml | 3 ++- ...-AuthenticationManagerRefNotProviderManager.xml | 3 ++- .../config/http/MiscHttpConfigTests-AutoConfig.xml | 6 ++++-- ...gTests-CustomAuthenticationDetailsSourceRef.xml | 3 ++- .../http/MiscHttpConfigTests-CustomFilters.xml | 3 ++- .../http/MiscHttpConfigTests-DeleteCookies.xml | 3 ++- .../config/http/MiscHttpConfigTests-HttpBasic.xml | 3 ++- .../http/MiscHttpConfigTests-HttpFirewall.xml | 3 ++- .../config/http/MiscHttpConfigTests-Jaas.xml | 3 ++- .../config/http/MiscHttpConfigTests-JeeFilter.xml | 3 ++- ...MiscHttpConfigTests-LogoutSuccessHandlerRef.xml | 3 ++- .../MiscHttpConfigTests-MinimalConfiguration.xml | 3 ++- ...scHttpConfigTests-MissingUserDetailsService.xml | 6 ++++-- ...nfigTests-NoInternalAuthenticationProviders.xml | 3 ++- .../config/http/MiscHttpConfigTests-Sec750.xml | 6 ++++-- ...tiHttpBlockConfigTests-DistinctHttpElements.xml | 2 ++ ...iHttpBlockConfigTests-IdenticalHttpElements.xml | 4 +++- ...onfigTests-IdenticallyPatternedHttpElements.xml | 2 ++ .../http/MultiHttpBlockConfigTests-Sec1937.xml | 4 +++- ...arserTests-AuthorizedClientArgumentResolver.xml | 3 ++- ...erTests-CustomAuthorizationRedirectStrategy.xml | 1 + ...onParserTests-CustomAuthorizedClientService.xml | 3 ++- ...serTests-CustomClientRegistrationRepository.xml | 3 ++- ...anDefinitionParserTests-CustomConfiguration.xml | 3 ++- ...uth2ClientBeanDefinitionParserTests-Minimal.xml | 3 ++- ...ntConfigTests-ConcurrencyControlMaxSessions.xml | 3 ++- ...ts-ConcurrencyControlMaxSessionsPlaceHolder.xml | 3 ++- ...gTests-ConcurrencyControlSessionRegistryRef.xml | 3 ++- ...ateSessionAlwaysWithTransientAuthentication.xml | 3 ++- ...enticationTests-WithTransientAuthentication.xml | 3 ++- ...initionParserTests-CustomChangePasswordPage.xml | 3 ++- ...nitionParserTests-DefaultChangePasswordPage.xml | 3 ++- ...questMatcherDelegatingAuthorizationManager.java | 10 +++++++--- ...MatcherDelegatingAuthorizationManagerTests.java | 14 ++++++-------- 51 files changed, 126 insertions(+), 67 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java index 3baac94204..5f8b97f0da 100644 --- a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java +++ b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java @@ -34,7 +34,6 @@ import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser; import org.springframework.beans.factory.xml.BeanDefinitionParser; import org.springframework.beans.factory.xml.ParserContext; import org.springframework.beans.factory.xml.XmlReaderContext; -import org.springframework.security.authorization.AuthenticatedAuthorizationManager; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.ObservationAuthorizationManager; import org.springframework.security.config.Elements; @@ -43,7 +42,6 @@ import org.springframework.security.web.access.expression.WebExpressionAuthoriza import org.springframework.security.web.access.intercept.AuthorizationFilter; import org.springframework.security.web.access.intercept.RequestAuthorizationContext; import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager; -import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.StringUtils; import org.springframework.util.xml.DomUtils; @@ -197,8 +195,7 @@ class AuthorizationFilterParser implements BeanDefinitionParser { .entrySet()) { builder.add(entry.getKey(), entry.getValue()); } - AuthorizationManager manager = builder - .add(AnyRequestMatcher.INSTANCE, AuthenticatedAuthorizationManager.authenticated()).build(); + AuthorizationManager manager = builder.build(); if (!this.observationRegistry.isNoop()) { return new ObservationAuthorizationManager<>(this.observationRegistry, manager); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java index 2256393dd2..40d59f146f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java @@ -358,7 +358,7 @@ public class AuthorizeHttpRequestsConfigurerTests { } @Test - public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithOk() + public void getWhenServletPathRoleAdminConfiguredAndRoleIsUserAndWithoutServletPathThenRespondsWithForbidden() throws Exception { this.spring.register(ServletPathConfig.class, BasicController.class).autowire(); // @formatter:off @@ -366,7 +366,7 @@ public class AuthorizeHttpRequestsConfigurerTests { .with(user("user") .roles("USER")); // @formatter:on - this.mvc.perform(requestWithUser).andExpect(status().isOk()); + this.mvc.perform(requestWithUser).andExpect(status().isForbidden()); } @Test diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java index ebdb8ee9dd..212b675108 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java @@ -139,7 +139,10 @@ public class AuthenticationManagerBeanDefinitionParserTests { + "" + " " + "" - + "") + + "" + + " " + + " " + + "") .mockMvcAfterSpringSecurityOk() .autowire(); this.mockMvc.perform(get("/").with(httpBasic("user", "password"))) diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java index f925de4d0e..c4e821126a 100644 --- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java @@ -120,7 +120,7 @@ public class InterceptUrlConfigTests { this.spring.configLocations(this.xml("PatchMethodAuthorizationManager")).autowire(); // @formatter:off this.mvc.perform(get("/path").with(userCredentials())) - .andExpect(status().isOk()); + .andExpect(status().isForbidden()); this.mvc.perform(patch("/path").with(userCredentials())) .andExpect(status().isForbidden()); this.mvc.perform(patch("/path").with(adminCredentials())) diff --git a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java index 3bcc4172ea..03c50c9db9 100644 --- a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java +++ b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -85,6 +85,7 @@ public class SessionManagementConfigServlet31Tests { String id = request.getSession().getId(); // @formatter:off loadContext("\n" + + " \n" + " \n" + " \n" + " \n" @@ -107,6 +108,7 @@ public class SessionManagementConfigServlet31Tests { String id = request.getSession().getId(); // @formatter:off loadContext("\n" + + " \n" + " \n" + " \n" + " \n" diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt index e23e1360a1..3dac9f6ed9 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt @@ -512,7 +512,7 @@ class AuthorizeHttpRequestsDslTests { request.servletPath = "/other" request }) - .andExpect(status().isOk) + .andExpect(status().isForbidden) } @Configuration @@ -602,7 +602,7 @@ class AuthorizeHttpRequestsDslTests { servletPath = "/other" } }) - .andExpect(status().isOk) + .andExpect(status().isForbidden) } @Configuration diff --git a/config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml b/config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml index 04f6e1596e..f203b9e268 100644 --- a/config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml +++ b/config/src/test/resources/org/springframework/security/config/authentication/PasswordEncoderParserTests-bean.xml @@ -1,5 +1,5 @@