diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index 6294f0e1b9..a34bd9c875 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -1281,11 +1281,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1302,12 +1301,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -1320,32 +1318,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @param authorizeHttpRequestsCustomizer the {@link Customizer} to provide more - * options for the {@link AuthorizationManagerRequestMatcherRegistry} * @return the {@link HttpSecurity} for further customizations * @throws Exception - * @since 5.5 + * @since 5.6 * @see #requestMatcher(RequestMatcher) */ - public HttpSecurity authorizeHttpRequests( - Customizer.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer) + public AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests() throws Exception { ApplicationContext context = getContext(); - authorizeHttpRequestsCustomizer - .customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry()); - return HttpSecurity.this; + return getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry(); } /** @@ -1366,10 +1359,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder + * authorizeHttpRequests + * .antMatchers("/**").hasRole("USER") + * ) + * .formLogin(withDefaults()); * } * } * @@ -1386,10 +1380,11 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder + * authorizeHttpRequests + * .antMatchers("/admin/**").hasRole("ADMIN") + * .antMatchers("/**").hasRole("USER") + * ) * .formLogin(withDefaults()); * } * } @@ -1407,24 +1402,27 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder + * authorizeHttpRequests + * .antMatchers("/**").hasRole("USER") + * .antMatchers("/admin/**").hasRole("ADMIN") + * ); * } * } * + * @param authorizeHttpRequestsCustomizer the {@link Customizer} to provide more + * options for the {@link AuthorizationManagerRequestMatcherRegistry} * @return the {@link HttpSecurity} for further customizations * @throws Exception * @since 5.5 * @see #requestMatcher(RequestMatcher) */ - public HttpSecurity authorizeHttpRequests() throws Exception { - ApplicationContext applicationContext = getContext(); - Customizer.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer = Customizer - .withDefaults(); + public HttpSecurity authorizeHttpRequests( + Customizer.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer) + throws Exception { + ApplicationContext context = getContext(); authorizeHttpRequestsCustomizer - .customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(applicationContext)).getRegistry()); + .customize(getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry()); return HttpSecurity.this; } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java index 6fabfee130..42dbea01c6 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java @@ -73,9 +73,9 @@ public class AuthorizeHttpRequestsConfigurerTests { } @Test - public void configureWhenAuthorizedHttpRequestsAndNoRequestsThenExceptionWithDefaultConfig() { + public void configureNoParameterWhenAuthorizedHttpRequestsAndNoRequestsThenException() { assertThatExceptionOfType(BeanCreationException.class) - .isThrownBy(() -> this.spring.register(NoRequestsConfigWithDefaultConfig.class).autowire()) + .isThrownBy(() -> this.spring.register(NoRequestsNoParameterConfig.class).autowire()) .withMessageContaining( "At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())"); } @@ -88,11 +88,10 @@ public class AuthorizeHttpRequestsConfigurerTests { } @Test - public void configureWhenAnyRequestIncompleteMappingDefaultConfigThenException() { + public void configureNoParameterWhenAnyRequestIncompleteMappingThenException() { assertThatExceptionOfType(BeanCreationException.class) - this.spring.register(IncompleteMappingConfigWithDefaultConfig.class, BasicController.class).autowire(); - this.mvc.perform(get("/")).andExpect(status().isOk()); - verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any()); + .isThrownBy(() -> this.spring.register(IncompleteMappingNoParameterConfig.class).autowire()) + .withMessageContaining("An incomplete mapping was found for "); } @Test @@ -111,11 +110,11 @@ public class AuthorizeHttpRequestsConfigurerTests { } @Test - public void configureMvcMatcherAccessAuthorizationManagerOnDefault() throws Exception { - CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class); - this.spring.register(IncompleteMappingConfigWithDefaultConfig.class).autowire(); - this.mvc.perform(get("/")).andExpect(status().isUnauthorized()); - verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any()); + public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception { + CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class); + this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire(); + this.mvc.perform(get("/")).andExpect(status().isOk()); + verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any()); } @Test @@ -395,29 +394,16 @@ public class AuthorizeHttpRequestsConfigurerTests { } @EnableWebSecurity - static class NoRequestsConfigWithDefaultConfig { + static class NoRequestsNoParameterConfig { @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off - return http - .authorizeHttpRequests() - .build(); + http + .authorizeHttpRequests(); // @formatter:on - } - } - - @EnableWebSecurity - static class IncompleteMappingConfigWithDefaultConfig { - - @Bean - FormLoginConfigurer filterChain(HttpSecurity http) throws Exception { - // @formatter:off - return http - .authorizeHttpRequests() - .formLogin(); - // @formatter:on + return http.build(); } } @@ -436,6 +422,22 @@ public class AuthorizeHttpRequestsConfigurerTests { } + @EnableWebSecurity + static class IncompleteMappingNoParameterConfig { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests() + .anyRequest(); + // @formatter:on + + return http.build(); + } + + } + @EnableWebSecurity static class AfterAnyRequestConfig { @@ -471,6 +473,24 @@ public class AuthorizeHttpRequestsConfigurerTests { } + @EnableWebSecurity + static class CustomAuthorizationManagerNoParameterConfig { + + static AuthorizationManager authorizationManager; + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests() + .anyRequest().access(authorizationManager); + // @formatter:on + + return http.build(); + } + + } + @EnableWebSecurity static class ObjectPostProcessorConfig {