Spring Security

This commit is contained in:
Marcin Grzejszczak
2021-06-01 16:21:06 +02:00
parent 6a094db84e
commit 082ccbd2f2
23 changed files with 831 additions and 67 deletions

View File

@@ -75,6 +75,7 @@
|spring.sleuth.sampler.refresh.enabled | `true` | Enable refresh scope for sampler.
|spring.sleuth.scheduled.enabled | `true` | Enable tracing for {@link org.springframework.scheduling.annotation.Scheduled}.
|spring.sleuth.scheduled.skip-pattern | | Pattern for the fully qualified name of a class that should be skipped.
|spring.sleuth.security.enabled | `true` | Enable Spring Security instrumentation.
|spring.sleuth.span-filter.additional-span-name-patterns-to-ignore | | Additional list of span names to ignore. Will be appended to {@link #spanNamePatternsToSkip}.
|spring.sleuth.span-filter.enabled | `false` | Will turn on the default Sleuth handler mechanism. Might ignore exporting of certain spans;
|spring.sleuth.span-filter.span-name-patterns-to-skip | `^catalogWatchTaskScheduler$` | List of span names to ignore. They will not be sent to external systems.

View File

@@ -558,5 +558,11 @@ Fully qualified name of the enclosing class `org.springframework.cloud.sleuth.in
|http.status_code|Response status code.
|mvc.controller.class|Name of the class that is processing the request.
|mvc.controller.method|Name of the method that is processing the request.
|security.authentication.authenticated|Whether user is authenticated.
|security.authentication.authorities|Authorities assigned to the user.
|security.principal.account-non-expired|Whether principal's account is non expired.
|security.principal.authorities|Principal's authorities.
|security.principal.credentials-non-expired|Whether principal's credentials are non expired.
|security.principal.enabled|Whether principal is enabled.
|===

View File

@@ -651,6 +651,13 @@ This feature is available for all tracer implementations.
We're adding an instrumented Tomcat's `Valve` that originates the span.
In order to disable this instrumentation set `spring.sleuth.web.tomcat.enabled` to `false`.
[[sleuth-security-integration]]
== Spring Security
This feature is available for all tracer implementations.
We're injecting a custom filter into the Spring Security filter chains and we're tagging the existing span with security related tags.
In order to disable this instrumentation set `spring.sleuth.security.enabled` to `false`.
[[sleuth-jdbc-integration]]
== Spring JDBC

View File

@@ -0,0 +1,67 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.cloud.sleuth.CurrentTraceContext;
import org.springframework.cloud.sleuth.http.HttpServerHandler;
import org.springframework.cloud.sleuth.instrument.web.servlet.TracingFilter;
final class LazyTracingFilter implements Filter {
private final BeanFactory beanFactory;
private Filter tracingFilter;
LazyTracingFilter(BeanFactory beanFactory) {
this.beanFactory = beanFactory;
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
tracingFilter().init(filterConfig);
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
tracingFilter().doFilter(request, response, chain);
}
@Override
public void destroy() {
tracingFilter().destroy();
}
private Filter tracingFilter() {
if (this.tracingFilter == null) {
this.tracingFilter = TracingFilter.create(this.beanFactory.getBean(CurrentTraceContext.class),
this.beanFactory.getBean(HttpServerHandler.class));
}
return this.tracingFilter;
}
}

View File

@@ -0,0 +1,43 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.cloud.sleuth.instrument.web.TracingSecurityServletFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
class TraceServletSecurityBeanPostProcessor implements BeanPostProcessor {
private final BeanFactory beanFactory;
TraceServletSecurityBeanPostProcessor(BeanFactory beanFactory) {
this.beanFactory = beanFactory;
}
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof HttpSecurity) {
HttpSecurity httpSecurity = (HttpSecurity) bean;
httpSecurity.addFilterAfter(TracingSecurityServletFilter.lazy(this.beanFactory), SwitchUserFilter.class);
}
return bean;
}
}

View File

@@ -17,6 +17,7 @@
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.cloud.sleuth.CurrentTraceContext;
@@ -25,6 +26,7 @@ import org.springframework.cloud.sleuth.http.HttpServerHandler;
import org.springframework.cloud.sleuth.instrument.web.TraceWebFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
/**
* {@link org.springframework.boot.autoconfigure.EnableAutoConfiguration
@@ -52,4 +54,16 @@ class TraceWebFluxConfiguration {
return new TraceHandlerFunctionAdapterBeanPostProcessor(beanFactory);
}
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(ServerHttpSecurity.class)
@ConditionalOnProperty(value = "spring.sleuth.security.enabled", matchIfMissing = true)
protected static class TraceSecurityWebFluxAutoConfiguration {
@Bean
static TraceWebFluxSecurityBeanPostProcessor traceWebFluxSecurityBeanPostProcessor() {
return new TraceWebFluxSecurityBeanPostProcessor();
}
}
}

View File

@@ -0,0 +1,36 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.cloud.sleuth.instrument.web.TracingSecurityWebFilter;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
class TraceWebFluxSecurityBeanPostProcessor implements BeanPostProcessor {
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof ServerHttpSecurity) {
ServerHttpSecurity httpSecurity = (ServerHttpSecurity) bean;
httpSecurity.addFilterBefore(new TracingSecurityWebFilter(), SecurityWebFiltersOrder.LAST);
}
return bean;
}
}

View File

@@ -16,15 +16,7 @@
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.catalina.Valve;
@@ -41,13 +33,13 @@ import org.springframework.cloud.sleuth.Tracer;
import org.springframework.cloud.sleuth.http.HttpServerHandler;
import org.springframework.cloud.sleuth.instrument.web.TraceWebAspect;
import org.springframework.cloud.sleuth.instrument.web.mvc.SpanCustomizingAsyncHandlerInterceptor;
import org.springframework.cloud.sleuth.instrument.web.servlet.TracingFilter;
import org.springframework.cloud.sleuth.instrument.web.tomcat.TraceValve;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
@@ -92,6 +84,18 @@ class TraceWebServletConfiguration {
}
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(HttpSecurity.class)
@ConditionalOnProperty(value = "spring.sleuth.security.enabled", matchIfMissing = true)
protected static class TraceSecurityWebMvcAutoConfiguration {
@Bean
static TraceServletSecurityBeanPostProcessor traceServletSecurityBeanPostProcessor(BeanFactory beanFactory) {
return new TraceServletSecurityBeanPostProcessor(beanFactory);
}
}
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass({ Valve.class, ConfigurableTomcatWebServerFactory.class })
@ConditionalOnProperty(value = "spring.sleuth.web.tomcat.enabled", matchIfMissing = true)
@@ -108,40 +112,4 @@ class TraceWebServletConfiguration {
}
static final class LazyTracingFilter implements Filter {
private final BeanFactory beanFactory;
private Filter tracingFilter;
LazyTracingFilter(BeanFactory beanFactory) {
this.beanFactory = beanFactory;
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
tracingFilter().init(filterConfig);
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
tracingFilter().doFilter(request, response, chain);
}
@Override
public void destroy() {
tracingFilter().destroy();
}
private Filter tracingFilter() {
if (this.tracingFilter == null) {
this.tracingFilter = TracingFilter.create(this.beanFactory.getBean(CurrentTraceContext.class),
this.beanFactory.getBean(HttpServerHandler.class));
}
return this.tracingFilter;
}
}
}

View File

@@ -190,6 +190,12 @@
"type": "java.lang.Boolean",
"description": "Enable Spring Vault instrumentation.",
"defaultValue": true
},
{
"name": "spring.sleuth.security.enabled",
"type": "java.lang.Boolean",
"description": "Enable Spring Security instrumentation.",
"defaultValue": true
}
]
}

View File

@@ -115,10 +115,12 @@ public class TraceQuartzAutoConfigurationTest {
}
@Configuration(proxyBeanMethods = false)
@EnableAutoConfiguration(exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class })
@EnableAutoConfiguration(
exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class },
excludeName = "org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration")
public static class EnableAutoConfig {
}

View File

@@ -0,0 +1,91 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import org.junit.Test;
import org.mockito.BDDMockito;
import org.springframework.boot.autoconfigure.AutoConfigurations;
import org.springframework.boot.test.context.FilteredClassLoader;
import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
import org.springframework.cloud.sleuth.CurrentTraceContext;
import org.springframework.cloud.sleuth.SpanNamer;
import org.springframework.cloud.sleuth.Tracer;
import org.springframework.cloud.sleuth.http.HttpServerHandler;
import org.springframework.cloud.sleuth.internal.DefaultSpanNamer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Michał Ziemba
*/
public class TraceWebFluxSecurityConfigurationTests {
private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
.withConfiguration(AutoConfigurations.of(TraceWebAutoConfiguration.class))
.withUserConfiguration(TestConfig.class);
@Test
public void shouldNotCreateTracedWebBeansWhenSecurityMissing() {
this.contextRunner.withClassLoader(new FilteredClassLoader(ServerHttpSecurity.class)).run((context) -> {
assertThat(context).doesNotHaveBean(TraceWebFluxSecurityBeanPostProcessor.class);
});
}
@Test
public void shouldNotCreateTracedWebBeansWhenSecurityTraceDisabled() {
this.contextRunner.withPropertyValues("spring.sleuth.security.enabled=false").run((context) -> {
assertThat(context).doesNotHaveBean(TraceWebFluxSecurityBeanPostProcessor.class);
});
}
@Test
public void shouldCreateTraceSecurityBeanPostProcessorWhenServletClassPresent() {
this.contextRunner.run((context) -> {
assertThat(context).hasSingleBean(TraceWebFluxSecurityBeanPostProcessor.class);
});
}
@Configuration(proxyBeanMethods = false)
static class TestConfig {
@Bean
Tracer tracer() {
return BDDMockito.mock(Tracer.class);
}
@Bean
CurrentTraceContext currentTraceContext() {
return BDDMockito.mock(CurrentTraceContext.class);
}
@Bean
SpanNamer spanNamer() {
return new DefaultSpanNamer();
}
@Bean
HttpServerHandler httpServerHandler() {
return BDDMockito.mock(HttpServerHandler.class);
}
}
}

View File

@@ -0,0 +1,91 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.autoconfig.instrument.web;
import org.junit.Test;
import org.mockito.BDDMockito;
import org.springframework.boot.autoconfigure.AutoConfigurations;
import org.springframework.boot.test.context.FilteredClassLoader;
import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
import org.springframework.cloud.sleuth.CurrentTraceContext;
import org.springframework.cloud.sleuth.SpanNamer;
import org.springframework.cloud.sleuth.Tracer;
import org.springframework.cloud.sleuth.http.HttpServerHandler;
import org.springframework.cloud.sleuth.internal.DefaultSpanNamer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Michał Ziemba
*/
public class TraceWebServletSecurityConfigurationTests {
private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
.withConfiguration(AutoConfigurations.of(TraceWebAutoConfiguration.class))
.withUserConfiguration(TestConfig.class);
@Test
public void shouldNotCreateTracedWebBeansWhenSecurityMissing() {
this.contextRunner.withClassLoader(new FilteredClassLoader(HttpSecurity.class)).run((context) -> {
assertThat(context).doesNotHaveBean(TraceServletSecurityBeanPostProcessor.class);
});
}
@Test
public void shouldNotCreateTracedWebBeansWhenSecurityTraceDisabled() {
this.contextRunner.withPropertyValues("spring.sleuth.security.enabled=false").run((context) -> {
assertThat(context).doesNotHaveBean(TraceServletSecurityBeanPostProcessor.class);
});
}
@Test
public void shouldCreateTraceSecurityBeanPostProcessorWhenServletClassPresent() {
this.contextRunner.run((context) -> {
assertThat(context).hasSingleBean(TraceServletSecurityBeanPostProcessor.class);
});
}
@Configuration(proxyBeanMethods = false)
static class TestConfig {
@Bean
Tracer tracer() {
return BDDMockito.mock(Tracer.class);
}
@Bean
CurrentTraceContext currentTraceContext() {
return BDDMockito.mock(CurrentTraceContext.class);
}
@Bean
SpanNamer spanNamer() {
return new DefaultSpanNamer();
}
@Bean
HttpServerHandler httpServerHandler() {
return BDDMockito.mock(HttpServerHandler.class);
}
}
}

View File

@@ -120,10 +120,12 @@ public class BraveWebClientAutoConfigurationTests {
}
@Configuration(proxyBeanMethods = false)
@EnableAutoConfiguration(exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class })
@EnableAutoConfiguration(
exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class },
excludeName = "org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration")
static class Config {
// custom builder

View File

@@ -54,10 +54,12 @@ public class GH846Tests {
}
@Configuration(proxyBeanMethods = false)
@EnableAutoConfiguration(exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class })
@EnableAutoConfiguration(
exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class },
excludeName = "org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration")
static class App {
@Bean

View File

@@ -43,10 +43,12 @@ public class TraceWebClientDisabledTests {
}
@Configuration(proxyBeanMethods = false)
@EnableAutoConfiguration(exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class })
@EnableAutoConfiguration(
exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class },
excludeName = "org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration")
public static class Config {
}

View File

@@ -53,10 +53,12 @@ public class ZipkinSamplerTests {
}
@Configuration(proxyBeanMethods = false)
@EnableAutoConfiguration(exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class })
@EnableAutoConfiguration(
exclude = { GatewayClassPathWarningAutoConfiguration.class, GatewayAutoConfiguration.class,
GatewayMetricsAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class,
MongoAutoConfiguration.class, QuartzAutoConfiguration.class, R2dbcAutoConfiguration.class,
R2dbcDataAutoConfiguration.class },
excludeName = "org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration")
static class TestConfig {
}

View File

@@ -1,3 +1,3 @@
logging.level.org.springframework.cloud: DEBUG
spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration, org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration, org.springframework.cloud.gateway.config.GatewayAutoConfiguration, org.springframework.cloud.gateway.config.GatewayClassPathWarningAutoConfiguration, org.springframework.cloud.gateway.config.GatewayMetricsAutoConfiguration, org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration, org.springframework.boot.autoconfigure.r2dbc.R2dbcAutoConfiguration, org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration, org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration
spring.autoconfigure.exclude: org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration, org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration, org.springframework.cloud.gateway.config.GatewayAutoConfiguration, org.springframework.cloud.gateway.config.GatewayClassPathWarningAutoConfiguration, org.springframework.cloud.gateway.config.GatewayMetricsAutoConfiguration, org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration, org.springframework.boot.autoconfigure.r2dbc.R2dbcAutoConfiguration, org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration, org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration, org.springframework.cloud.gateway.config.GatewayRedisAutoConfiguration

View File

@@ -33,7 +33,7 @@ enum SleuthWebSpan implements DocumentedSpan {
@Override
public TagKey[] getTagKeys() {
return Tags.values();
return TagKey.merge(Tags.values(), SecurityTags.values());
}
};
@@ -78,4 +78,74 @@ enum SleuthWebSpan implements DocumentedSpan {
}
/**
* Tags related to security.
*
* @author Marcin Grzejszczak
* @since 3.1.0
*/
enum SecurityTags implements TagKey {
/**
* Authorities assigned to the user.
*/
AUTHORITIES {
@Override
public String getKey() {
return "security.authentication.authorities";
}
},
/**
* Whether user is authenticated.
*/
AUTHENTICATED {
@Override
public String getKey() {
return "security.authentication.authenticated";
}
},
/**
* Whether principal is enabled.
*/
PRINCIPAL_ENABLED {
@Override
public String getKey() {
return "security.principal.enabled";
}
},
/**
* Principal's authorities.
*/
PRINCIPAL_AUTHORITIES {
@Override
public String getKey() {
return "security.principal.authorities";
}
},
/**
* Whether principal's account is non expired.
*/
PRINCIPAL_ACCOUNT_NON_EXPIRED {
@Override
public String getKey() {
return "security.principal.account-non-expired";
}
},
/**
* Whether principal's credentials are non expired.
*/
PRINCIPAL_CREDENTIALS_NON_EXPIRED {
@Override
public String getKey() {
return "security.principal.credentials-non-expired";
}
}
}
}

View File

@@ -0,0 +1,91 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.instrument.web;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.cloud.sleuth.Span;
import org.springframework.cloud.sleuth.Tracer;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
/**
* A filter that adds security related tags.
*
* @author Marcin Grzejszczak
* @since 3.1.0
*/
public class TracingSecurityServletFilter extends GenericFilterBean {
private final Tracer tracer;
public TracingSecurityServletFilter(Tracer tracer) {
this.tracer = tracer;
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws ServletException, IOException {
SecurityContext securityContext = getContext();
if (securityContext != null) {
Span span = this.tracer.currentSpan();
if (span != null) {
TracingSecurityTagSetter.setSecurityTags(span, securityContext.getAuthentication());
}
}
filterChain.doFilter(servletRequest, servletResponse);
}
SecurityContext getContext() {
return SecurityContextHolder.getContext();
}
/**
* Lazy version of the {@link TracingSecurityServletFilter}.
* @param beanFactory bean factory
* @return lazy version of the filter
*/
public static Filter lazy(BeanFactory beanFactory) {
return new Filter() {
private TracingSecurityServletFilter tracingSecurityServletFilter;
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
tracingSecurityFilter().doFilter(servletRequest, servletResponse, filterChain);
}
private TracingSecurityServletFilter tracingSecurityFilter() {
if (this.tracingSecurityServletFilter == null) {
this.tracingSecurityServletFilter = new TracingSecurityServletFilter(
beanFactory.getBean(Tracer.class));
}
return this.tracingSecurityServletFilter;
}
};
}
}

View File

@@ -0,0 +1,57 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.instrument.web;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cloud.sleuth.Span;
import org.springframework.cloud.sleuth.docs.AssertingSpan;
import org.springframework.cloud.sleuth.instrument.web.SleuthWebSpan.SecurityTags;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.util.StringUtils;
final class TracingSecurityTagSetter {
private static final Log log = LogFactory.getLog(TracingSecurityTagSetter.class);
private TracingSecurityTagSetter() {
throw new IllegalStateException("Can't instantiate a utility class");
}
static void setSecurityTags(Span span, Authentication authentication) {
if (log.isDebugEnabled()) {
log.debug("Will set security tags on span [" + span + "]");
}
AssertingSpan assertingSpan = AssertingSpan.of(SleuthWebSpan.WEB_FILTER_SPAN, span);
assertingSpan.tag(SecurityTags.AUTHORITIES,
StringUtils.collectionToCommaDelimitedString(authentication.getAuthorities()));
assertingSpan.tag(SecurityTags.AUTHENTICATED, String.valueOf(authentication.isAuthenticated()));
Object principal = authentication.getPrincipal();
if (principal instanceof User) {
User user = (User) principal;
assertingSpan.tag(SecurityTags.PRINCIPAL_ENABLED, String.valueOf(user.isEnabled()));
assertingSpan.tag(SecurityTags.PRINCIPAL_AUTHORITIES,
StringUtils.collectionToCommaDelimitedString(user.getAuthorities()));
assertingSpan.tag(SecurityTags.PRINCIPAL_ACCOUNT_NON_EXPIRED, String.valueOf(user.isAccountNonExpired()));
assertingSpan.tag(SecurityTags.PRINCIPAL_CREDENTIALS_NON_EXPIRED,
String.valueOf(user.isCredentialsNonExpired()));
}
}
}

View File

@@ -0,0 +1,56 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.instrument.web;
import reactor.core.publisher.Mono;
import org.springframework.cloud.sleuth.Span;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
/**
* A filter that adds security related tags.
*
* @author Marcin Grzejszczak
* @since 3.1.0
*/
public class TracingSecurityWebFilter implements WebFilter {
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
// @formatter:off
return getContext()
.filter((c) -> c.getAuthentication() != null)
.map(SecurityContext::getAuthentication)
.doOnNext(authentication -> {
Object attribute = exchange.getAttribute(TraceWebFilter.TRACE_REQUEST_ATTR);
if (attribute instanceof Span) {
TracingSecurityTagSetter.setSecurityTags((Span) attribute, authentication);
}
})
.then(chain.filter(exchange));
// @formatter:on
}
Mono<SecurityContext> getContext() {
return ReactiveSecurityContextHolder.getContext();
}
}

View File

@@ -0,0 +1,73 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.instrument.web;
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletException;
import org.junit.jupiter.api.Test;
import org.springframework.cloud.sleuth.tracer.SimpleSpan;
import org.springframework.cloud.sleuth.tracer.SimpleTracer;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.User;
import static org.assertj.core.api.BDDAssertions.then;
class TracingSecurityServletFilterTests {
SimpleTracer tracer = new SimpleTracer();
TracingSecurityServletFilter filter = new TracingSecurityServletFilter(this.tracer) {
@Override
SecurityContext getContext() {
return new SecurityContextImpl(new TestingAuthenticationToken(
new User("foo", "bar", Collections.singletonList(new SimpleGrantedAuthority("my-role"))), null,
"my-authority"));
}
};
@Test
void should_tag_current_span_with_security_info() throws ServletException, IOException {
SimpleSpan simpleSpan = this.tracer.nextSpan().start();
this.filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
then(simpleSpan.tags).containsEntry("security.authentication.authorities", "my-authority")
.containsEntry("security.authentication.authenticated", "true")
.containsEntry("security.principal.enabled", "true")
.containsEntry("security.principal.authorities", "my-role")
.containsEntry("security.principal.account-non-expired", "true")
.containsEntry("security.principal.credentials-non-expired", "true");
}
@Test
void should_do_nothing_when_there_is_no_current_span() throws ServletException, IOException {
this.filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
then(this.tracer.spans).isEmpty();
}
}

View File

@@ -0,0 +1,77 @@
/*
* Copyright 2013-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.sleuth.instrument.web;
import java.time.Duration;
import java.util.Collections;
import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono;
import org.springframework.cloud.sleuth.tracer.SimpleSpan;
import org.springframework.cloud.sleuth.tracer.SimpleTracer;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.User;
import static org.assertj.core.api.BDDAssertions.then;
class TracingSecurityWebFluxFilterTests {
SimpleTracer tracer = new SimpleTracer();
TracingSecurityWebFilter filter = new TracingSecurityWebFilter() {
@Override
Mono<SecurityContext> getContext() {
return Mono.just(new SecurityContextImpl(new TestingAuthenticationToken(
new User("foo", "bar", Collections.singletonList(new SimpleGrantedAuthority("my-role"))), null,
"my-authority")));
}
};
@Test
void should_tag_current_span_with_security_info() {
MockServerHttpRequest request = MockServerHttpRequest.post("foo/bar").build();
MockServerWebExchange exchange = MockServerWebExchange.builder(request).build();
SimpleSpan simpleSpan = this.tracer.nextSpan().start();
exchange.getAttributes().put(TraceWebFilter.TRACE_REQUEST_ATTR, simpleSpan);
this.filter.filter(exchange, exchange1 -> Mono.empty()).block(Duration.ofMillis(10));
then(simpleSpan.tags).containsEntry("security.authentication.authorities", "my-authority")
.containsEntry("security.authentication.authenticated", "true")
.containsEntry("security.principal.enabled", "true")
.containsEntry("security.principal.authorities", "my-role")
.containsEntry("security.principal.account-non-expired", "true")
.containsEntry("security.principal.credentials-non-expired", "true");
}
@Test
void should_do_nothing_when_there_is_no_current_span() {
MockServerHttpRequest request = MockServerHttpRequest.post("foo/bar").build();
MockServerWebExchange exchange = MockServerWebExchange.builder(request).build();
this.filter.filter(exchange, exchange1 -> Mono.empty()).block(Duration.ofMillis(10));
then(this.tracer.spans).isEmpty();
}
}