From 02d7e2826c4bdf5a3db388c25e839aa8ec289ac8 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Fri, 30 Oct 2015 11:25:46 +0000
Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20call=20ignoring.antMatchers([])?=
 =?UTF-8?q?=20as=20empty=20array=20now=20maps=20to=20/**?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, if security.ignored was set to none and the error controller was disabled, there would be no paths to ignore and we would call IgnoredRequestConfigurer.antMatchers with an empty array. While a bit pointless, this had no effect on Spring Security’s configuration.

This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As Spring Boot configures its ignored paths with highest precedence this means that security is now disabled for every path.

This commit updates both the management security and application security configuration to avoid calling antMatchers with an empty array, thereby ensuring that we don’t inadvertently ignore every path.

Even if the change to Spring Security is reverted we can keep this change. The behaviour will remain the same and, arguably, it makes the intent of our configuration clearer.

Closes gh-4345

[1] https://github.com/spring-projects/spring-security/commit/8663ac41731ead18c549a24c2c94b78ce0cceb1b
---
 .../ManagementWebSecurityAutoConfiguration.java | 5 ++++-
 .../ManagementWebSecurityAutoConfigurationTests.java | 2 +-
 .../security/SpringBootWebSecurityConfiguration.java | 7 ++++---
 .../security/SecurityAutoConfigurationTests.java | 12 ++++--------
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
index 8e2aefa12f..be94fb0af9 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
@@ -69,6 +69,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;

 /**
@@ -163,7 +164,9 @@ public class ManagementWebSecurityAutoConfiguration {
 }
 if (this.server != null) {
 String[] paths = this.server.getPathsArray(ignored);
- ignoring.antMatchers(paths);
+ if (!ObjectUtils.isEmpty(paths)) {
+ ignoring.antMatchers(paths);
+ }
 }
 }

diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfigurationTests.java
index 907e1a2d94..d0be9ccf38 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfigurationTests.java
@@ -144,7 +144,7 @@ public class ManagementWebSecurityAutoConfigurationTests {
 EnvironmentTestUtils.addEnvironment(this.context, "security.ignored:none");
 this.context.refresh();
 // Just the application and management endpoints now
- assertEquals(3,
+ assertEquals(2,
 this.context.getBean(FilterChainProxy.class).getFilterChains().size());
 }

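Review bot: The new `if (!ObjectUtils.isEmpty(paths))` guard around `ignoring.antMatchers(paths)` reads as a pointless null/empty check to anyone who has not seen this commit message, and a later "cleanup" that drops it would silently reintroduce the fail-open the commit fixes, so the reason belongs next to the code: `// Never pass an empty array: Spring Security maps it to /**, which would ignore every path`. The same comment applies to the matching guard added to SpringBootWebSecurityConfiguration.init in the later hunk. The enclosing method starts before this hunk, so whether `ignored` can otherwise be null at this point is not visible here.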
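Review bot: The updated assertion only checks that the filter-chain count dropped from 3 to 2, which cannot distinguish a correctly secured chain from one whose matcher ignores /**, so this test would not have caught the regression the commit describes. A regression test for the actual failure mode would assert, with `security.ignored:none` set, that no chain returned by `getFilterChains()` has an empty filter list, or drive a request for an arbitrary path through the `FilterChainProxy` bean and expect it to be challenged rather than passed through. The count-only assertion changed in SecurityAutoConfigurationTests in the last hunk has the same gap. The test method starts before this hunk.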
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
index 2d6fa77e1c..e24fa6e9f2 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -39,7 +39,6 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity.IgnoredRequestConfigurer;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -49,6 +48,7 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationEn
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;

 /**
@@ -147,13 +147,14 @@ public class SpringBootWebSecurityConfiguration {

 @Override
 public void init(WebSecurity builder) throws Exception {
- IgnoredRequestConfigurer ignoring = builder.ignoring();
 List ignored = getIgnored(this.security);
 if (this.errorController != null) {
 ignored.add(normalizePath(this.errorController.getErrorPath()));
 }
 String[] paths = this.server.getPathsArray(ignored);
- ignoring.antMatchers(paths);
+ if (!ObjectUtils.isEmpty(paths)) {
+ builder.ignoring().antMatchers(paths);
+ }
 }

 private String normalizePath(String errorPath) {
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
index 5fc6d18a8e..d1eead39cd 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
@@ -16,8 +16,6 @@ package org.springframework.boot.autoconfigure.security;

-import java.util.List;
-
 import org.junit.After;
 import org.junit.Test;

@@ -56,7 +54,6 @@ import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;

 import static org.junit.Assert.assertEquals;
@@ -91,10 +88,9 @@ public class SecurityAutoConfigurationTests {
 PropertyPlaceholderAutoConfiguration.class);
 this.context.refresh();
 assertNotNull(this.context.getBean(AuthenticationManagerBuilder.class));
- // 5 for static resources and one for the rest
- List filterChains = this.context
- .getBean(FilterChainProxy.class).getFilterChains();
- assertEquals(5, filterChains.size());
+ // 4 for static resources and one for the rest
+ assertEquals(5,
+ this.context.getBean(FilterChainProxy.class).getFilterChains().size());
 }

 @Test
@@ -165,7 +161,7 @@ public class SecurityAutoConfigurationTests {
 EnvironmentTestUtils.addEnvironment(this.context, "security.ignored:none");
 this.context.refresh();
 // Just the application endpoints now
- assertEquals(2,
+ assertEquals(1,
 this.context.getBean(FilterChainProxy.class).getFilterChains().size());
 }