Migrate to AuthorizationFilter in Spring Security auto-config

This commit updates Servlet based Spring Security auto-configuration
to use AuthorizationFilter, which is intended to supersede
FilterSecurityInterceptor.

See gh-31255
pull/32476/head
Vedran Pavic 2 years ago committed by Andy Wilkinson
parent 5543fba57e
commit 230f2cda84

@ -58,7 +58,7 @@ public class ManagementWebSecurityAutoConfiguration {
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER)
SecurityFilterChain managementSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll();
requests.anyRequest().authenticated();
});

@ -183,7 +183,7 @@ abstract class AbstractEndpointRequestIntegrationTests {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.requestMatchers(EndpointRequest.toLinks()).permitAll();
requests.requestMatchers(EndpointRequest.to(TestEndpoint1.class)).permitAll();
requests.requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated();

@ -179,7 +179,7 @@ class ManagementWebSecurityAutoConfigurationTests {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/foo").permitAll();
requests.anyRequest().authenticated();
});
@ -194,7 +194,7 @@ class ManagementWebSecurityAutoConfigurationTests {
@Bean
SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception {
return http.antMatcher("/**").authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
return http.antMatcher("/**").authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.build();
}
@ -206,8 +206,8 @@ class ManagementWebSecurityAutoConfigurationTests {
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) throws Exception {
return http.requestMatcher(new AntPathRequestMatcher("/**")).authorizeRequests().anyRequest().anonymous()
.and().csrf().disable().build();
return http.requestMatcher(new AntPathRequestMatcher("/**")).authorizeHttpRequests().anyRequest()
.anonymous().and().csrf().disable().build();
}
}

@ -58,7 +58,7 @@ class OAuth2WebSecurityConfiguration {
@Bean
SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2Login(Customizer.withDefaults());
http.oauth2Client();
return http.build();

@ -153,7 +153,7 @@ class OAuth2ResourceServerJwtConfiguration {
@Bean
@ConditionalOnBean(JwtDecoder.class)
SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
}

@ -60,7 +60,7 @@ class OAuth2ResourceServerOpaqueTokenConfiguration {
@Bean
@ConditionalOnBean(OpaqueTokenIntrospector.class)
SecurityFilterChain opaqueTokenSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
return http.build();
}

@ -37,7 +37,7 @@ class Saml2LoginConfiguration {
@Bean
SecurityFilterChain samlSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated()).saml2Login();
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()).saml2Login();
http.saml2Logout();
return http.build();
}

@ -54,7 +54,7 @@ class SpringBootWebSecurityConfiguration {
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER)
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.authorizeHttpRequests().anyRequest().authenticated();
http.formLogin();
http.httpBasic();
return http.build();

@ -160,7 +160,7 @@ class GraphQlWebMvcSecurityAutoConfigurationTests {
return http.csrf((c) -> c.disable())
// Demonstrate that method security works
// Best practice to use both for defense in depth
.authorizeRequests((requests) -> requests.anyRequest().permitAll()).httpBasic(withDefaults())
.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()).httpBasic(withDefaults())
.build();
}

@ -241,7 +241,7 @@ class OAuth2WebSecurityConfigurationTests {
@Bean
SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception {
return http.antMatcher("/**").authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
return http.antMatcher("/**").authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.build();
}

@ -692,7 +692,7 @@ class OAuth2ResourceServerAutoConfigurationTests {
@Bean
SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception {
return http.antMatcher("/**").authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
return http.antMatcher("/**").authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.build();
}

@ -321,7 +321,7 @@ class Saml2RelyingPartyAutoConfigurationTests {
@Bean
SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception {
return http.antMatcher("/**").authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
return http.antMatcher("/**").authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.build();
}

@ -298,7 +298,7 @@ class SecurityAutoConfigurationTests {
@Bean
SecurityFilterChain testSecurityFilterChain(HttpSecurity http) throws Exception {
return http.antMatcher("/**").authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
return http.antMatcher("/**").authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.build();
}

@ -50,7 +50,7 @@ class RemoteDevtoolsSecurityConfiguration {
@ConditionalOnMissingBean(org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.class)
@SuppressWarnings("deprecation")
SecurityFilterChain devtoolsSecurityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and()
http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeHttpRequests().anyRequest().anonymous().and()
.csrf().disable();
return http.build();
}

@ -277,7 +277,7 @@ class RemoteDevToolsAutoConfigurationTests {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/foo/**").authorizeRequests().anyRequest().authenticated().and().httpBasic();
http.antMatcher("/foo/**").authorizeHttpRequests().anyRequest().authenticated().and().httpBasic();
}
}

@ -28,7 +28,7 @@ public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}

@ -30,7 +30,7 @@ public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic(withDefaults());
return http.build();
}

@ -34,7 +34,7 @@ public class DevProfileSecurityConfiguration {
@Order(Ordered.HIGHEST_PRECEDENCE)
SecurityFilterChain h2ConsoleSecurityFilterChain(HttpSecurity http) throws Exception {
http.requestMatcher(PathRequest.toH2Console());
http.authorizeRequests(yourCustomAuthorization());
http.authorizeHttpRequests(yourCustomAuthorization());
http.csrf((csrf) -> csrf.disable());
http.headers((headers) -> headers.frameOptions().sameOrigin());
return http.build();

@ -30,7 +30,7 @@ public class MyConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
return http.build();
}

@ -26,7 +26,7 @@ public class MySecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
return http.build();
}

@ -26,7 +26,7 @@ public class MyOAuthClientConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.oauth2Login((login) -> login.redirectionEndpoint().baseUri("custom-callback"));
return http.build();
}

@ -26,7 +26,7 @@ public class MySamlRelyingPartyConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.authorizeHttpRequests().anyRequest().authenticated();
http.saml2Login();
http.saml2Logout((saml2) -> saml2.logoutRequest((request) -> request.logoutUrl("/SLOService.saml2"))
.logoutResponse((response) -> response.logoutUrl("/SLOService.saml2")));

@ -27,7 +27,7 @@ class MySecurityConfiguration {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests {
requests -> requests.anyRequest().permitAll() }
return http.build()
}

@ -27,7 +27,7 @@ class MySecurityConfiguration {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests { requests ->
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests { requests ->
requests.anyRequest().hasRole("ENDPOINT_ADMIN")
}
http.httpBasic()

@ -26,7 +26,7 @@ class MyOAuthClientConfiguration {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http.authorizeRequests().anyRequest().authenticated()
http.authorizeHttpRequests().anyRequest().authenticated()
http.oauth2Login().redirectionEndpoint().baseUri("custom-callback")
return http.build()
}

@ -55,7 +55,7 @@ public class SecurityConfiguration {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.mvcMatchers("/actuator/beans").hasRole("BEANS");
requests.requestMatchers(EndpointRequest.to("health")).permitAll();
requests.requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class))

@ -38,7 +38,8 @@ public class SecurityConfig {
return http.csrf((csrf) -> csrf.disable())
// Demonstrate that method security works
// Best practice to use both for defense in depth
.authorizeRequests((requests) -> requests.anyRequest().permitAll()).httpBasic(withDefaults()).build();
.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()).httpBasic(withDefaults())
.build();
}
@Bean

@ -41,7 +41,7 @@ public class SecurityConfiguration {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests()
http.authorizeHttpRequests()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint().excluding(MappingsEndpoint.class)).hasRole("ACTUATOR")
.antMatchers("/**").hasRole("USER")

@ -69,8 +69,8 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests((requests) -> requests.anyRequest().fullyAuthenticated()
.filterSecurityInterceptorOncePerRequest(true));
http.authorizeHttpRequests(
(requests) -> requests.anyRequest().fullyAuthenticated().shouldFilterAllDispatcherTypes(false));
http.formLogin((form) -> form.loginPage("/login").permitAll());
http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access"));
return http.build();
@ -86,8 +86,8 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
http.csrf().disable();
http.requestMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeRequests(
(requests) -> requests.anyRequest().authenticated().filterSecurityInterceptorOncePerRequest(true));
http.authorizeHttpRequests(
(requests) -> requests.anyRequest().authenticated().shouldFilterAllDispatcherTypes(false));
http.httpBasic();
return http.build();
}

@ -1,5 +1,5 @@
/*
* Copyright 2012-2021 the original author or authors.
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -44,7 +44,7 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build();
}

@ -1,5 +1,5 @@
/*
* Copyright 2012-2021 the original author or authors.
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -47,7 +47,7 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build();
}

@ -50,7 +50,7 @@ abstract class AbstractErrorPageTests {
@Test
void testBadCredentials() {
final ResponseEntity<JsonNode> response = this.testRestTemplate.withBasicAuth("username", "wrongpassword")
.exchange("/test", HttpMethod.GET, null, JsonNode.class);
.exchange(this.pathPrefix + "/test", HttpMethod.GET, null, JsonNode.class);
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
JsonNode jsonResponse = response.getBody();
assertThat(jsonResponse).isNull();

@ -44,10 +44,10 @@ class CustomServletPathErrorPageTests extends AbstractErrorPageTests {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/custom/servlet/path/public/**").permitAll();
requests.anyRequest().fullyAuthenticated();
requests.filterSecurityInterceptorOncePerRequest(true);
requests.shouldFilterAllDispatcherTypes(false);
});
http.httpBasic();
http.formLogin((form) -> form.loginPage("/custom/servlet/path/login").permitAll());

@ -43,7 +43,7 @@ class CustomServletPathUnauthenticatedErrorPageTests extends AbstractUnauthentic
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/custom/servlet/path/error").permitAll();
requests.antMatchers("/custom/servlet/path/public/**").permitAll();
requests.anyRequest().authenticated();

@ -43,10 +43,10 @@ class ErrorPageTests extends AbstractErrorPageTests {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/public/**").permitAll();
requests.anyRequest().fullyAuthenticated();
requests.filterSecurityInterceptorOncePerRequest(true);
requests.shouldFilterAllDispatcherTypes(false);
});
http.httpBasic();
http.formLogin((form) -> form.loginPage("/login").permitAll());

@ -45,10 +45,10 @@ class NoSessionErrorPageTests extends AbstractErrorPageTests {
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeRequests((requests) -> {
.authorizeHttpRequests((requests) -> {
requests.antMatchers("/public/**").permitAll();
requests.anyRequest().authenticated();
requests.filterSecurityInterceptorOncePerRequest(true);
requests.shouldFilterAllDispatcherTypes(false);
});
http.httpBasic();
return http.build();

@ -95,7 +95,7 @@ class SampleWebSecureApplicationTests {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/public/**").permitAll();
requests.anyRequest().fullyAuthenticated();
});

@ -43,7 +43,7 @@ class UnauthenticatedErrorPageTests extends AbstractUnauthenticatedErrorPageTest
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http.authorizeRequests((requests) -> {
http.authorizeHttpRequests((requests) -> {
requests.antMatchers("/error").permitAll();
requests.antMatchers("/public/**").permitAll();
requests.anyRequest().authenticated();

Loading…
Cancel
Save