From e9bd11ee8376a691ccec7317350b3008f89a404a Mon Sep 17 00:00:00 2001 From: Vedran Pavic Date: Fri, 17 May 2019 10:03:31 +0200 Subject: [PATCH 1/2] Fix NoClassDefFound when missing Spring Security Update Spring Session auto-configuration to ensure that the `DefaultCookieSerializer` doesn't break when Spring Security is not present on the classpath. Closes gh-16889 --- .../session/SessionAutoConfiguration.java | 37 +++++++++++-- ...AbstractSessionAutoConfigurationTests.java | 19 ++++++- ...AutoConfigurationWithoutSecurityTests.java | 55 +++++++++++++++++++ 3 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationWithoutSecurityTests.java diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java index 688e66158e..0fac44fc37 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java @@ -23,7 +23,9 @@ import java.util.Locale; import javax.annotation.PostConstruct; +import org.springframework.beans.BeansException; import org.springframework.beans.factory.ObjectProvider; +import org.springframework.beans.factory.config.BeanPostProcessor; import org.springframework.boot.WebApplicationType; import org.springframework.boot.autoconfigure.AutoConfigureAfter; import org.springframework.boot.autoconfigure.AutoConfigureBefore; @@ -53,6 +55,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; import org.springframework.context.annotation.ImportSelector; import org.springframework.core.type.AnnotationMetadata; +import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.session.ReactiveSessionRepository; import org.springframework.session.Session; import org.springframework.session.SessionRepository; @@ -92,8 +95,8 @@ public class SessionAutoConfiguration { @Bean @Conditional(DefaultCookieSerializerCondition.class) - public DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties, - ObjectProvider springSessionRememberMeServices) { + public DefaultCookieSerializer cookieSerializer( + ServerProperties serverProperties) { Cookie cookie = serverProperties.getServlet().getSession().getCookie(); DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer(); PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull(); @@ -104,9 +107,6 @@ public class SessionAutoConfiguration { map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie); map.from(cookie::getMaxAge).to((maxAge) -> cookieSerializer .setCookieMaxAge((int) maxAge.getSeconds())); - springSessionRememberMeServices.ifAvailable(( - rememberMeServices) -> cookieSerializer.setRememberMeRequestAttribute( - SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR)); return cookieSerializer; } @@ -118,6 +118,33 @@ public class SessionAutoConfiguration { } + @Configuration + @ConditionalOnClass(RememberMeServices.class) + static class RememberMeServicesConfiguration { + + @Bean + public BeanPostProcessor rememberMeServicesBeanPostProcessor( + ObjectProvider springSessionRememberMeServices) { + return new BeanPostProcessor() { + + @Override + public Object postProcessBeforeInitialization(Object bean, + String beanName) throws BeansException { + if (bean instanceof DefaultCookieSerializer) { + DefaultCookieSerializer cookieSerializer = (DefaultCookieSerializer) bean; + springSessionRememberMeServices + .ifAvailable((rememberMeServices) -> cookieSerializer + .setRememberMeRequestAttribute( + SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR)); + } + return bean; + } + + }; + } + + } + } @Configuration diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/AbstractSessionAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/AbstractSessionAutoConfigurationTests.java index aeaf35a91d..5319f8b8c8 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/AbstractSessionAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/AbstractSessionAutoConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2018 the original author or authors. + * Copyright 2012-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,10 +16,16 @@ package org.springframework.boot.autoconfigure.session; +import java.util.Collections; + import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext; import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.session.MapSessionRepository; import org.springframework.session.ReactiveSessionRepository; import org.springframework.session.SessionRepository; +import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession; import org.springframework.session.web.http.SessionRepositoryFilter; import org.springframework.web.server.session.WebSessionManager; @@ -51,4 +57,15 @@ public abstract class AbstractSessionAutoConfigurationTests { return type.cast(repository); } + @Configuration + @EnableSpringHttpSession + static class SessionRepositoryConfiguration { + + @Bean + public MapSessionRepository mySessionRepository() { + return new MapSessionRepository(Collections.emptyMap()); + } + + } + } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationWithoutSecurityTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationWithoutSecurityTests.java new file mode 100644 index 0000000000..931f077e81 --- /dev/null +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationWithoutSecurityTests.java @@ -0,0 +1,55 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.boot.autoconfigure.session; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import org.springframework.boot.autoconfigure.AutoConfigurations; +import org.springframework.boot.test.context.runner.WebApplicationContextRunner; +import org.springframework.boot.testsupport.runner.classpath.ClassPathExclusions; +import org.springframework.boot.testsupport.runner.classpath.ModifiedClassPathRunner; +import org.springframework.session.web.http.DefaultCookieSerializer; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Tests for {@link SessionAutoConfiguration} when Spring Security is not on the + * classpath. + * + * @author Vedran Pavic + */ +@RunWith(ModifiedClassPathRunner.class) +@ClassPathExclusions("spring-security-*") +public class SessionAutoConfigurationWithoutSecurityTests + extends AbstractSessionAutoConfigurationTests { + + private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner() + .withConfiguration(AutoConfigurations.of(SessionAutoConfiguration.class)); + + @Test + public void sessionCookieConfigurationIsAppliedToAutoConfiguredCookieSerializer() { + this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class) + .run((context) -> { + DefaultCookieSerializer cookieSerializer = context + .getBean(DefaultCookieSerializer.class); + assertThat(cookieSerializer).hasFieldOrPropertyWithValue( + "rememberMeRequestAttribute", null); + }); + } + +} From 6913ea24b0b0c8906a592fff6cf5f5b66717b4ad Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Tue, 28 May 2019 14:56:58 -0700 Subject: [PATCH 2/2] Polish "Fix NoClassDefFound when missing Spring Security" See gh-16889 --- .../session/SessionAutoConfiguration.java | 51 ++++++++----------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java index 0fac44fc37..9fd9be2ae1 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java @@ -23,9 +23,7 @@ import java.util.Locale; import javax.annotation.PostConstruct; -import org.springframework.beans.BeansException; import org.springframework.beans.factory.ObjectProvider; -import org.springframework.beans.factory.config.BeanPostProcessor; import org.springframework.boot.WebApplicationType; import org.springframework.boot.autoconfigure.AutoConfigureAfter; import org.springframework.boot.autoconfigure.AutoConfigureBefore; @@ -55,7 +53,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; import org.springframework.context.annotation.ImportSelector; import org.springframework.core.type.AnnotationMetadata; -import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.session.ReactiveSessionRepository; import org.springframework.session.Session; import org.springframework.session.SessionRepository; @@ -64,6 +61,7 @@ import org.springframework.session.web.http.CookieHttpSessionIdResolver; import org.springframework.session.web.http.CookieSerializer; import org.springframework.session.web.http.DefaultCookieSerializer; import org.springframework.session.web.http.HttpSessionIdResolver; +import org.springframework.util.ClassUtils; import org.springframework.util.StringUtils; /** @@ -87,6 +85,8 @@ import org.springframework.util.StringUtils; @AutoConfigureBefore(HttpHandlerAutoConfiguration.class) public class SessionAutoConfiguration { + private static final String REMEMBER_ME_SERVICES_CLASS = "org.springframework.security.web.authentication.RememberMeServices"; + @Configuration @ConditionalOnWebApplication(type = Type.SERVLET) @Import({ ServletSessionRepositoryValidator.class, @@ -107,6 +107,11 @@ public class SessionAutoConfiguration { map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie); map.from(cookie::getMaxAge).to((maxAge) -> cookieSerializer .setCookieMaxAge((int) maxAge.getSeconds())); + if (ClassUtils.isPresent(REMEMBER_ME_SERVICES_CLASS, + getClass().getClassLoader())) { + new RememberMeServicesCookieSerializerCustomizer() + .apply(cookieSerializer); + } return cookieSerializer; } @@ -118,33 +123,6 @@ public class SessionAutoConfiguration { } - @Configuration - @ConditionalOnClass(RememberMeServices.class) - static class RememberMeServicesConfiguration { - - @Bean - public BeanPostProcessor rememberMeServicesBeanPostProcessor( - ObjectProvider springSessionRememberMeServices) { - return new BeanPostProcessor() { - - @Override - public Object postProcessBeforeInitialization(Object bean, - String beanName) throws BeansException { - if (bean instanceof DefaultCookieSerializer) { - DefaultCookieSerializer cookieSerializer = (DefaultCookieSerializer) bean; - springSessionRememberMeServices - .ifAvailable((rememberMeServices) -> cookieSerializer - .setRememberMeRequestAttribute( - SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR)); - } - return bean; - } - - }; - } - - } - } @Configuration @@ -162,6 +140,19 @@ public class SessionAutoConfiguration { } + /** + * Customization log for {@link SpringSessionRememberMeServices} that is only + * instantiated when Spring Security is on the classpath. + */ + static class RememberMeServicesCookieSerializerCustomizer { + + public void apply(DefaultCookieSerializer cookieSerializer) { + cookieSerializer.setRememberMeRequestAttribute( + SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR); + } + + } + /** * Condition to trigger the creation of a {@link DefaultCookieSerializer}. This kicks * in if either no {@link HttpSessionIdResolver} and {@link CookieSerializer} beans