Align default security filter dispatcher types with Spring Security

Fixes gh-33090
pull/33108/head
Madhura Bhave 2 years ago
parent d34ccb3880
commit f4cf722c27

@ -83,8 +83,8 @@ public class SecurityProperties {
/**
* Security filter chain dispatcher types.
*/
private Set<DispatcherType> dispatcherTypes = new HashSet<>(
Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
private Set<DispatcherType> dispatcherTypes = new HashSet<>(Arrays.asList(DispatcherType.ASYNC,
DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE));
public int getOrder() {
return this.order;

@ -161,7 +161,8 @@ class SecurityAutoConfigurationTests {
DelegatingFilterProxyRegistrationBean.class);
assertThat(bean)
.extracting("dispatcherTypes", InstanceOfAssertFactories.iterable(DispatcherType.class))
.containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST);
.containsOnly(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST,
DispatcherType.INCLUDE, DispatcherType.FORWARD);
});
}

@ -16,6 +16,8 @@
package smoketest.security.method;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
@ -71,7 +73,10 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.httpBasic();
http.formLogin((form) -> form.loginPage("/login").permitAll());
http.exceptionHandling((exceptions) -> exceptions.accessDeniedPage("/access"));

@ -16,6 +16,8 @@
package smoketest.web.secure.custom;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
@ -44,7 +46,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build();
}

@ -18,6 +18,8 @@ package smoketest.web.secure.jdbc;
import javax.sql.DataSource;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
@ -47,7 +49,10 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeHttpRequests((requests) -> requests.anyRequest().fullyAuthenticated());
http.authorizeHttpRequests((requests) -> {
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.formLogin((form) -> form.loginPage("/login").permitAll());
return http.build();
}

@ -18,6 +18,7 @@ package smoketest.web.secure;
import java.util.Collections;
import jakarta.servlet.DispatcherType;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
@ -97,6 +98,7 @@ class SampleWebSecureApplicationTests {
http.csrf().disable();
http.authorizeHttpRequests((requests) -> {
requests.requestMatchers("/public/**").permitAll();
requests.dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll();
requests.anyRequest().fullyAuthenticated();
});
http.httpBasic();

Loading…
Cancel
Save