Example 26 with SecurityFilterChain
use of org.springframework.security.web.SecurityFilterChain in project hub-alert by blackducksoftware.
the class AuthenticationHandler method samlFilter.
@Bean
public FilterChainProxy samlFilter() throws Exception {
List<SecurityFilterChain> chains = new ArrayList<>();
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
return new AlertFilterChainProxy(chains, samlContext());
}
Also used :
DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain)
SecurityFilterChain(org.springframework.security.web.SecurityFilterChain)
ArrayList(java.util.ArrayList)
AntPathRequestMatcher(org.springframework.security.web.util.matcher.AntPathRequestMatcher)
AlertFilterChainProxy(com.synopsys.integration.alert.component.authentication.security.saml.AlertFilterChainProxy)
DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain)
Bean(org.springframework.context.annotation.Bean)
Example 27 with SecurityFilterChain
use of org.springframework.security.web.SecurityFilterChain in project spring-security by spring-projects.
the class WebSecurity method performBuild.
@Override
protected Filter performBuild() throws Exception {
Assert.state(!this.securityFilterChainBuilders.isEmpty(), () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. " + "Typically this is done by exposing a SecurityFilterChain bean " + "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. " + "More advanced users can invoke " + WebSecurity.class.getSimpleName() + ".addSecurityFilterChainBuilder directly");
int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
for (RequestMatcher ignoredRequest : this.ignoredRequests) {
WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest + ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
securityFilterChains.add(securityFilterChain);
requestMatcherPrivilegeEvaluatorsEntries.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
}
for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {
SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build();
securityFilterChains.add(securityFilterChain);
requestMatcherPrivilegeEvaluatorsEntries.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
}
if (this.privilegeEvaluator == null) {
this.privilegeEvaluator = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(requestMatcherPrivilegeEvaluatorsEntries);
}
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
if (this.httpFirewall != null) {
filterChainProxy.setFirewall(this.httpFirewall);
}
if (this.requestRejectedHandler != null) {
filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
}
filterChainProxy.afterPropertiesSet();
Filter result = filterChainProxy;
if (this.debugEnabled) {
this.logger.warn("\n\n" + "********************************************************************\n" + "********** Security debugging is enabled. *************\n" + "********** This may include sensitive information. *************\n" + "********** Do not use in a production system! *************\n" + "********************************************************************\n\n");
result = new DebugFilter(filterChainProxy);
}
this.postBuildAction.run();
return result;
}
Also used :
WebInvocationPrivilegeEvaluator(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator)
RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator)
AuthorizationManagerWebInvocationPrivilegeEvaluator(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator)
DefaultWebInvocationPrivilegeEvaluator(org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator)
RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher)
MvcRequestMatcher(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher)
EnableWebSecurity(org.springframework.security.config.annotation.web.configuration.EnableWebSecurity)
ArrayList(java.util.ArrayList)
RequestMatcherEntry(org.springframework.security.web.util.matcher.RequestMatcherEntry)
DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain)
DebugFilter(org.springframework.security.web.debug.DebugFilter)
DefaultSecurityFilterChain(org.springframework.security.web.DefaultSecurityFilterChain)
SecurityFilterChain(org.springframework.security.web.SecurityFilterChain)
FilterChainProxy(org.springframework.security.web.FilterChainProxy)
RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator)
Filter(jakarta.servlet.Filter)
DebugFilter(org.springframework.security.web.debug.DebugFilter)
AuthorizationFilter(org.springframework.security.web.access.intercept.AuthorizationFilter)
Example 28 with SecurityFilterChain
use of org.springframework.security.web.SecurityFilterChain in project spring-security by spring-projects.
the class WebSecurityConfiguration method springSecurityFilterChain.
/**
* Creates the Spring Security Filter Chain
* @return the {@link Filter} that represents the security filter chain
* @throws Exception
*/
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty();
boolean hasFilterChain = !this.securityFilterChains.isEmpty();
Assert.state(!(hasConfigurers && hasFilterChain), "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.");
if (!hasConfigurers && !hasFilterChain) {
WebSecurityConfigurerAdapter adapter = this.objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {
});
this.webSecurity.apply(adapter);
}
for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
for (Filter filter : securityFilterChain.getFilters()) {
if (filter instanceof FilterSecurityInterceptor) {
this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
break;
}
}
}
for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {
customizer.customize(this.webSecurity);
}
return this.webSecurity.build();
}
Also used :
SecurityFilterChain(org.springframework.security.web.SecurityFilterChain)
Filter(jakarta.servlet.Filter)
FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor)
Bean(org.springframework.context.annotation.Bean)
Example 29 with SecurityFilterChain
use of org.springframework.security.web.SecurityFilterChain in project spring-security by spring-projects.
the class WebSecurityConfigurationTests method loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered.
@Test
public void loadConfigWhenSecurityFilterChainsHaveOrderOnBeanDefinitionsThenFilterChainsOrdered() {
this.spring.register(OrderOnBeanDefinitionsSecurityFilterChainConfig.class).autowire();
FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
assertThat(filterChains).hasSize(2);
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setServletPath("/role1/**");
assertThat(filterChains.get(0).matches(request)).isTrue();
request.setServletPath("/role2/**");
assertThat(filterChains.get(1).matches(request)).isTrue();
}
Also used :
SecurityFilterChain(org.springframework.security.web.SecurityFilterChain)
FilterChainProxy(org.springframework.security.web.FilterChainProxy)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Test(org.junit.jupiter.api.Test)
Example 30 with SecurityFilterChain
use of org.springframework.security.web.SecurityFilterChain in project spring-security by spring-projects.
the class WebSecurityConfigurationTests method loadConfigWhenWebSecurityCustomizerAndFilterChainThenFilterChainsOrdered.
@Test
public void loadConfigWhenWebSecurityCustomizerAndFilterChainThenFilterChainsOrdered() {
this.spring.register(CustomizerAndFilterChainConfig.class).autowire();
FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class);
List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
assertThat(filterChains).hasSize(3);
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
request.setServletPath("/ignore1");
assertThat(filterChains.get(0).matches(request)).isTrue();
assertThat(filterChains.get(0).getFilters()).isEmpty();
request.setServletPath("/ignore2");
assertThat(filterChains.get(1).matches(request)).isTrue();
assertThat(filterChains.get(1).getFilters()).isEmpty();
request.setServletPath("/role1/**");
assertThat(filterChains.get(2).matches(request)).isTrue();
request.setServletPath("/test/**");
assertThat(filterChains.get(2).matches(request)).isFalse();
}
Also used :
SecurityFilterChain(org.springframework.security.web.SecurityFilterChain)
FilterChainProxy(org.springframework.security.web.FilterChainProxy)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Test(org.junit.jupiter.api.Test)
Aggregations
SecurityFilterChain (org.springframework.security.web.SecurityFilterChain)35
FilterChainProxy (org.springframework.security.web.FilterChainProxy)22
Test (org.junit.jupiter.api.Test)15
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)11
HttpSecurity (org.springframework.security.config.annotation.web.builders.HttpSecurity)8
ModuleAuthenticationImpl (com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl)7
DefaultSecurityFilterChain (org.springframework.security.web.DefaultSecurityFilterChain)7
Filter (jakarta.servlet.Filter)6
ArrayList (java.util.ArrayList)4
Bean (org.springframework.context.annotation.Bean)4
Filter (javax.servlet.Filter)3
AntPathRequestMatcher (org.springframework.security.web.util.matcher.AntPathRequestMatcher)3
Test (org.junit.Test)2
MotechURLSecurityRule (org.motechproject.security.domain.MotechURLSecurityRule)2
AnyRequestMatcher (org.springframework.security.web.util.matcher.AnyRequestMatcher)2
ModuleWebSecurityConfiguration (com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration)1
MidpointFilterChainProxy (com.evolveum.midpoint.authentication.impl.filter.MidpointFilterChainProxy)1
OidcClientModuleAuthenticationImpl (com.evolveum.midpoint.authentication.impl.module.authentication.OidcClientModuleAuthenticationImpl)1
RemoteModuleAuthenticationImpl (com.evolveum.midpoint.authentication.impl.module.authentication.RemoteModuleAuthenticationImpl)1
Saml2ModuleAuthenticationImpl (com.evolveum.midpoint.authentication.impl.module.authentication.Saml2ModuleAuthenticationImpl)1
