
Example 1 with RequestMatcherEntry

Use of org.springframework.security.web.util.matcher.RequestMatcherEntry in project spring-security by spring-projects.

From the class WebSecurity, method getRequestMatcherPrivilegeEvaluatorsEntry.

private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> getRequestMatcherPrivilegeEvaluatorsEntry(SecurityFilterChain securityFilterChain) {
    List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = new ArrayList<>();
    for (Filter filter : securityFilterChain.getFilters()) {
        if (filter instanceof FilterSecurityInterceptor) {
            DefaultWebInvocationPrivilegeEvaluator defaultWebInvocationPrivilegeEvaluator = new DefaultWebInvocationPrivilegeEvaluator((FilterSecurityInterceptor) filter);
            defaultWebInvocationPrivilegeEvaluator.setServletContext(this.servletContext);
            privilegeEvaluators.add(defaultWebInvocationPrivilegeEvaluator);
            continue;
        }
        if (filter instanceof AuthorizationFilter) {
            AuthorizationManager<HttpServletRequest> authorizationManager = ((AuthorizationFilter) filter).getAuthorizationManager();
            privilegeEvaluators.add(new AuthorizationManagerWebInvocationPrivilegeEvaluator(authorizationManager));
        }
    }
    return new RequestMatcherEntry<>(securityFilterChain::matches, privilegeEvaluators);
}
Also used: DefaultWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator), HttpServletRequest (jakarta.servlet.http.HttpServletRequest), WebInvocationPrivilegeEvaluator (org.springframework.security.web.access.WebInvocationPrivilegeEvaluator), RequestMatcherDelegatingWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator), AuthorizationManagerWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator), AuthorizationFilter (org.springframework.security.web.access.intercept.AuthorizationFilter), Filter (jakarta.servlet.Filter), DebugFilter (org.springframework.security.web.debug.DebugFilter), FilterSecurityInterceptor (org.springframework.security.web.access.intercept.FilterSecurityInterceptor), ArrayList (java.util.ArrayList), RequestMatcherEntry (org.springframework.security.web.util.matcher.RequestMatcherEntry)

Example 2 with RequestMatcherEntry

Use of org.springframework.security.web.util.matcher.RequestMatcherEntry in project spring-security by spring-projects.

From the class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests, method isAllowedWhenServletContextIsSetThenPassedFilterInvocationHttpServletRequestHasServletContext.

@Test
void isAllowedWhenServletContextIsSetThenPassedFilterInvocationHttpServletRequestHasServletContext() {
    Authentication token = new TestingAuthenticationToken("test", "Password", "MOCK_INDEX");
    MockServletContext servletContext = new MockServletContext();
    ArgumentCaptor<HttpServletRequest> argumentCaptor = ArgumentCaptor.forClass(HttpServletRequest.class);
    RequestMatcher requestMatcher = mock(RequestMatcher.class);
    WebInvocationPrivilegeEvaluator wipe = mock(WebInvocationPrivilegeEvaluator.class);
    RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(requestMatcher, Collections.singletonList(wipe));
    RequestMatcherDelegatingWebInvocationPrivilegeEvaluator requestMatcherWipe = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(Collections.singletonList(delegate));
    requestMatcherWipe.setServletContext(servletContext);
    requestMatcherWipe.isAllowed("/foo/index.jsp", token);
    verify(requestMatcher).matches(argumentCaptor.capture());
    assertThat(argumentCaptor.getValue().getServletContext()).isNotNull();
}
Also used: HttpServletRequest (jakarta.servlet.http.HttpServletRequest), RequestMatcher (org.springframework.security.web.util.matcher.RequestMatcher), Authentication (org.springframework.security.core.Authentication), List (java.util.List), RequestMatcherEntry (org.springframework.security.web.util.matcher.RequestMatcherEntry), TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken), MockServletContext (org.springframework.mock.web.MockServletContext), Test (org.junit.jupiter.api.Test)

Example 3 with RequestMatcherEntry

Use of org.springframework.security.web.util.matcher.RequestMatcherEntry in project spring-security by spring-projects.

From the class WebSecurity, method performBuild.

@Override
protected Filter performBuild() throws Exception {
    Assert.state(!this.securityFilterChainBuilders.isEmpty(), () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. " + "Typically this is done by exposing a SecurityFilterChain bean " + "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. " + "More advanced users can invoke " + WebSecurity.class.getSimpleName() + ".addSecurityFilterChainBuilder directly");
    int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
    List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
    List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList<>();
    for (RequestMatcher ignoredRequest : this.ignoredRequests) {
        WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + ignoredRequest + ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
        SecurityFilterChain securityFilterChain = new DefaultSecurityFilterChain(ignoredRequest);
        securityFilterChains.add(securityFilterChain);
        requestMatcherPrivilegeEvaluatorsEntries.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
    }
    for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {
        SecurityFilterChain securityFilterChain = securityFilterChainBuilder.build();
        securityFilterChains.add(securityFilterChain);
        requestMatcherPrivilegeEvaluatorsEntries.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));
    }
    if (this.privilegeEvaluator == null) {
        this.privilegeEvaluator = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(requestMatcherPrivilegeEvaluatorsEntries);
    }
    FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
    if (this.httpFirewall != null) {
        filterChainProxy.setFirewall(this.httpFirewall);
    }
    if (this.requestRejectedHandler != null) {
        filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
    }
    filterChainProxy.afterPropertiesSet();
    Filter result = filterChainProxy;
    if (this.debugEnabled) {
        this.logger.warn("\n\n" + "********************************************************************\n" + "**********        Security debugging is enabled.       *************\n" + "**********    This may include sensitive information.  *************\n" + "**********      Do not use in a production system!     *************\n" + "********************************************************************\n\n");
        result = new DebugFilter(filterChainProxy);
    }
    this.postBuildAction.run();
    return result;
}
Also used: WebInvocationPrivilegeEvaluator (org.springframework.security.web.access.WebInvocationPrivilegeEvaluator), RequestMatcherDelegatingWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator), AuthorizationManagerWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator), DefaultWebInvocationPrivilegeEvaluator (org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator), RequestMatcher (org.springframework.security.web.util.matcher.RequestMatcher), MvcRequestMatcher (org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher), EnableWebSecurity (org.springframework.security.config.annotation.web.configuration.EnableWebSecurity), ArrayList (java.util.ArrayList), RequestMatcherEntry (org.springframework.security.web.util.matcher.RequestMatcherEntry), DefaultSecurityFilterChain (org.springframework.security.web.DefaultSecurityFilterChain), DebugFilter (org.springframework.security.web.debug.DebugFilter), SecurityFilterChain (org.springframework.security.web.SecurityFilterChain), FilterChainProxy (org.springframework.security.web.FilterChainProxy), Filter (jakarta.servlet.Filter), AuthorizationFilter (org.springframework.security.web.access.intercept.AuthorizationFilter)
