Instrument Filter Chain

Closes gh-11911

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.Filter;
 import jakarta.servlet.ServletContext;
 import jakarta.servlet.http.HttpServletRequest;
@@ -45,6 +46,7 @@
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.ObservationFilterChainDecorator;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator;
 import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
@@ -101,6 +103,8 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
 	private WebInvocationPrivilegeEvaluator privilegeEvaluator;
 
+	private ObservationRegistry observationRegistry = ObservationRegistry.NOOP;
+
 	private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
 
 	private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;
@@ -303,6 +307,7 @@ protected Filter performBuild() throws Exception {
 		if (this.requestRejectedHandler != null) {
 			filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
 		}
+		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
 		filterChainProxy.afterPropertiesSet();
 
 		Filter result = filterChainProxy;
@@ -366,13 +371,25 @@ public void setApplicationContext(ApplicationContext applicationContext) throws
 		}
 		catch (NoSuchBeanDefinitionException ex) {
 		}
+		try {
+			this.observationRegistry = applicationContext.getBean(ObservationRegistry.class);
+		}
+		catch (NoSuchBeanDefinitionException ex) {
+		}
 	}
 
 	@Override
 	public void setServletContext(ServletContext servletContext) {
 		this.servletContext = servletContext;
 	}
 
+	FilterChainProxy.FilterChainDecorator getFilterChainDecorator() {
+		if (this.observationRegistry.isNoop()) {
+			return new FilterChainProxy.VirtualFilterChainDecorator();
+		}
+		return new ObservationFilterChainDecorator(this.observationRegistry);
+	}
+
 	/**
 	 * Allows registering {@link RequestMatcher} instances that should be ignored by
 	 * Spring Security.

config/src/main/java/org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java

@@ -19,6 +19,8 @@
 import java.util.Arrays;
 import java.util.List;
 
+import io.micrometer.observation.ObservationRegistry;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
 import org.springframework.context.ApplicationContext;
@@ -28,6 +30,7 @@
 import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
+import org.springframework.security.web.server.ObservationWebFilterChainDecorator;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.WebFilterChainProxy;
 import org.springframework.util.ClassUtils;
@@ -55,6 +58,8 @@ class WebFluxSecurityConfiguration {
 
 	private List<SecurityWebFilterChain> securityWebFilterChains;
 
+	private ObservationRegistry observationRegistry = ObservationRegistry.NOOP;
+
 	@Autowired
 	ApplicationContext context;
 
@@ -63,10 +68,19 @@ void setSecurityWebFilterChains(List<SecurityWebFilterChain> securityWebFilterCh
 		this.securityWebFilterChains = securityWebFilterChains;
 	}
 
+	@Autowired(required = false)
+	void setObservationRegistry(ObservationRegistry observationRegistry) {
+		this.observationRegistry = observationRegistry;
+	}
+
 	@Bean(SPRING_SECURITY_WEBFILTERCHAINFILTER_BEAN_NAME)
 	@Order(WEB_FILTER_CHAIN_FILTER_ORDER)
 	WebFilterChainProxy springSecurityWebFilterChainFilter() {
-		return new WebFilterChainProxy(getSecurityWebFilterChains());
+		WebFilterChainProxy proxy = new WebFilterChainProxy(getSecurityWebFilterChains());
+		if (!this.observationRegistry.isNoop()) {
+			proxy.setFilterChainDecorator(new ObservationWebFilterChainDecorator(this.observationRegistry));
+		}
+		return proxy;
 	}
 
 	@Bean(name = AbstractView.REQUEST_DATA_VALUE_PROCESSOR_BEAN_NAME)

config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -56,6 +56,7 @@
 import org.springframework.security.config.authentication.AuthenticationManagerFactoryBean;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.ObservationFilterChainDecorator;
 import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.util.StringUtils;
@@ -363,6 +364,10 @@ static void registerFilterChainProxyIfNecessary(ParserContext pc, Object source)
 		fcpBldr.getRawBeanDefinition().setSource(source);
 		fcpBldr.addConstructorArgReference(BeanIds.FILTER_CHAINS);
 		fcpBldr.addPropertyValue("filterChainValidator", new RootBeanDefinition(DefaultFilterChainValidator.class));
+		BeanDefinition filterChainDecorator = BeanDefinitionBuilder
+				.rootBeanDefinition(FilterChainDecoratorFactory.class)
+				.addPropertyValue("observationRegistry", getObservationRegistry(element)).getBeanDefinition();
+		fcpBldr.addPropertyValue("filterChainDecorator", filterChainDecorator);
 		BeanDefinition fcpBean = fcpBldr.getBeanDefinition();
 		pc.registerBeanComponent(new BeanComponentDefinition(fcpBean, BeanIds.FILTER_CHAIN_PROXY));
 		registry.registerAlias(BeanIds.FILTER_CHAIN_PROXY, BeanIds.SPRING_SECURITY_FILTER_CHAIN);
@@ -509,4 +514,28 @@ public Class<?> getObjectType() {
 
 	}
 
+	public static final class FilterChainDecoratorFactory
+			implements FactoryBean<FilterChainProxy.FilterChainDecorator> {
+
+		private ObservationRegistry observationRegistry = ObservationRegistry.NOOP;
+
+		@Override
+		public FilterChainProxy.FilterChainDecorator getObject() throws Exception {
+			if (this.observationRegistry.isNoop()) {
+				return new FilterChainProxy.VirtualFilterChainDecorator();
+			}
+			return new ObservationFilterChainDecorator(this.observationRegistry);
+		}
+
+		@Override
+		public Class<?> getObjectType() {
+			return FilterChainProxy.FilterChainDecorator.class;
+		}
+
+		public void setObservationRegistry(ObservationRegistry registry) {
+			this.observationRegistry = registry;
+		}
+
+	}
+
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityObservationTests.java

@@ -0,0 +1,115 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers;
+
+import java.util.Iterator;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationHandler;
+import io.micrometer.observation.ObservationRegistry;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.springframework.security.config.Customizer.withDefaults;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author Josh Cummings
+ *
+ */
+@ExtendWith(SpringTestContextExtension.class)
+public class HttpSecurityObservationTests {
+
+	@Autowired
+	MockMvc mvc;
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	@Test
+	public void getWhenUsingObservationRegistryThenObservesRequest() throws Exception {
+		this.spring.register(ObservationRegistryConfig.class).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/").with(httpBasic("user", "password")))
+				.andExpect(status().isNotFound());
+		// @formatter:on
+		ObservationHandler<Observation.Context> handler = this.spring.getContext().getBean(ObservationHandler.class);
+		ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
+		verify(handler, times(5)).onStart(captor.capture());
+		Iterator<Observation.Context> contexts = captor.getAllValues().iterator();
+		assertThat(contexts.next().getContextualName()).isEqualTo("spring.security.http.chains.before");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.authentications");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.authorizations");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.http.secured.requests");
+		assertThat(contexts.next().getContextualName()).isEqualTo("spring.security.http.chains.after");
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	static class ObservationRegistryConfig {
+
+		private ObservationHandler<Observation.Context> handler = mock(ObservationHandler.class);
+
+		@Bean
+		SecurityFilterChain app(HttpSecurity http) throws Exception {
+			http.httpBasic(withDefaults()).authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
+			return http.build();
+		}
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager(
+					User.withDefaultPasswordEncoder().username("user").password("password").authorities("app").build());
+		}
+
+		@Bean
+		ObservationHandler<Observation.Context> observationHandler() {
+			return this.handler;
+		}
+
+		@Bean
+		ObservationRegistry observationRegistry() {
+			given(this.handler.supportsContext(any())).willReturn(true);
+			ObservationRegistry registry = ObservationRegistry.create();
+			registry.observationConfig().observationHandler(this.handler);
+			return registry;
+		}
+
+	}
+
+}

config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java

@@ -16,13 +16,20 @@
 
 package org.springframework.security.config.http;
 
+import java.util.Iterator;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationHandler;
+import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpServletResponseWrapper;
 import org.apache.http.HttpStatus;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
 
+import org.springframework.beans.factory.FactoryBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -36,7 +43,10 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -101,6 +111,24 @@ public void getWhenUsingMinimalConfigurationThenPreventsSessionAsUrlParameter()
 		assertThat(response.getRedirectedUrl()).isEqualTo("http://localhost/login");
 	}
 
+	@Test
+	public void getWhenUsingObservationRegistryThenObservesRequest() throws Exception {
+		this.spring.configLocations(this.xml("WithObservationRegistry")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/").with(httpBasic("user", "password")))
+				.andExpect(status().isNotFound());
+		// @formatter:on
+		ObservationHandler<Observation.Context> handler = this.spring.getContext().getBean(ObservationHandler.class);
+		ArgumentCaptor<Observation.Context> captor = ArgumentCaptor.forClass(Observation.Context.class);
+		verify(handler, times(5)).onStart(captor.capture());
+		Iterator<Observation.Context> contexts = captor.getAllValues().iterator();
+		assertThat(contexts.next().getContextualName()).isEqualTo("spring.security.http.chains.before");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.authentications");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.authorizations");
+		assertThat(contexts.next().getName()).isEqualTo("spring.security.http.secured.requests");
+		assertThat(contexts.next().getContextualName()).isEqualTo("spring.security.http.chains.after");
+	}
+
 	private String xml(String configName) {
 		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
 	}
@@ -133,4 +161,27 @@ public String encodeRedirectUrl(String url) {
 
 	}
 
+	public static final class MockObservationRegistry implements FactoryBean<ObservationRegistry> {
+
+		private ObservationHandler<Observation.Context> handler = mock(ObservationHandler.class);
+
+		@Override
+		public ObservationRegistry getObject() {
+			ObservationRegistry registry = ObservationRegistry.create();
+			registry.observationConfig().observationHandler(this.handler);
+			given(this.handler.supportsContext(any())).willReturn(true);
+			return registry;
+		}
+
+		@Override
+		public Class<?> getObjectType() {
+			return ObservationRegistry.class;
+		}
+
+		public void setHandler(ObservationHandler<Observation.Context> handler) {
+			this.handler = handler;
+		}
+
+	}
+
 }

config/src/test/resources/org/springframework/security/config/http/HttpConfigTests-WithObservationRegistry.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" observation-registry-ref="ref" use-authorization-manager="true">
+		<intercept-url pattern="/**" access="hasRole('USER')"/>
+	</http>
+
+	<b:bean name="handler" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="io.micrometer.observation.ObservationHandler"/>
+	</b:bean>
+
+	<b:bean name="ref" class="org.springframework.security.config.http.HttpConfigTests.MockObservationRegistry">
+		<b:property name="handler" ref="handler"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>