Apply configurers from spring.factories to HttpSecurity bean

eleftherias · eleftherias · commit c2635ba6bf13 · 2022-02-09T14:40:57.000+01:00
Closes gh-10814
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,18 +17,21 @@
 package org.springframework.security.config.annotation.web.configuration;
 
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Scope;
+import org.springframework.core.io.support.SpringFactoriesLoader;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
@@ -97,6 +100,7 @@ HttpSecurity httpSecurity() throws Exception {
 			.apply(new DefaultLoginPageConfigurer<>());
 		http.logout(withDefaults());
 		// @formatter:on
+		applyDefaultConfigurers(http);
 		return http;
 	}
 
@@ -105,6 +109,15 @@ private AuthenticationManager authenticationManager() throws Exception {
 				: this.authenticationConfiguration.getAuthenticationManager();
 	}
 
+	private void applyDefaultConfigurers(HttpSecurity http) throws Exception {
+		ClassLoader classLoader = this.context.getClassLoader();
+		List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader
+				.loadFactories(AbstractHttpConfigurer.class, classLoader);
+		for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
+			http.apply(configurer);
+		}
+	}
+
 	private Map<Class<?>, Object> createSharedObjects() {
 		Map<Class<?>, Object> sharedObjects = new HashMap<>();
 		sharedObjects.put(ApplicationContext.class, this.context);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,22 +16,28 @@
 
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.util.Arrays;
 import java.util.concurrent.Callable;
 
 import javax.servlet.http.HttpServletRequest;
 
 import com.google.common.net.HttpHeaders;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.junit.jupiter.MockitoExtension;
 
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.support.SpringFactoriesLoader;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -67,14 +73,17 @@
  *
  * @author Eleftheria Stein
  */
-@ExtendWith(SpringTestContextExtension.class)
+@ExtendWith({ MockitoExtension.class, SpringTestContextExtension.class })
 public class HttpSecurityConfigurationTests {
 
 	public final SpringTestContext spring = new SpringTestContext(this);
 
 	@Autowired
 	private MockMvc mockMvc;
 
+	@Mock
+	private MockedStatic<SpringFactoriesLoader> springFactoriesLoader;
+
 	@Test
 	public void postWhenDefaultFilterChainBeanThenRespondsWithForbidden() throws Exception {
 		this.spring.register(DefaultWithFilterChainConfig.class).autowire();
@@ -220,6 +229,17 @@ public void configureWhenAuthorizeHttpRequestsAfterAuthorizeRequestThenException
 						"authorizeHttpRequests cannot be used in conjunction with authorizeRequests. Please select just one.");
 	}
 
+	@Test
+	public void configureWhenDefaultConfigurerAsSpringFactoryThenDefaultConfigurerApplied() {
+		DefaultConfigurer configurer = new DefaultConfigurer();
+		this.springFactoriesLoader.when(
+				() -> SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, getClass().getClassLoader()))
+				.thenReturn(Arrays.asList(configurer));
+		this.spring.register(DefaultWithFilterChainConfig.class).autowire();
+		assertThat(configurer.init).isTrue();
+		assertThat(configurer.configure).isTrue();
+	}
+
 	@RestController
 	static class NameController {
 
@@ -349,4 +369,22 @@ void user(HttpServletRequest request) {
 
 	}
 
+	static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {
+
+		boolean init;
+
+		boolean configure;
+
+		@Override
+		public void init(HttpSecurity builder) {
+			this.init = true;
+		}
+
+		@Override
+		public void configure(HttpSecurity builder) {
+			this.configure = true;
+		}
+
+	}
+
 }
