Skip to content

Add authorize() DSL method that accepts HttpMethod #8350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 22, 2020
Merged

Add authorize() DSL method that accepts HttpMethod #8350

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fa4b5ee
Extract pattern type in request matcher DSL
adamu Apr 9, 2020
a4b2c60
Use named arguments in Kotlin authorization rule
adamu Apr 9, 2020
30e42c3
Add authorize() DSL method that accepts HttpMethod
adamu Apr 8, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .../main/kotlin/org/springframework/security/config/web/servlet/AbstractRequestMatcherDsl.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@

package org.springframework.security.config.web.servlet

import org.springframework.http.HttpMethod
import org.springframework.security.web.util.matcher.AnyRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher

Expand All @@ -37,7 +38,8 @@ abstract class AbstractRequestMatcherDsl {

protected data class PatternAuthorizationRule(val pattern: String,
val patternType: PatternType,
val servletPath: String?,
val servletPath: String? = null,
val httpMethod: HttpMethod? = null,
override val rule: String) : AuthorizationRule(rule)

protected abstract class AuthorizationRule(open val rule: String)
Expand Down
78 changes: 62 additions & 16 deletions ...g/src/main/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDsl.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@

package org.springframework.security.config.web.servlet

import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer
import org.springframework.security.web.util.matcher.AnyRequestMatcher
Expand All @@ -35,6 +36,7 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
private val MVC_PRESENT = ClassUtils.isPresent(
HANDLER_MAPPING_INTROSPECTOR,
AuthorizeRequestsDsl::class.java.classLoader)
private val PATTERN_TYPE = if (MVC_PRESENT) PatternType.MVC else PatternType.ANT

/**
* Adds a request authorization rule.
Expand Down Expand Up @@ -64,11 +66,32 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
* (i.e. "hasAuthority('ROLE_USER') and hasAuthority('ROLE_SUPER')")
*/
fun authorize(pattern: String, access: String = "authenticated") {
if (MVC_PRESENT) {
authorizationRules.add(PatternAuthorizationRule(pattern, PatternType.MVC, null, access))
} else {
authorizationRules.add(PatternAuthorizationRule(pattern, PatternType.ANT, null, access))
}
authorizationRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
rule = access))
}

/**
* Adds a request authorization rule for an endpoint matching the provided
* pattern.
* If Spring MVC is on the classpath, it will use an MVC matcher.
* If Spring MVC is not an the classpath, it will use an ant matcher.
* The MVC will use the same rules that Spring MVC uses for matching.
* For example, often times a mapping of the path "/path" will match on
* "/path", "/path/", "/path.html", etc.
* If the current request will not be processed by Spring MVC, a reasonable default
* using the pattern as an ant pattern will be used.
*
* @param method the HTTP method to match the income requests against.
* @param pattern the pattern to match incoming requests against.
* @param access the SpEL expression to secure the matching request
* (i.e. "hasAuthority('ROLE_USER') and hasAuthority('ROLE_SUPER')")
*/
fun authorize(method: HttpMethod, pattern: String, access: String = "authenticated") {
authorizationRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
httpMethod = method,
rule = access))
}

/**
Expand All @@ -89,11 +112,36 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
* (i.e. "hasAuthority('ROLE_USER') and hasAuthority('ROLE_SUPER')")
*/
fun authorize(pattern: String, servletPath: String, access: String = "authenticated") {
if (MVC_PRESENT) {
authorizationRules.add(PatternAuthorizationRule(pattern, PatternType.MVC, servletPath, access))
} else {
authorizationRules.add(PatternAuthorizationRule(pattern, PatternType.ANT, servletPath, access))
}
authorizationRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
servletPath = servletPath,
rule = access))
}

/**
* Adds a request authorization rule for an endpoint matching the provided
* pattern.
* If Spring MVC is on the classpath, it will use an MVC matcher.
* If Spring MVC is not an the classpath, it will use an ant matcher.
* The MVC will use the same rules that Spring MVC uses for matching.
* For example, often times a mapping of the path "/path" will match on
* "/path", "/path/", "/path.html", etc.
* If the current request will not be processed by Spring MVC, a reasonable default
* using the pattern as an ant pattern will be used.
*
* @param method the HTTP method to match the income requests against.
* @param pattern the pattern to match incoming requests against.
* @param servletPath the servlet path to match incoming requests against. This
* only applies when using an MVC pattern matcher.
* @param access the SpEL expression to secure the matching request
* (i.e. "hasAuthority('ROLE_USER') and hasAuthority('ROLE_SUPER')")
*/
fun authorize(method: HttpMethod, pattern: String, servletPath: String, access: String = "authenticated") {
authorizationRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
servletPath = servletPath,
httpMethod = method,
rule = access))
}

/**
Expand Down Expand Up @@ -152,12 +200,10 @@ class AuthorizeRequestsDsl : AbstractRequestMatcherDsl() {
is MatcherAuthorizationRule -> requests.requestMatchers(rule.matcher).access(rule.rule)
is PatternAuthorizationRule -> {
when (rule.patternType) {
PatternType.ANT -> requests.antMatchers(rule.pattern).access(rule.rule)
PatternType.MVC -> {
val mvcMatchersAuthorizeUrl = requests.mvcMatchers(rule.pattern)
rule.servletPath?.also { mvcMatchersAuthorizeUrl.servletPath(rule.servletPath) }
mvcMatchersAuthorizeUrl.access(rule.rule)
}
PatternType.ANT -> requests.antMatchers(rule.httpMethod, rule.pattern).access(rule.rule)
PatternType.MVC -> requests.mvcMatchers(rule.httpMethod, rule.pattern)
.apply { if(rule.servletPath != null) servletPath(rule.servletPath) }
.access(rule.rule)
}
}
}
Expand Down
18 changes: 8 additions & 10 deletions config/src/main/kotlin/org/springframework/security/config/web/servlet/RequiresChannelDsl.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ class RequiresChannelDsl : AbstractRequestMatcherDsl() {
private val MVC_PRESENT = ClassUtils.isPresent(
HANDLER_MAPPING_INTROSPECTOR,
RequiresChannelDsl::class.java.classLoader)
private val PATTERN_TYPE = if (MVC_PRESENT) PatternType.MVC else PatternType.ANT

var channelProcessors: List<ChannelProcessor>? = null

Expand Down Expand Up @@ -71,11 +72,9 @@ class RequiresChannelDsl : AbstractRequestMatcherDsl() {
* (i.e. "REQUIRES_SECURE_CHANNEL")
*/
fun secure(pattern: String, attribute: String = "REQUIRES_SECURE_CHANNEL") {
if (MVC_PRESENT) {
channelSecurityRules.add(PatternAuthorizationRule(pattern, PatternType.MVC, null, attribute))
} else {
channelSecurityRules.add(PatternAuthorizationRule(pattern, PatternType.ANT, null, attribute))
}
channelSecurityRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
rule = attribute))
}

/**
Expand All @@ -96,11 +95,10 @@ class RequiresChannelDsl : AbstractRequestMatcherDsl() {
* (i.e. "REQUIRES_SECURE_CHANNEL")
*/
fun secure(pattern: String, servletPath: String, attribute: String = "REQUIRES_SECURE_CHANNEL") {
if (MVC_PRESENT) {
channelSecurityRules.add(PatternAuthorizationRule(pattern, PatternType.MVC, servletPath, attribute))
} else {
channelSecurityRules.add(PatternAuthorizationRule(pattern, PatternType.ANT, servletPath, attribute))
}
channelSecurityRules.add(PatternAuthorizationRule(pattern = pattern,
patternType = PATTERN_TYPE,
servletPath = servletPath,
rule = attribute))
}

/**
Expand Down
112 changes: 112 additions & 0 deletions .../test/kotlin/org/springframework/security/config/web/servlet/AuthorizeRequestsDslTests.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,17 +20,21 @@ import org.junit.Rule
import org.junit.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.test.SpringTestRule
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic
import org.springframework.security.web.util.matcher.RegexRequestMatcher
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.get
import org.springframework.test.web.servlet.post
import org.springframework.test.web.servlet.put
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
import org.springframework.web.bind.annotation.GetMapping
Expand Down Expand Up @@ -72,12 +76,29 @@ class AuthorizeRequestsDslTests {
}
}

@Test
fun `request when allowed by regex matcher with http method then responds based on method`() {
this.spring.register(AuthorizeRequestsByRegexConfig::class.java).autowire()

this.mockMvc.post("/onlyPostPermitted") { with(csrf()) }
.andExpect {
status { isOk }
}

this.mockMvc.get("/onlyPostPermitted")
.andExpect {
status { isForbidden }
}
}

@EnableWebSecurity
open class AuthorizeRequestsByRegexConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(RegexRequestMatcher("/path", null), permitAll)
authorize(RegexRequestMatcher("/onlyPostPermitted", "POST"), permitAll)
authorize(RegexRequestMatcher("/onlyPostPermitted", "GET"), denyAll)
authorize(RegexRequestMatcher(".*", null), authenticated)
}
}
Expand All @@ -88,6 +109,10 @@ class AuthorizeRequestsDslTests {
@RequestMapping("/path")
fun path() {
}

@RequestMapping("/onlyPostPermitted")
fun onlyPostPermitted() {
}
}
}

Expand Down Expand Up @@ -271,4 +296,91 @@ class AuthorizeRequestsDslTests {
}
}
}

@EnableWebSecurity
@EnableWebMvc
open class AuthorizeRequestsByMvcConfigWithHttpMethod : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(HttpMethod.GET, "/path", permitAll)
authorize(HttpMethod.PUT, "/path", denyAll)
}
}
}

@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}

@Test
fun `request when secured by mvc with http method then responds based on http method`() {
this.spring.register(AuthorizeRequestsByMvcConfigWithHttpMethod::class.java).autowire()

this.mockMvc.get("/path")
.andExpect {
status { isOk }
}

this.mockMvc.put("/path") { with(csrf()) }
.andExpect {
status { isForbidden }
}
}

@EnableWebSecurity
@EnableWebMvc
open class MvcMatcherServletPathHttpMethodConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
authorizeRequests {
authorize(HttpMethod.GET, "/path", "/spring", denyAll)
authorize(HttpMethod.PUT, "/path", "/spring", denyAll)
}
}
}

@RestController
internal class PathController {
@RequestMapping("/path")
fun path() {
}
}
}



@Test
fun `request when secured by mvc with servlet path and http method then responds based on path and method`() {
this.spring.register(MvcMatcherServletPathConfig::class.java).autowire()

this.mockMvc.perform(MockMvcRequestBuilders.get("/spring/path")
.with { request ->
request.apply {
servletPath = "/spring"
}
})
.andExpect(status().isForbidden)

this.mockMvc.perform(MockMvcRequestBuilders.put("/spring/path")
.with { request ->
request.apply {
servletPath = "/spring"
csrf()
}
})
.andExpect(status().isForbidden)

this.mockMvc.perform(MockMvcRequestBuilders.get("/other/path")
.with { request ->
request.apply {
servletPath = "/other"
}
})
.andExpect(status().isOk)
}
}