From 42524ac304f92323eab30ac30cb72d0556e3a3d7 Mon Sep 17 00:00:00 2001 From: Max Batischev Date: Thu, 28 Nov 2024 15:25:35 +0300 Subject: [PATCH] Add support checking same security matchers Closes gh-15982 --- .../annotation/web/builders/WebSecurity.java | 2 ++ .../web/builders/WebSecurityTests.java | 32 ++++++++++++++++++- .../web/util/matcher/OrRequestMatcher.java | 20 +++++++++++- 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java index 0974736d01..887c4440a6 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java @@ -44,6 +44,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; +import org.springframework.security.config.http.DefaultFilterChainValidator; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.FilterChainProxy; @@ -338,6 +339,7 @@ else if (!this.observationRegistry.isNoop()) { filterChainProxy.setRequestRejectedHandler(requestRejectedHandler); } filterChainProxy.setFilterChainDecorator(getFilterChainDecorator()); + filterChainProxy.setFilterChainValidator(new DefaultFilterChainValidator()); filterChainProxy.afterPropertiesSet(); Filter result = filterChainProxy; diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java index 3219676502..af491d852c 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,9 +27,11 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.BeanCreationException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.core.annotation.Order; import org.springframework.http.HttpStatus; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; @@ -52,6 +54,7 @@ import org.springframework.web.servlet.handler.HandlerMappingIntrospector; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; /** * @author Rob Winch @@ -156,6 +159,12 @@ public void ignoringMvcMatcherServletPath() throws Exception { assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); } + @Test + public void configureWhenSameSecurityMatchersConfiguredThenThrowsBeanCreationException() { + assertThatExceptionOfType(BeanCreationException.class) + .isThrownBy(() -> loadConfig(MultipleSecurityMatchersConfig.class)); + } + public void loadConfig(Class... configs) { this.context = new AnnotationConfigWebApplicationContext(); this.context.register(configs); @@ -169,6 +178,27 @@ static class DefaultConfig { } + @Configuration + @EnableWebMvc + @EnableWebSecurity + static class MultipleSecurityMatchersConfig { + + @Bean + @Order(0) + SecurityFilterChain app(HttpSecurity http) throws Exception { + http.securityMatcher("/app/**").authorizeHttpRequests((auth) -> auth.anyRequest().authenticated()); + return http.build(); + } + + @Bean + @Order(1) + SecurityFilterChain api(HttpSecurity http) throws Exception { + http.securityMatcher("/app/**").authorizeHttpRequests((auth) -> auth.anyRequest().authenticated()); + return http.build(); + } + + } + @EnableWebSecurity @Configuration @EnableWebMvc diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java index e3add8edf3..53c0af8d92 100644 --- a/web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java +++ b/web/src/main/java/org/springframework/security/web/util/matcher/OrRequestMatcher.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ import java.util.Arrays; import java.util.List; +import java.util.Objects; import jakarta.servlet.http.HttpServletRequest; @@ -81,6 +82,23 @@ public MatchResult matcher(HttpServletRequest request) { return MatchResult.notMatch(); } + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + OrRequestMatcher that = (OrRequestMatcher) o; + return Objects.equals(this.requestMatchers, that.requestMatchers); + } + + @Override + public int hashCode() { + return Objects.hash(this.requestMatchers); + } + @Override public String toString() { return "Or " + this.requestMatchers;