Polish Authorization Event Support
- Added spring-security-config support - Renamed classes - Changed contracts to include the authenticated user and secured object - Added method security support Issue gh-9288
This commit is contained in:
Josh Cummings
+31
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,14 +17,21 @@
|
||||
package org.springframework.security.web.access.intercept;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.context.ApplicationEventPublisher;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationEventPublisher;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
|
||||
import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.Assert;
|
||||
@@ -41,6 +48,8 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
||||
|
||||
private final AuthorizationManager<HttpServletRequest> authorizationManager;
|
||||
|
||||
private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;
|
||||
|
||||
/**
|
||||
* Creates an instance.
|
||||
* @param authorizationManager the {@link AuthorizationManager} to use
|
||||
@@ -54,7 +63,11 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
this.authorizationManager.verify(this::getAuthentication, request);
|
||||
AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request);
|
||||
this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision);
|
||||
if (decision != null && !decision.isGranted()) {
|
||||
throw new AccessDeniedException("Access Denied");
|
||||
}
|
||||
filterChain.doFilter(request, response);
|
||||
}
|
||||
|
||||
@@ -67,6 +80,17 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
||||
return authentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Use this {@link AuthorizationEventPublisher} to publish
|
||||
* {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s.
|
||||
* @param eventPublisher the {@link ApplicationEventPublisher} to use
|
||||
* @since 5.7
|
||||
*/
|
||||
public void setAuthorizationEventPublisher(AuthorizationEventPublisher eventPublisher) {
|
||||
Assert.notNull(eventPublisher, "eventPublisher cannot be null");
|
||||
this.eventPublisher = eventPublisher;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the {@link AuthorizationManager} used by this filter
|
||||
* @return the {@link AuthorizationManager}
|
||||
@@ -75,4 +99,9 @@ public class AuthorizationFilter extends OncePerRequestFilter {
|
||||
return this.authorizationManager;
|
||||
}
|
||||
|
||||
private static <T> void noPublish(Supplier<Authentication> authentication, T object,
|
||||
AuthorizationDecision decision) {
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+1
-26
@@ -28,7 +28,6 @@ import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationEventPublisher;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
@@ -49,8 +48,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
|
||||
|
||||
private final Map<RequestMatcher, AuthorizationManager<RequestAuthorizationContext>> mappings;
|
||||
|
||||
private AuthorizationEventPublisher authorizationEventPublisher;
|
||||
|
||||
private RequestMatcherDelegatingAuthorizationManager(
|
||||
Map<RequestMatcher, AuthorizationManager<RequestAuthorizationContext>> mappings) {
|
||||
Assert.notEmpty(mappings, "mappings cannot be empty");
|
||||
@@ -81,36 +78,14 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
|
||||
if (this.logger.isTraceEnabled()) {
|
||||
this.logger.trace(LogMessage.format("Checking authorization on %s using %s", request, manager));
|
||||
}
|
||||
AuthorizationDecision authorizationDecision = manager.check(authentication,
|
||||
return manager.check(authentication,
|
||||
new RequestAuthorizationContext(request, matchResult.getVariables()));
|
||||
publishAuthorizationEvent(authorizationDecision);
|
||||
return authorizationDecision;
|
||||
}
|
||||
}
|
||||
this.logger.trace("Abstaining since did not find matching RequestMatcher");
|
||||
return null;
|
||||
}
|
||||
|
||||
private void publishAuthorizationEvent(AuthorizationDecision authorizationDecision) {
|
||||
if (this.authorizationEventPublisher != null) {
|
||||
if (authorizationDecision.isGranted()) {
|
||||
this.authorizationEventPublisher.publishAuthorizationSuccess(authorizationDecision);
|
||||
}
|
||||
else {
|
||||
this.authorizationEventPublisher.publishAuthorizationFailure(authorizationDecision);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Set implementation of an {@link AuthorizationEventPublisher}
|
||||
* @param authorizationEventPublisher
|
||||
*/
|
||||
public void setAuthorizationEventPublisher(AuthorizationEventPublisher authorizationEventPublisher) {
|
||||
Assert.notNull(authorizationEventPublisher, "AuthorizationEventPublisher cannot be null");
|
||||
this.authorizationEventPublisher = authorizationEventPublisher;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a builder for {@link RequestMatcherDelegatingAuthorizationManager}.
|
||||
* @return the new {@link Builder} instance
|
||||
|
||||
+36
-3
@@ -31,6 +31,8 @@ import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationEventPublisher;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
@@ -39,8 +41,10 @@ import org.springframework.security.core.context.SecurityContextImpl;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.BDDMockito.willThrow;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
@@ -61,6 +65,8 @@ public class AuthorizationFilterTests {
|
||||
@Test
|
||||
public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Exception {
|
||||
AuthorizationManager<HttpServletRequest> mockAuthorizationManager = mock(AuthorizationManager.class);
|
||||
given(mockAuthorizationManager.check(any(Supplier.class), any(HttpServletRequest.class)))
|
||||
.willReturn(new AuthorizationDecision(true));
|
||||
AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
|
||||
TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password");
|
||||
|
||||
@@ -75,7 +81,7 @@ public class AuthorizationFilterTests {
|
||||
filter.doFilter(mockRequest, mockResponse, mockFilterChain);
|
||||
|
||||
ArgumentCaptor<Supplier<Authentication>> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class);
|
||||
verify(mockAuthorizationManager).verify(authenticationCaptor.capture(), eq(mockRequest));
|
||||
verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest));
|
||||
Supplier<Authentication> authentication = authenticationCaptor.getValue();
|
||||
assertThat(authentication.get()).isEqualTo(authenticationToken);
|
||||
|
||||
@@ -96,7 +102,7 @@ public class AuthorizationFilterTests {
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
willThrow(new AccessDeniedException("Access Denied")).given(mockAuthorizationManager).verify(any(),
|
||||
willThrow(new AccessDeniedException("Access Denied")).given(mockAuthorizationManager).check(any(),
|
||||
eq(mockRequest));
|
||||
|
||||
assertThatExceptionOfType(AccessDeniedException.class)
|
||||
@@ -104,7 +110,7 @@ public class AuthorizationFilterTests {
|
||||
.withMessage("Access Denied");
|
||||
|
||||
ArgumentCaptor<Supplier<Authentication>> authenticationCaptor = ArgumentCaptor.forClass(Supplier.class);
|
||||
verify(mockAuthorizationManager).verify(authenticationCaptor.capture(), eq(mockRequest));
|
||||
verify(mockAuthorizationManager).check(authenticationCaptor.capture(), eq(mockRequest));
|
||||
Supplier<Authentication> authentication = authenticationCaptor.getValue();
|
||||
assertThat(authentication.get()).isEqualTo(authenticationToken);
|
||||
|
||||
@@ -132,4 +138,31 @@ public class AuthorizationFilterTests {
|
||||
assertThat(authorizationFilter.getAuthorizationManager()).isSameAs(authorizationManager);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void configureWhenAuthorizationEventPublisherIsNullThenIllegalArgument() {
|
||||
AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> authorizationFilter.setAuthorizationEventPublisher(null))
|
||||
.withMessage("eventPublisher cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenAuthorizationEventPublisherThenUses() throws Exception {
|
||||
AuthorizationFilter authorizationFilter = new AuthorizationFilter(
|
||||
AuthenticatedAuthorizationManager.authenticated());
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
FilterChain mockFilterChain = mock(FilterChain.class);
|
||||
|
||||
SecurityContext securityContext = new SecurityContextImpl();
|
||||
securityContext.setAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"));
|
||||
SecurityContextHolder.setContext(securityContext);
|
||||
|
||||
AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
|
||||
authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
|
||||
authorizationFilter.doFilter(mockRequest, mockResponse, mockFilterChain);
|
||||
verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
|
||||
any(AuthorizationDecision.class));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
-39
@@ -24,15 +24,12 @@ import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.authorization.AuthorityAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationEventPublisher;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Tests for {@link RequestMatcherDelegatingAuthorizationManager}.
|
||||
@@ -126,40 +123,4 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
|
||||
.withMessage("mappingsConsumer cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthorizationEventPublisherIsNotNull() {
|
||||
RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
|
||||
.add(new MvcRequestMatcher(null, "/grant"), (a, o) -> new AuthorizationDecision(true)).build();
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> manager.setAuthorizationEventPublisher(null))
|
||||
.withMessage("AuthorizationEventPublisher cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthorizationSuccessEventWhenAuthorizationGranted() {
|
||||
RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
|
||||
.add(new MvcRequestMatcher(null, "/grant"), (a, o) -> new AuthorizationDecision(true)).build();
|
||||
|
||||
AuthorizationEventPublisher authorizationEventPublisher = mock(AuthorizationEventPublisher.class);
|
||||
manager.setAuthorizationEventPublisher(authorizationEventPublisher);
|
||||
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
|
||||
AuthorizationDecision grant = manager.check(authentication, new MockHttpServletRequest(null, "/grant"));
|
||||
verify(authorizationEventPublisher).publishAuthorizationSuccess(grant);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthorizationFailureEventWhenAuthorizationNotGranted() {
|
||||
RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
|
||||
.add(new MvcRequestMatcher(null, "/deny"), (a, o) -> new AuthorizationDecision(false)).build();
|
||||
|
||||
AuthorizationEventPublisher authorizationEventPublisher = mock(AuthorizationEventPublisher.class);
|
||||
manager.setAuthorizationEventPublisher(authorizationEventPublisher);
|
||||
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
|
||||
AuthorizationDecision grant = manager.check(authentication, new MockHttpServletRequest(null, "/deny"));
|
||||
verify(authorizationEventPublisher).publishAuthorizationFailure(grant);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user