From 35f7e46d059867dc400e3f23f5d1a95e2e5be48f Mon Sep 17 00:00:00 2001 
From: Marcus Da Coregio Date: Fri, 30 Sep 2022 10:31:15 -0300 Subject: [PATCH] Remove WebSecurityConfigurerAdapter Closes gh-10902 --- ...onProviderBuilderSecurityBuilderTests.java | 86 ++- ...AuthenticationProviderConfigurerTests.java | 33 +- ...dapAuthenticationProviderTestsConfigs.java | 30 +- .../resources/test-server.ldif | 13 + .../HttpSecurityConfiguration.java | 98 ++- .../WebSecurityConfiguration.java | 21 +- .../WebSecurityConfigurerAdapter.java | 631 ------------------ .../AuthenticationManagerBuilderTests.java | 15 +- .../NamespaceAuthenticationManagerTests.java | 13 +- .../NamespaceAuthenticationProviderTests.java | 18 +- .../NamespaceJdbcUserServiceTests.java | 21 +- .../NamespacePasswordEncoderTests.java | 21 +- .../PasswordEncoderConfigurerTests.java | 23 +- .../AuthenticationConfigurationTests.java | 3 +- .../annotation/issue50/SecurityConfig.java | 29 +- .../annotation/sec2758/Sec2758Tests.java | 11 +- ...RequestMatcherRegistryAnyMatcherTests.java | 40 +- .../web/HttpSecurityHeadersTests.java | 12 +- ...mpleWebSecurityConfigurerAdapterTests.java | 397 ----------- ...SecurityConfigurerAdapterMockitoTests.java | 161 ----- .../WebSecurityConfigurerAdapterTests.java | 450 ------------- .../web/builders/HttpConfigurationTests.java | 32 +- .../builders/HttpSecurityAddFilterTest.java | 24 +- ...ttpSecurityAuthenticationManagerTests.java | 26 +- .../web/builders/NamespaceHttpTests.java | 196 +++--- .../web/builders/TestHttpSecurity.java | 40 ++ .../web/builders/WebSecurityTests.java | 72 +- ...icationPrincipalArgumentResolverTests.java | 25 +- .../configuration/EnableWebSecurityTests.java | 59 +- .../OAuth2ClientConfigurationTests.java | 45 +- .../web/configuration/Sec2515Tests.java | 131 ---- ...ntextConfigurationResourceServerTests.java | 15 +- ...urityReactorContextConfigurationTests.java | 9 +- .../WebMvcSecurityConfigurationTests.java | 2 +- .../WebSecurityConfigurationTests.java | 470 +------------ .../sec2377/a/Sec2377AConfig.java | 5 +- 
.../sec2377/b/Sec2377BConfig.java | 5 +- .../configurers/AnonymousConfigurerTests.java | 54 +- .../configurers/AuthorizeRequestsTests.java | 197 +++--- .../ChannelSecurityConfigurerTests.java | 29 +- .../web/configurers/CorsConfigurerTests.java | 53 +- ...onfigurerIgnoringRequestMatchersTests.java | 31 +- .../CsrfConfigurerNoWebMvcTests.java | 18 +- .../web/configurers/CsrfConfigurerTests.java | 179 +++-- .../web/configurers/DefaultFiltersTests.java | 54 +- .../DefaultLoginPageConfigurerTests.java | 78 ++- ...ingConfigurerAccessDeniedHandlerTests.java | 26 +- .../ExceptionHandlingConfigurerTests.java | 47 +- ...essionUrlAuthorizationConfigurerTests.java | 261 +++++--- .../configurers/FormLoginConfigurerTests.java | 168 +++-- .../HeadersConfigurerEagerHeadersTests.java | 12 +- .../configurers/HeadersConfigurerTests.java | 288 ++++---- .../configurers/HttpBasicConfigurerTests.java | 83 +-- .../HttpSecurityAntMatchersTests.java | 40 +- .../configurers/HttpSecurityLogoutTests.java | 24 +- .../HttpSecurityRequestMatchersTests.java | 66 +- .../web/configurers/Issue55Tests.java | 177 ----- .../web/configurers/JeeConfigurerTests.java | 39 +- .../LogoutConfigurerClearSiteDataTests.java | 12 +- .../configurers/LogoutConfigurerTests.java | 108 +-- .../web/configurers/NamespaceDebugTests.java | 7 +- .../NamespaceHttpAnonymousTests.java | 54 +- .../configurers/NamespaceHttpBasicTests.java | 60 +- .../NamespaceHttpCustomFilterTests.java | 61 +- .../NamespaceHttpExpressionHandlerTests.java | 31 +- .../NamespaceHttpFirewallTests.java | 13 +- .../NamespaceHttpFormLoginTests.java | 35 +- .../NamespaceHttpHeadersTests.java | 73 +- .../NamespaceHttpInterceptUrlTests.java | 25 +- .../configurers/NamespaceHttpJeeTests.java | 18 +- .../configurers/NamespaceHttpLogoutTests.java | 49 +- .../NamespaceHttpPortMappingsTests.java | 27 +- .../NamespaceHttpRequestCacheTests.java | 43 +- ...aceHttpServerAccessDeniedHandlerTests.java | 30 +- .../configurers/NamespaceHttpX509Tests.java | 122 ++-- 
.../configurers/NamespaceRememberMeTests.java | 104 +-- .../NamespaceSessionManagementTests.java | 70 +- .../configurers/PermitAllSupportTests.java | 33 +- .../PortMapperConfigurerTests.java | 26 +- .../RememberMeConfigurerTests.java | 143 ++-- .../RequestCacheConfigurerTests.java | 67 +- .../RequestMatcherConfigurerTests.java | 19 +- .../SecurityContextConfigurerTests.java | 114 ++-- .../ServletApiConfigurerTests.java | 102 +-- ...ionManagementConfigurerServlet31Tests.java | 25 +- ...rerSessionAuthenticationStrategyTests.java | 25 +- ...tConfigurerSessionCreationPolicyTests.java | 23 +- .../SessionManagementConfigurerTests.java | 146 ++-- ...onfigurerTransientAuthenticationTests.java | 30 +- .../UrlAuthorizationConfigurerTests.java | 46 +- .../configurers/UrlAuthorizationsTests.java | 20 +- .../web/configurers/X509ConfigurerTests.java | 67 +- .../client/OAuth2ClientConfigurerTests.java | 18 +- .../client/OAuth2LoginConfigurerTests.java | 160 ++--- .../OAuth2ResourceServerConfigurerTests.java | 301 +++++---- .../saml2/Saml2LoginConfigurerTests.java | 31 +- ...uthenticationConfigurationGh3935Tests.java | 5 +- .../core/GrantedAuthorityDefaultsJcTests.java | 11 +- ...eyConversionServicePostProcessorTests.java | 2 +- .../CustomHttpSecurityConfigurerTests.java | 18 +- docs/modules/ROOT/pages/whats-new.adoc | 2 + .../web/servlet/request/Sec2935Tests.java | 12 +- ...rocessorsAuthenticationStatelessTests.java | 25 +- ...MockMvcRequestPostProcessorsCsrfTests.java | 12 +- ...equestPostProcessorsOAuth2ClientTests.java | 11 +- ...RequestPostProcessorsOAuth2LoginTests.java | 11 +- ...vcRequestPostProcessorsOidcLoginTests.java | 11 +- ...RequestPostProcessorsOpaqueTokenTests.java | 12 +- ...sorsTestSecurityContextStatelessTests.java | 13 +- .../web/servlet/response/Gh3409Tests.java | 12 +- .../SecurityMockMvcResultHandlersTest.java | 2 +- .../SecurityMockMvcResultMatchersTests.java | 8 +- ...WithAuthoritiesMvcResultMatchersTests.java | 8 +- 
.../SecurityMockMvcConfigurersTests.java | 2 +- .../showcase/csrf/CsrfShowcaseTests.java | 12 +- .../csrf/CustomCsrfShowcaseTests.java | 11 +- .../csrf/DefaultCsrfShowcaseTests.java | 12 +- .../showcase/login/AuthenticationTests.java | 2 +- .../CustomConfigAuthenticationTests.java | 14 +- ...oginRequestBuilderAuthenticationTests.java | 14 +- .../DefaultfSecurityRequestsTests.java | 12 +- .../secured/SecurityRequestsTests.java | 28 +- .../secured/WithUserAuthenticationTests.java | 12 +- ...WithUserClassLevelAuthenticationTests.java | 12 +- .../WithUserDetailsAuthenticationTests.java | 29 +- ...rDetailsClassLevelAuthenticationTests.java | 29 +- .../test/web/support/WebTestUtilsTests.java | 27 +- 127 files changed, 2947 insertions(+), 4988 deletions(-) delete mode 100644 config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java delete mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.java delete mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterMockitoTests.java delete mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.java create mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/builders/TestHttpSecurity.java delete mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/configuration/Sec2515Tests.java delete mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/configurers/Issue55Tests.java 
diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java index f899908b2f..9937c4804b 100644 --- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java +++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -33,10 +33,10 @@ import org.springframework.context.annotation.Import; import org.springframework.ldap.core.support.BaseLdapPathContextSource; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication; import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -70,7 +70,6 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { public void defaultConfiguration() { this.spring.register(DefaultLdapConfig.class).autowire(); LdapAuthenticationProvider provider = ldapProvider(); - LdapAuthoritiesPopulator authoritiesPopulator = getAuthoritiesPopulator(provider); assertThat(authoritiesPopulator).hasFieldOrPropertyWithValue("groupRoleAttribute", "cn"); assertThat(authoritiesPopulator).hasFieldOrPropertyWithValue("groupSearchBase", ""); @@ -160,8 +159,8 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { @EnableWebSecurity static class DefaultLdapConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() 
@@ -170,14 +169,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class GroupRolesConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -187,14 +192,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class GroupSearchConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -204,14 +215,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class GroupSubtreeSearchConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() 
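Review bot: The `authenticationManager(AuthenticationConfiguration)` `@Bean` method is pasted unchanged into `DefaultLdapConfig`, `GroupRolesConfig` and `GroupSearchConfig` in these hunks, and again in the later hunks for `GroupSubtreeSearchConfig`, `RolePrefixConfig`, `BindAuthenticationConfig` and `PasswordEncoderConfig`, while the hunk at `-308,15` deletes the single definition that lived in `BaseLdapProviderConfig`. Declaring the new method once in the base class would keep the seven test configurations from drifting apart, assuming `BaseLdapServerConfig` (its declaration is not visible in this diff) also inherits from that base. The `@Autowired void configure(AuthenticationManagerBuilder auth)` methods would also benefit from a one-line comment such as `// configures the global AuthenticationManagerBuilder via method injection`, since the name `configure` no longer overrides anything and reads like a leftover adapter hook.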
@@ -222,14 +239,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class RolePrefixConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -239,14 +262,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class BindAuthenticationConfig extends BaseLdapServerConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -257,14 +286,20 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @EnableWebSecurity static class PasswordEncoderConfig extends BaseLdapServerConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() 
@@ -276,6 +311,12 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { // @formatter:on } + @Bean + AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) + throws Exception { + return authenticationConfiguration.getAuthenticationManager(); + } + } @Configuration @@ -296,7 +337,7 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { @EnableWebSecurity @EnableGlobalAuthentication @Import(ObjectPostProcessorConfiguration.class) - abstract static class BaseLdapProviderConfig extends WebSecurityConfigurerAdapter { + abstract static class BaseLdapProviderConfig { @Bean BaseLdapPathContextSource contextSource() throws Exception { @@ -308,15 +349,6 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests { return contextSource; } - @Bean - AuthenticationManager authenticationManager(AuthenticationManagerBuilder auth) throws Exception { - configure(auth); - return auth.build(); - } - - @Override - protected abstract void configure(AuthenticationManagerBuilder auth) throws Exception; - } } diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java index f263bc63c3..4b13990758 100644 --- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java +++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,7 +26,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.ldap.LdapAuthenticationProviderBuilderSecurityBuilderTests.BaseLdapProviderConfig; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.authority.AuthorityUtils; @@ -105,10 +104,10 @@ public class LdapAuthenticationProviderConfigurerTests { // @formatter:off SecurityMockMvcRequestBuilders.FormLoginRequestBuilder request = formLogin() - .user("ben") - .password("benspassword"); + .user("otherben") + .password("otherbenspassword"); SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated() - .withUsername("ben") + .withUsername("otherben") .withAuthorities( AuthorityUtils.createAuthorityList("ROLE_SUBMANAGERS", "ROLE_MANAGERS", "ROLE_DEVELOPERS")); // @formatter:on 
@@ -117,10 +116,10 @@ public class LdapAuthenticationProviderConfigurerTests { @Configuration @EnableWebSecurity - static class MultiLdapAuthenticationProvidersConfig extends WebSecurityConfigurerAdapter { + static class MultiLdapAuthenticationProvidersConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -139,10 +138,10 @@ public class LdapAuthenticationProviderConfigurerTests { @Configuration @EnableWebSecurity - static class MultiLdapWithCustomRolePrefixAuthenticationProvidersConfig extends WebSecurityConfigurerAdapter { + static class MultiLdapWithCustomRolePrefixAuthenticationProvidersConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -163,10 +162,10 @@ public class LdapAuthenticationProviderConfigurerTests { @Configuration @EnableWebSecurity - static class LdapWithRandomPortConfig extends WebSecurityConfigurerAdapter { + static class LdapWithRandomPortConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -174,7 +173,7 @@ public class LdapAuthenticationProviderConfigurerTests { .groupSearchFilter("(member={0})") .userDnPatterns("uid={0},ou=people") .contextSource() - .port(0); + .port(0); // @formatter:on } 
@@ -184,8 +183,8 @@ public class LdapAuthenticationProviderConfigurerTests { @EnableWebSecurity static class GroupSubtreeSearchConfig extends BaseLdapProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java index 0b985f8bbc..9b439055c7 100644 --- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java +++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -16,10 +16,10 @@ package org.springframework.security.config.annotation.authentication.ldap; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; import org.springframework.security.ldap.userdetails.PersonContextMapper; @@ -32,10 +32,10 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { @Configuration @EnableWebSecurity - static class LdapAuthenticationProviderConfig extends WebSecurityConfigurerAdapter { + static class LdapAuthenticationProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -48,10 +48,10 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { @Configuration @EnableWebSecurity - static class CustomLdapAuthenticationProviderConfig extends WebSecurityConfigurerAdapter { + static class CustomLdapAuthenticationProviderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() 
@@ -70,7 +70,7 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { .managerPassword("secret") // ldap-server@manager-password .port(0) // ldap-server@port .root("dc=springframework,dc=org"); // ldap-server@root - // .url("ldap://localhost:33389/dc-springframework,dc=org") this overrides root and port and is used for external + // .url("ldap://localhost:33389/dc-springframework,dc=org") this overrides root and port and is used for external // @formatter:on } @@ -78,12 +78,12 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { @Configuration @EnableWebSecurity - static class CustomAuthoritiesPopulatorConfig extends WebSecurityConfigurerAdapter { + static class CustomAuthoritiesPopulatorConfig { static LdapAuthoritiesPopulator LAP; - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() @@ -96,10 +96,10 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { @Configuration @EnableWebSecurity - static class PasswordCompareLdapConfig extends WebSecurityConfigurerAdapter { + static class PasswordCompareLdapConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .ldapAuthentication() diff --git a/config/src/integration-test/resources/test-server.ldif b/config/src/integration-test/resources/test-server.ldif index 3d0f39969e..7d2f5a8f54 100644 --- a/config/src/integration-test/resources/test-server.ldif +++ b/config/src/integration-test/resources/test-server.ldif 
@@ -28,6 +28,16 @@ sn: Alex uid: ben userPassword: {SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ= +dn: uid=otherben,ou=people,dc=springframework,dc=org +objectclass: top +objectclass: person +objectclass: organizationalPerson +objectclass: inetOrgPerson +cn: Other Ben Alex +sn: Alex +uid: otherben +userPassword: otherbenspassword + dn: uid=bcrypt,ou=people,dc=springframework,dc=org objectclass: top objectclass: person @@ -75,6 +85,7 @@ cn: developers ou: developer member: uid=bcrypt,ou=people,dc=springframework,dc=org member: uid=ben,ou=people,dc=springframework,dc=org +member: uid=otherben,ou=people,dc=springframework,dc=org member: uid=bob,ou=people,dc=springframework,dc=org dn: cn=managers,ou=groups,dc=springframework,dc=org @@ -83,6 +94,7 @@ objectclass: groupOfNames cn: managers ou: manager member: uid=ben,ou=people,dc=springframework,dc=org +member: uid=otherben,ou=people,dc=springframework,dc=org member: cn=mouse\, jerry,ou=people,dc=springframework,dc=org dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org @@ -91,3 +103,4 @@ objectclass: groupOfNames cn: submanagers ou: submanager member: uid=ben,ou=people,dc=springframework,dc=org +member: uid=otherben,ou=people,dc=springframework,dc=org diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java index 831375612c..36e56c1a13 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java 
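Review bot: The new `uid=otherben` entry stores `userPassword: otherbenspassword` in cleartext, while the neighbouring `uid=ben` entry uses a `{SHA}` value, and nothing in the fixture says why the two differ. A comment above the entry, for example `# test-only account: cleartext userPassword is intentional, used by the multi-provider login test`, would stop the pattern from being copied into other fixtures and would tell readers which tests depend on it. It is also worth confirming that none of the configurations sharing this LDIF that compare passwords through an encoder (such as `PasswordCompareLdapConfig` or `PasswordEncoderConfig`) are expected to authenticate `otherben`, since a cleartext value would presumably not match there.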
@@ -20,6 +20,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import org.springframework.beans.factory.NoSuchBeanDefinitionException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; @@ -32,11 +33,17 @@ import org.springframework.security.authentication.DefaultAuthenticationEventPub import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; +import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer; +import org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer; +import org.springframework.security.config.annotation.authentication.configurers.userdetails.DaoAuthenticationConfigurer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.crypto.factory.PasswordEncoderFactories; +import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.web.accept.ContentNegotiationStrategy; import org.springframework.web.accept.HeaderContentNegotiationStrategy; 
@@ -95,9 +102,8 @@ class HttpSecurityConfiguration { @Bean(HTTPSECURITY_BEAN_NAME) @Scope("prototype") HttpSecurity httpSecurity() throws Exception { - WebSecurityConfigurerAdapter.LazyPasswordEncoder passwordEncoder = new WebSecurityConfigurerAdapter.LazyPasswordEncoder( - this.context); - AuthenticationManagerBuilder authenticationBuilder = new WebSecurityConfigurerAdapter.DefaultPasswordEncoderAuthenticationManagerBuilder( + LazyPasswordEncoder passwordEncoder = new LazyPasswordEncoder(this.context); + AuthenticationManagerBuilder authenticationBuilder = new DefaultPasswordEncoderAuthenticationManagerBuilder( this.objectPostProcessor, passwordEncoder); authenticationBuilder.parentAuthenticationManager(authenticationManager()); authenticationBuilder.authenticationEventPublisher(getAuthenticationEventPublisher()); 
@@ -149,4 +155,90 @@ class HttpSecurityConfiguration { return sharedObjects; } + static class DefaultPasswordEncoderAuthenticationManagerBuilder extends AuthenticationManagerBuilder { + + private PasswordEncoder defaultPasswordEncoder; + + /** + * Creates a new instance + * @param objectPostProcessor the {@link ObjectPostProcessor} instance to use. + */ + DefaultPasswordEncoderAuthenticationManagerBuilder(ObjectPostProcessor objectPostProcessor, + PasswordEncoder defaultPasswordEncoder) { + super(objectPostProcessor); + this.defaultPasswordEncoder = defaultPasswordEncoder; + } + + @Override + public InMemoryUserDetailsManagerConfigurer inMemoryAuthentication() + throws Exception { + return super.inMemoryAuthentication().passwordEncoder(this.defaultPasswordEncoder); + } + + @Override + public JdbcUserDetailsManagerConfigurer jdbcAuthentication() throws Exception { + return super.jdbcAuthentication().passwordEncoder(this.defaultPasswordEncoder); + } + + @Override + public DaoAuthenticationConfigurer userDetailsService( + T userDetailsService) throws Exception { + return super.userDetailsService(userDetailsService).passwordEncoder(this.defaultPasswordEncoder); + } + + } + + static class LazyPasswordEncoder implements PasswordEncoder { + + private ApplicationContext applicationContext; + + private PasswordEncoder passwordEncoder; + + LazyPasswordEncoder(ApplicationContext applicationContext) { + this.applicationContext = applicationContext; + } + + @Override + public String encode(CharSequence rawPassword) { + return getPasswordEncoder().encode(rawPassword); + } + + @Override + public boolean matches(CharSequence rawPassword, String encodedPassword) { + return getPasswordEncoder().matches(rawPassword, encodedPassword); + } + + @Override + public boolean upgradeEncoding(String encodedPassword) { + return getPasswordEncoder().upgradeEncoding(encodedPassword); + } + + private PasswordEncoder getPasswordEncoder() { + if (this.passwordEncoder != null) { + return 
this.passwordEncoder; + } + PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class); + if (passwordEncoder == null) { + passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder(); + } + this.passwordEncoder = passwordEncoder; + return passwordEncoder; + } + + private T getBeanOrNull(Class type) { + try { + return this.applicationContext.getBean(type); + } + catch (NoSuchBeanDefinitionException ex) { + return null; + } + } + + @Override + public String toString() { + return getPasswordEncoder().toString(); + } + + } + } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java index 882c58162e..3522d4b050 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java @@ -37,9 +37,11 @@ import org.springframework.core.annotation.AnnotationUtils; import org.springframework.core.annotation.Order; import org.springframework.core.type.AnnotationMetadata; import org.springframework.security.access.expression.SecurityExpressionHandler; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityConfigurer; import org.springframework.security.config.annotation.web.WebSecurityConfigurer; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor; import org.springframework.security.context.DelegatingApplicationListener; 
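Review bot: In `LazyPasswordEncoder.getBeanOrNull` (HttpSecurityConfiguration.java), `catch (NoSuchBeanDefinitionException ex)` also swallows `NoUniqueBeanDefinitionException`, which is a subclass of it in Spring Framework, so a context that declares two `PasswordEncoder` beans silently falls back to `PasswordEncoderFactories.createDelegatingPasswordEncoder()` instead of failing or using either declared encoder. This class appears to have been carried over from the removed adapter, but now that it is the only copy it should either document the fallback in a comment or let the ambiguous case surface, e.g. by adding `catch (NoUniqueBeanDefinitionException ex) { throw ex; }` ahead of the existing catch. Separately, the constructor Javadoc on `DefaultPasswordEncoderAuthenticationManagerBuilder` documents `objectPostProcessor` but not `defaultPasswordEncoder`, and both classes would read better with a class-level comment saying that the encoder is resolved lazily from the `ApplicationContext` on first use.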
@@ -48,7 +50,6 @@ import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator; import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; -import org.springframework.util.Assert; /** * Uses a {@link WebSecurity} to create the {@link FilterChainProxy} that performs the web @@ -81,6 +82,9 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa @Autowired(required = false) private ObjectPostProcessor objectObjectPostProcessor; + @Autowired(required = false) + private HttpSecurity httpSecurity; + @Bean public static DelegatingApplicationListener delegatingApplicationListener() { return new DelegatingApplicationListener(); 
@@ -99,15 +103,14 @@ public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAwa */ @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) public Filter springSecurityFilterChain() throws Exception { - boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty(); boolean hasFilterChain = !this.securityFilterChains.isEmpty(); - Assert.state(!(hasConfigurers && hasFilterChain), - "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one."); - if (!hasConfigurers && !hasFilterChain) { - WebSecurityConfigurerAdapter adapter = this.objectObjectPostProcessor - .postProcess(new WebSecurityConfigurerAdapter() { - }); - this.webSecurity.apply(adapter); + if (!hasFilterChain) { + this.webSecurity.addSecurityFilterChainBuilder(() -> { + this.httpSecurity.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()); + this.httpSecurity.formLogin(Customizer.withDefaults()); + this.httpSecurity.httpBasic(Customizer.withDefaults()); + return this.httpSecurity.build(); + }); } for (SecurityFilterChain securityFilterChain : this.securityFilterChains) { this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java deleted file mode 100644 index e33d980278..0000000000 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java +++ /dev/null 
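Review bot: The default-chain lambda in `springSecurityFilterChain()` dereferences `this.httpSecurity` unconditionally, but the field added in the previous hunk is injected with `@Autowired(required = false)` and can be null. When neither a `SecurityFilterChain` bean nor an `HttpSecurity` bean is present, the build fails with a bare NullPointerException rather than a message naming the missing bean. A guard at the top of the lambda would make that explicit: `if (this.httpSecurity == null) { throw new IllegalStateException("HttpSecurity bean is required to build the default SecurityFilterChain"); }` (a plain check, since this commit removes the `Assert` import). Separately, the default chain is now added whenever `securityFilterChains` is empty, without consulting `webSecurityConfigurers`. If a remaining `WebSecurityConfigurer` can still register its own chain builder, the any-request default registered here may take precedence over it, which deserves a comment or a test; the method body continues past the end of the hunk.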
@@ -1,631 +0,0 @@ -/* - * Copyright 2002-2022 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web.configuration; - -import java.lang.reflect.Field; -import java.util.Arrays; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import org.springframework.aop.TargetSource; -import org.springframework.aop.framework.Advised; -import org.springframework.aop.target.LazyInitTargetSource; -import org.springframework.beans.FatalBeanException; -import org.springframework.beans.factory.BeanFactoryUtils; -import org.springframework.beans.factory.NoSuchBeanDefinitionException; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; -import org.springframework.core.annotation.Order; -import org.springframework.core.io.support.SpringFactoriesLoader; -import org.springframework.security.authentication.AuthenticationEventPublisher; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.authentication.AuthenticationTrustResolver; -import org.springframework.security.authentication.AuthenticationTrustResolverImpl; -import org.springframework.security.authentication.DefaultAuthenticationEventPublisher; 
-import org.springframework.security.config.annotation.ObjectPostProcessor; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; -import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer; -import org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer; -import org.springframework.security.config.annotation.authentication.configurers.userdetails.DaoAuthenticationConfigurer; -import org.springframework.security.config.annotation.web.WebSecurityConfigurer; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.builders.WebSecurity; -import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; -import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer; -import org.springframework.security.config.annotation.web.configurers.SecurityContextConfigurer; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.core.userdetails.UsernameNotFoundException; -import org.springframework.security.crypto.factory.PasswordEncoderFactories; -import org.springframework.security.crypto.password.PasswordEncoder; -import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; -import org.springframework.util.Assert; -import org.springframework.util.ReflectionUtils; -import org.springframework.web.accept.ContentNegotiationStrategy; -import 
org.springframework.web.accept.HeaderContentNegotiationStrategy; - -/** - * Provides a convenient base class for creating a {@link WebSecurityConfigurer} instance. - * The implementation allows customization by overriding methods. - * - *

- * Will automatically apply the result of looking up {@link AbstractHttpConfigurer} from - * {@link SpringFactoriesLoader} to allow developers to extend the defaults. To do this, - * you must create a class that extends AbstractHttpConfigurer and then create a file in - * the classpath at "META-INF/spring.factories" that looks something like: - *

- *
- * org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer
- * 
If you have multiple classes that should be added you can use "," to separate - * the values. For example: - * - *
- * org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
- * 
- * - * @author Rob Winch - * @see EnableWebSecurity - * @deprecated Use a {@link org.springframework.security.web.SecurityFilterChain} Bean to - * configure {@link HttpSecurity} or a {@link WebSecurityCustomizer} Bean to configure - * {@link WebSecurity} - */ -@Order(100) -@Deprecated -public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer { - - private final Log logger = LogFactory.getLog(WebSecurityConfigurerAdapter.class); - - private ApplicationContext context; - - private ContentNegotiationStrategy contentNegotiationStrategy = new HeaderContentNegotiationStrategy(); - - private ObjectPostProcessor objectPostProcessor = new ObjectPostProcessor() { - @Override - public T postProcess(T object) { - throw new IllegalStateException(ObjectPostProcessor.class.getName() - + " is a required bean. Ensure you have used @EnableWebSecurity and @Configuration"); - } - }; - - private AuthenticationConfiguration authenticationConfiguration; - - private AuthenticationManagerBuilder authenticationBuilder; - - private AuthenticationManagerBuilder localConfigureAuthenticationBldr; - - private boolean disableLocalConfigureAuthenticationBldr; - - private boolean authenticationManagerInitialized; - - private AuthenticationManager authenticationManager; - - private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); - - private HttpSecurity http; - - private boolean disableDefaults; - - /** - * Creates an instance with the default configuration enabled. - */ - protected WebSecurityConfigurerAdapter() { - this(false); - } - - /** - * Creates an instance which allows specifying if the default configuration should be - * enabled. Disabling the default configuration should be considered more advanced - * usage as it requires more understanding of how the framework is implemented. 
- * @param disableDefaults true if the default configuration should be disabled, else - * false - */ - protected WebSecurityConfigurerAdapter(boolean disableDefaults) { - this.disableDefaults = disableDefaults; - } - - /** - * Used by the default implementation of {@link #authenticationManager()} to attempt - * to obtain an {@link AuthenticationManager}. If overridden, the - * {@link AuthenticationManagerBuilder} should be used to specify the - * {@link AuthenticationManager}. - * - *

- * The {@link #authenticationManagerBean()} method can be used to expose the resulting - * {@link AuthenticationManager} as a Bean. The {@link #userDetailsServiceBean()} can - * be used to expose the last populated {@link UserDetailsService} that is created - * with the {@link AuthenticationManagerBuilder} as a Bean. The - * {@link UserDetailsService} will also automatically be populated on - * {@link HttpSecurity#getSharedObject(Class)} for use with other - * {@link SecurityContextConfigurer} (i.e. RememberMeConfigurer ) - *

- * - *

- * For example, the following configuration could be used to register in memory - * authentication that exposes an in memory {@link UserDetailsService}: - *

- * - *
-	 * @Override
-	 * protected void configure(AuthenticationManagerBuilder auth) {
-	 * 	auth
-	 * 	// enable in memory based authentication with a user named
-	 * 	// "user" and "admin"
-	 * 	.inMemoryAuthentication().withUser("user").password("password").roles("USER").and()
-	 * 			.withUser("admin").password("password").roles("USER", "ADMIN");
-	 * }
-	 *
-	 * // Expose the UserDetailsService as a Bean
-	 * @Bean
-	 * @Override
-	 * public UserDetailsService userDetailsServiceBean() throws Exception {
-	 * 	return super.userDetailsServiceBean();
-	 * }
-	 *
-	 * 
- * @param auth the {@link AuthenticationManagerBuilder} to use - * @throws Exception - */ - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - this.disableLocalConfigureAuthenticationBldr = true; - } - - /** - * Creates the {@link HttpSecurity} or returns the current instance - * @return the {@link HttpSecurity} - * @throws Exception - */ - @SuppressWarnings({ "rawtypes", "unchecked" }) - protected final HttpSecurity getHttp() throws Exception { - if (this.http != null) { - return this.http; - } - AuthenticationEventPublisher eventPublisher = getAuthenticationEventPublisher(); - this.localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher); - AuthenticationManager authenticationManager = authenticationManager(); - this.authenticationBuilder.parentAuthenticationManager(authenticationManager); - Map, Object> sharedObjects = createSharedObjects(); - this.http = new HttpSecurity(this.objectPostProcessor, this.authenticationBuilder, sharedObjects); - if (!this.disableDefaults) { - applyDefaultConfiguration(this.http); - ClassLoader classLoader = this.context.getClassLoader(); - List defaultHttpConfigurers = SpringFactoriesLoader - .loadFactories(AbstractHttpConfigurer.class, classLoader); - for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) { - this.http.apply(configurer); - } - } - configure(this.http); - return this.http; - } - - private void applyDefaultConfiguration(HttpSecurity http) throws Exception { - http.csrf(); - http.addFilter(new WebAsyncManagerIntegrationFilter()); - http.exceptionHandling(); - http.headers(); - http.sessionManagement(); - http.securityContext(); - http.requestCache(); - http.anonymous(); - http.servletApi(); - http.apply(new DefaultLoginPageConfigurer<>()); - http.logout(); - } - - /** - * Override this method to expose the {@link AuthenticationManager} from - * {@link #configure(AuthenticationManagerBuilder)} to be exposed as a Bean. For - * example: - * - *
-	 * @Bean(name name="myAuthenticationManager")
-	 * @Override
-	 * public AuthenticationManager authenticationManagerBean() throws Exception {
-	 *     return super.authenticationManagerBean();
-	 * }
-	 * 
- * @return the {@link AuthenticationManager} - * @throws Exception - */ - public AuthenticationManager authenticationManagerBean() throws Exception { - return new AuthenticationManagerDelegator(this.authenticationBuilder, this.context); - } - - /** - * Gets the {@link AuthenticationManager} to use. The default strategy is if - * {@link #configure(AuthenticationManagerBuilder)} method is overridden to use the - * {@link AuthenticationManagerBuilder} that was passed in. Otherwise, autowire the - * {@link AuthenticationManager} by type. - * @return the {@link AuthenticationManager} to use - * @throws Exception - */ - protected AuthenticationManager authenticationManager() throws Exception { - if (!this.authenticationManagerInitialized) { - configure(this.localConfigureAuthenticationBldr); - if (this.disableLocalConfigureAuthenticationBldr) { - this.authenticationManager = this.authenticationConfiguration.getAuthenticationManager(); - } - else { - this.authenticationManager = this.localConfigureAuthenticationBldr.build(); - } - this.authenticationManagerInitialized = true; - } - return this.authenticationManager; - } - - /** - * Override this method to expose a {@link UserDetailsService} created from - * {@link #configure(AuthenticationManagerBuilder)} as a bean. In general only the - * following override should be done of this method: - * - *
-	 * @Bean(name = "myUserDetailsService")
-	 * // any or no name specified is allowed
-	 * @Override
-	 * public UserDetailsService userDetailsServiceBean() throws Exception {
-	 * 	return super.userDetailsServiceBean();
-	 * }
-	 * 
- * - * To change the instance returned, developers should change - * {@link #userDetailsService()} instead - * @return the {@link UserDetailsService} - * @throws Exception - * @see #userDetailsService() - */ - public UserDetailsService userDetailsServiceBean() throws Exception { - AuthenticationManagerBuilder globalAuthBuilder = this.context.getBean(AuthenticationManagerBuilder.class); - return new UserDetailsServiceDelegator(Arrays.asList(this.localConfigureAuthenticationBldr, globalAuthBuilder)); - } - - /** - * Allows modifying and accessing the {@link UserDetailsService} from - * {@link #userDetailsServiceBean()} without interacting with the - * {@link ApplicationContext}. Developers should override this method when changing - * the instance of {@link #userDetailsServiceBean()}. - * @return the {@link UserDetailsService} to use - */ - protected UserDetailsService userDetailsService() { - AuthenticationManagerBuilder globalAuthBuilder = this.context.getBean(AuthenticationManagerBuilder.class); - return new UserDetailsServiceDelegator(Arrays.asList(this.localConfigureAuthenticationBldr, globalAuthBuilder)); - } - - @Override - public void init(WebSecurity web) throws Exception { - HttpSecurity http = getHttp(); - web.addSecurityFilterChainBuilder(http); - } - - /** - * Override this method to configure {@link WebSecurity}. For example, if you wish to - * ignore certain requests. - * - * Endpoints specified in this method will be ignored by Spring Security, meaning it - * will not protect them from CSRF, XSS, Clickjacking, and so on. - * - * Instead, if you want to protect endpoints against common vulnerabilities, then see - * {@link #configure(HttpSecurity)} and the {@link HttpSecurity#authorizeRequests} - * configuration method. - */ - @Override - public void configure(WebSecurity web) throws Exception { - } - - /** - * Override this method to configure the {@link HttpSecurity}. 
Typically subclasses - * should not invoke this method by calling super as it may override their - * configuration. The default configuration is: - * - *
-	 * http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
-	 * 
- * - * Any endpoint that requires defense against common vulnerabilities can be specified - * here, including public ones. See {@link HttpSecurity#authorizeRequests} and the - * `permitAll()` authorization rule for more details on public endpoints. - * @param http the {@link HttpSecurity} to modify - * @throws Exception if an error occurs - */ - protected void configure(HttpSecurity http) throws Exception { - this.logger.debug("Using default configure(HttpSecurity). " - + "If subclassed this will potentially override subclass configure(HttpSecurity)."); - http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); - http.formLogin(); - http.httpBasic(); - } - - /** - * Gets the ApplicationContext - * @return the context - */ - protected final ApplicationContext getApplicationContext() { - return this.context; - } - - @Autowired - public void setApplicationContext(ApplicationContext context) { - this.context = context; - ObjectPostProcessor objectPostProcessor = context.getBean(ObjectPostProcessor.class); - LazyPasswordEncoder passwordEncoder = new LazyPasswordEncoder(context); - this.authenticationBuilder = new DefaultPasswordEncoderAuthenticationManagerBuilder(objectPostProcessor, - passwordEncoder); - this.localConfigureAuthenticationBldr = new DefaultPasswordEncoderAuthenticationManagerBuilder( - objectPostProcessor, passwordEncoder) { - - @Override - public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) { - WebSecurityConfigurerAdapter.this.authenticationBuilder.eraseCredentials(eraseCredentials); - return super.eraseCredentials(eraseCredentials); - } - - @Override - public AuthenticationManagerBuilder authenticationEventPublisher( - AuthenticationEventPublisher eventPublisher) { - WebSecurityConfigurerAdapter.this.authenticationBuilder.authenticationEventPublisher(eventPublisher); - return super.authenticationEventPublisher(eventPublisher); - } - - }; - } - - @Autowired(required = false) - public void 
setTrustResolver(AuthenticationTrustResolver trustResolver) { - this.trustResolver = trustResolver; - } - - @Autowired(required = false) - public void setContentNegotationStrategy(ContentNegotiationStrategy contentNegotiationStrategy) { - this.contentNegotiationStrategy = contentNegotiationStrategy; - } - - @Autowired - public void setObjectPostProcessor(ObjectPostProcessor objectPostProcessor) { - this.objectPostProcessor = objectPostProcessor; - } - - @Autowired - public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration) { - this.authenticationConfiguration = authenticationConfiguration; - } - - private AuthenticationEventPublisher getAuthenticationEventPublisher() { - if (this.context.getBeanNamesForType(AuthenticationEventPublisher.class).length > 0) { - return this.context.getBean(AuthenticationEventPublisher.class); - } - return this.objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher()); - } - - /** - * Creates the shared objects - * @return the shared Objects - */ - private Map, Object> createSharedObjects() { - Map, Object> sharedObjects = new HashMap<>(); - sharedObjects.putAll(this.localConfigureAuthenticationBldr.getSharedObjects()); - sharedObjects.put(UserDetailsService.class, userDetailsService()); - sharedObjects.put(ApplicationContext.class, this.context); - sharedObjects.put(ContentNegotiationStrategy.class, this.contentNegotiationStrategy); - sharedObjects.put(AuthenticationTrustResolver.class, this.trustResolver); - return sharedObjects; - } - - /** - * Delays the use of the {@link UserDetailsService} from the - * {@link AuthenticationManagerBuilder} to ensure that it has been fully configured. 
- * - * @author Rob Winch - * @since 3.2 - */ - static final class UserDetailsServiceDelegator implements UserDetailsService { - - private List delegateBuilders; - - private UserDetailsService delegate; - - private final Object delegateMonitor = new Object(); - - UserDetailsServiceDelegator(List delegateBuilders) { - Assert.isTrue(!delegateBuilders.contains(null), - () -> "delegateBuilders cannot contain null values. Got " + delegateBuilders); - this.delegateBuilders = delegateBuilders; - } - - @Override - public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { - if (this.delegate != null) { - return this.delegate.loadUserByUsername(username); - } - synchronized (this.delegateMonitor) { - if (this.delegate == null) { - for (AuthenticationManagerBuilder delegateBuilder : this.delegateBuilders) { - this.delegate = delegateBuilder.getDefaultUserDetailsService(); - if (this.delegate != null) { - break; - } - } - if (this.delegate == null) { - throw new IllegalStateException("UserDetailsService is required."); - } - this.delegateBuilders = null; - } - } - return this.delegate.loadUserByUsername(username); - } - - } - - /** - * Delays the use of the {@link AuthenticationManager} build from the - * {@link AuthenticationManagerBuilder} to ensure that it has been fully configured. 
- * - * @author Rob Winch - * @since 3.2 - */ - static final class AuthenticationManagerDelegator implements AuthenticationManager { - - private AuthenticationManagerBuilder delegateBuilder; - - private AuthenticationManager delegate; - - private final Object delegateMonitor = new Object(); - - private Set beanNames; - - AuthenticationManagerDelegator(AuthenticationManagerBuilder delegateBuilder, ApplicationContext context) { - Assert.notNull(delegateBuilder, "delegateBuilder cannot be null"); - Field parentAuthMgrField = ReflectionUtils.findField(AuthenticationManagerBuilder.class, - "parentAuthenticationManager"); - ReflectionUtils.makeAccessible(parentAuthMgrField); - this.beanNames = getAuthenticationManagerBeanNames(context); - validateBeanCycle(ReflectionUtils.getField(parentAuthMgrField, delegateBuilder), this.beanNames); - this.delegateBuilder = delegateBuilder; - } - - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - if (this.delegate != null) { - return this.delegate.authenticate(authentication); - } - synchronized (this.delegateMonitor) { - if (this.delegate == null) { - this.delegate = this.delegateBuilder.getObject(); - this.delegateBuilder = null; - } - } - return this.delegate.authenticate(authentication); - } - - private static Set getAuthenticationManagerBeanNames(ApplicationContext applicationContext) { - String[] beanNamesForType = BeanFactoryUtils.beanNamesForTypeIncludingAncestors(applicationContext, - AuthenticationManager.class); - return new HashSet<>(Arrays.asList(beanNamesForType)); - } - - private static void validateBeanCycle(Object auth, Set beanNames) { - if (auth == null || beanNames.isEmpty() || !(auth instanceof Advised)) { - return; - } - TargetSource targetSource = ((Advised) auth).getTargetSource(); - if (!(targetSource instanceof LazyInitTargetSource)) { - return; - } - LazyInitTargetSource lits = (LazyInitTargetSource) targetSource; - if 
(beanNames.contains(lits.getTargetBeanName())) { - throw new FatalBeanException( - "A dependency cycle was detected when trying to resolve the AuthenticationManager. " - + "Please ensure you have configured authentication."); - } - } - - } - - static class DefaultPasswordEncoderAuthenticationManagerBuilder extends AuthenticationManagerBuilder { - - private PasswordEncoder defaultPasswordEncoder; - - /** - * Creates a new instance - * @param objectPostProcessor the {@link ObjectPostProcessor} instance to use. - */ - DefaultPasswordEncoderAuthenticationManagerBuilder(ObjectPostProcessor objectPostProcessor, - PasswordEncoder defaultPasswordEncoder) { - super(objectPostProcessor); - this.defaultPasswordEncoder = defaultPasswordEncoder; - } - - @Override - public InMemoryUserDetailsManagerConfigurer inMemoryAuthentication() - throws Exception { - return super.inMemoryAuthentication().passwordEncoder(this.defaultPasswordEncoder); - } - - @Override - public JdbcUserDetailsManagerConfigurer jdbcAuthentication() throws Exception { - return super.jdbcAuthentication().passwordEncoder(this.defaultPasswordEncoder); - } - - @Override - public DaoAuthenticationConfigurer userDetailsService( - T userDetailsService) throws Exception { - return super.userDetailsService(userDetailsService).passwordEncoder(this.defaultPasswordEncoder); - } - - } - - static class LazyPasswordEncoder implements PasswordEncoder { - - private ApplicationContext applicationContext; - - private PasswordEncoder passwordEncoder; - - LazyPasswordEncoder(ApplicationContext applicationContext) { - this.applicationContext = applicationContext; - } - - @Override - public String encode(CharSequence rawPassword) { - return getPasswordEncoder().encode(rawPassword); - } - - @Override - public boolean matches(CharSequence rawPassword, String encodedPassword) { - return getPasswordEncoder().matches(rawPassword, encodedPassword); - } - - @Override - public boolean upgradeEncoding(String encodedPassword) { - return 
getPasswordEncoder().upgradeEncoding(encodedPassword); - } - - private PasswordEncoder getPasswordEncoder() { - if (this.passwordEncoder != null) { - return this.passwordEncoder; - } - PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class); - if (passwordEncoder == null) { - passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder(); - } - this.passwordEncoder = passwordEncoder; - return passwordEncoder; - } - - private T getBeanOrNull(Class type) { - try { - return this.applicationContext.getBean(type); - } - catch (NoSuchBeanDefinitionException ex) { - return null; - } - } - - @Override - public String toString() { - return getPasswordEncoder().toString(); - } - - } - -} diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java index c895a3af85..e1409766ea 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java @@ -40,7 +40,6 @@ import org.springframework.security.config.annotation.authentication.configurati import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication; import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; 
@@ -167,10 +166,10 @@ public class AuthenticationManagerBuilderTests { @Configuration @EnableWebSecurity - static class MultiAuthenticationProvidersConfig extends WebSecurityConfigurerAdapter { + static class MultiAuthenticationProvidersConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .inMemoryAuthentication() @@ -185,7 +184,7 @@ public class AuthenticationManagerBuilderTests { @Configuration @EnableWebSecurity - static class PasswordEncoderGlobalConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderGlobalConfig { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { @@ -205,10 +204,10 @@ public class AuthenticationManagerBuilderTests { @Configuration @EnableWebSecurity - static class PasswordEncoderConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .inMemoryAuthentication() diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.java index 1796de7ed7..b31b2fe60c 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.java 
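Review bot: With the adapter gone, `configure(AuthenticationManagerBuilder)` in `MultiAuthenticationProvidersConfig` and `PasswordEncoderConfig` is an `@Autowired` method on the injected builder, exactly like `configureGlobal` in `PasswordEncoderGlobalConfig`, so the local-versus-global distinction these configurations used to cover appears to be gone. The method bodies lie outside the hunks, but if they are unchanged each pair now exercises the same path; the same holds for `EraseCredentialsFalseConfig` and `GlobalEraseCredentialsFalseConfig` in NamespaceAuthenticationManagerTests. Either merge each pair or add a comment such as `// formerly the adapter-local builder; now the shared AuthenticationManagerBuilder bean` so that the duplication is visibly intentional.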
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,7 +23,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; @@ -76,7 +75,7 @@ public class NamespaceAuthenticationManagerTests { @Configuration @EnableWebSecurity - static class EraseCredentialsTrueDefaultConfig extends WebSecurityConfigurerAdapter { + static class EraseCredentialsTrueDefaultConfig { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { @@ -91,10 +90,10 @@ public class NamespaceAuthenticationManagerTests { @Configuration @EnableWebSecurity - static class EraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter { + static class EraseCredentialsFalseConfig { - @Override - public void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .eraseCredentials(false) 
@@ -107,7 +106,7 @@ public class NamespaceAuthenticationManagerTests { @Configuration @EnableWebSecurity - static class GlobalEraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter { + static class GlobalEraseCredentialsFalseConfig { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationProviderTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationProviderTests.java index 46443425c9..2769903494 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationProviderTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,7 +25,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; 
@@ -63,10 +62,10 @@ public class NamespaceAuthenticationProviderTests { @Configuration @EnableWebSecurity - static class AuthenticationProviderRefConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationProviderRefConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) { + @Autowired + void configure(AuthenticationManagerBuilder auth) { // @formatter:off auth .authenticationProvider(authenticationProvider()); @@ -84,19 +83,18 @@ public class NamespaceAuthenticationProviderTests { @Configuration @EnableWebSecurity - static class UserServiceRefConfig extends WebSecurityConfigurerAdapter { + static class UserServiceRefConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { // @formatter:off auth .userDetailsService(userDetailsService()); // @formatter:on } - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.java index 2530ad1d76..b6b8e53612 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -28,7 +28,6 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder; import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; @@ -72,19 +71,16 @@ public class NamespaceJdbcUserServiceTests { @Configuration @EnableWebSecurity - static class JdbcUserServiceConfig extends WebSecurityConfigurerAdapter { + static class JdbcUserServiceConfig { @Autowired - private DataSource dataSource; - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + void configure(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception { // @formatter:off auth .jdbcAuthentication() .withDefaultSchema() .withUser(PasswordEncodedUser.user()) - .dataSource(this.dataSource); // jdbc-user-service@data-source-ref + .dataSource(dataSource); // jdbc-user-service@data-source-ref // @formatter:on } 
@@ -103,18 +99,15 @@ public class NamespaceJdbcUserServiceTests { @Configuration @EnableWebSecurity - static class CustomJdbcUserServiceSampleConfig extends WebSecurityConfigurerAdapter { + static class CustomJdbcUserServiceSampleConfig { @Autowired - private DataSource dataSource; - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + void configure(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception { // @formatter:off auth .jdbcAuthentication() // jdbc-user-service@dataSource - .dataSource(this.dataSource) + .dataSource(dataSource) // jdbc-user-service@cache-ref .userCache(new CustomUserCache()) // jdbc-user-service@users-byusername-query diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespacePasswordEncoderTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespacePasswordEncoderTests.java index ba6b69d64b..fc5ef6c1c6 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespacePasswordEncoderTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/NamespacePasswordEncoderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -28,7 +28,6 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder; import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.User; @@ -71,10 +70,10 @@ public class NamespacePasswordEncoderTests { @Configuration @EnableWebSecurity - static class PasswordEncoderWithInMemoryConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderWithInMemoryConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); // @formatter:off auth @@ -88,10 +87,10 @@ public class NamespacePasswordEncoderTests { @Configuration @EnableWebSecurity - static class PasswordEncoderWithJdbcConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderWithJdbcConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); // @formatter:off auth 
@@ -113,10 +112,10 @@ public class NamespacePasswordEncoderTests { @Configuration @EnableWebSecurity - static class PasswordEncoderWithUserDetailsServiceConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderWithUserDetailsServiceConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); // @formatter:off UserDetails user = User.withUsername("user") diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/PasswordEncoderConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/PasswordEncoderConfigurerTests.java index a064692457..c71b978eae 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/PasswordEncoderConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/PasswordEncoderConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,10 +25,10 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin; @@ -58,21 +58,22 @@ public class PasswordEncoderConfigurerTests { @Configuration @EnableWebSecurity - static class PasswordEncoderConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { BCryptPasswordEncoder encoder = passwordEncoder(); // @formatter:off auth - .inMemoryAuthentication() + .inMemoryAuthentication() .withUser("user").password(encoder.encode("password")).roles("USER").and() .passwordEncoder(encoder); // @formatter:on } - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Bean 
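Review bot: `filterChain` in `PasswordEncoderConfig` returns a bare `http.build()`, so the chain it registers has no authorization rules and, as far as I can tell, no form-login processing either. That mirrors the empty `configure(HttpSecurity)` override it replaces, but this file imports `formLogin` (context line in the import hunk), so it is worth checking that the test still reaches an authentication filter and cannot pass without the encoder being consulted. If the empty chain is intended, say so with a comment such as `// intentionally unconfigured: no authorization rules, only the encoder wiring is under test`. The `WebSecurityConfig` hunk in HttpSecurityHeadersTests has the same bare `return http.build();`.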
@@ -84,10 +85,10 @@ public class PasswordEncoderConfigurerTests { @Configuration @EnableWebSecurity - static class PasswordEncoderNoAuthManagerLoadsConfig extends WebSecurityConfigurerAdapter { + static class PasswordEncoderNoAuthManagerLoadsConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Autowired + void configure(AuthenticationManagerBuilder auth) throws Exception { BCryptPasswordEncoder encoder = passwordEncoder(); // @formatter:off auth diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java index 2f2d6f7169..85fd834aa1 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java @@ -48,7 +48,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; 
@@ -510,7 +509,7 @@ public class AuthenticationConfigurationTests { @Configuration @EnableWebSecurity - static class Sec2822WebSecurity extends WebSecurityConfigurerAdapter { + static class Sec2822WebSecurity { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { diff --git a/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java b/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java index a9d22cd03b..94ed5351cf 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java +++ b/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -23,16 +23,15 @@ import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.issue50.domain.User; import org.springframework.security.config.annotation.issue50.repo.UserRepository; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.util.Assert; /** 
@@ -42,32 +41,26 @@ import org.springframework.util.Assert; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) -public class SecurityConfig extends WebSecurityConfigurerAdapter { +public class SecurityConfig { @Autowired private UserRepository myUserRepository; - @Override - protected void configure(AuthenticationManagerBuilder auth) { - // @formatter:off - auth - .authenticationProvider(authenticationProvider()); - // @formatter:on - } - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() - .antMatchers("/*").permitAll(); + .antMatchers("/*").permitAll() + .and() + .authenticationProvider(authenticationProvider()); // @formatter:on + return http.build(); } @Bean - @Override - public AuthenticationManager authenticationManagerBean() throws Exception { - return super.authenticationManagerBean(); + AuthenticationManager authenticationManager() { + return authenticationProvider()::authenticate; } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java b/config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java index 981be0b82c..7d4ecd7423 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/sec2758/Sec2758Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
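Review bot: The new `authenticationManager()` bean in `SecurityConfig` returns `authenticationProvider()::authenticate`, which exposes the raw provider as the `AuthenticationManager` and drops what `ProviderManager` wraps around it. That covers the `supports()` check, turning a `null` result into a `ProviderNotFoundException`, credential erasure after a successful authentication, and event publication. The bean it replaces delegated to the adapter's manager, so consumers of this bean now see different behaviour on both success and failure. I would write `return new ProviderManager(authenticationProvider());` here, with the matching import added to the import hunk above.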
@@ -33,11 +33,11 @@ import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.MockMvc; @@ -81,14 +81,15 @@ public class Sec2758Tests { @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true) - static class SecurityConfig extends WebSecurityConfigurerAdapter { + static class SecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().access("hasAnyRole('CUSTOM')"); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java index 40cd85e862..ddb161951a 100644 
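Review bot: `return http.build();` is placed before `// @formatter:on` in `SecurityConfig.filterChain`, so the return statement sits inside the formatter-off region, which exists only to protect the indentation of the fluent chain. The issue50 `SecurityConfig` in this same patch puts the return after the marker; doing the same here, `// @formatter:on` followed by `return http.build();`, keeps the region tight and the files consistent. The five `filterChain` hunks in AbstractRequestMatcherRegistryAnyMatcherTests that follow use the same ordering.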
--- a/config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryAnyMatcherTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,11 +19,12 @@ package org.springframework.security.config.annotation.web; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.BeanCreationException; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockServletContext; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; @@ -76,15 +77,16 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests { @Configuration @EnableWebSecurity - static class AntMatchersAfterAnyRequestConfig extends WebSecurityConfigurerAdapter { + static class AntMatchersAfterAnyRequestConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .antMatchers("/demo/**").permitAll(); + return http.build(); // @formatter:on } 
@@ -92,15 +94,16 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests { @Configuration @EnableWebSecurity - static class MvcMatchersAfterAnyRequestConfig extends WebSecurityConfigurerAdapter { + static class MvcMatchersAfterAnyRequestConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .mvcMatchers("/demo/**").permitAll(); + return http.build(); // @formatter:on } @@ -108,15 +111,16 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests { @Configuration @EnableWebSecurity - static class RegexMatchersAfterAnyRequestConfig extends WebSecurityConfigurerAdapter { + static class RegexMatchersAfterAnyRequestConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .regexMatchers(".*").permitAll(); + return http.build(); // @formatter:on } @@ -124,15 +128,16 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests { @Configuration @EnableWebSecurity - static class AnyRequestAfterItselfConfig extends WebSecurityConfigurerAdapter { + static class AnyRequestAfterItselfConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .anyRequest().permitAll(); + return http.build(); // @formatter:on } 
@@ -140,15 +145,16 @@ public class AbstractRequestMatcherRegistryAnyMatcherTests { @Configuration @EnableWebSecurity - static class RequestMatchersAfterAnyRequestConfig extends WebSecurityConfigurerAdapter { + static class RequestMatchersAfterAnyRequestConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .requestMatchers(new AntPathRequestMatcher("/**")).permitAll(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/HttpSecurityHeadersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/HttpSecurityHeadersTests.java index b10cc82c42..7de6da29c1 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/HttpSecurityHeadersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/HttpSecurityHeadersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,11 +22,12 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpHeaders; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -88,10 +89,11 @@ public class HttpSecurityHeadersTests { @Configuration @EnableWebSecurity - static class WebSecurityConfig extends WebSecurityConfigurerAdapter { + static class WebSecurityConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.java deleted file mode 100644 index f9b5ae11e6..0000000000 --- a/config/src/test/java/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.java +++ /dev/null 
@@ -1,397 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web; - -import java.util.Base64; - -import jakarta.servlet.http.HttpServletResponse; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.core.annotation.Order; -import org.springframework.mock.web.MockFilterChain; -import org.springframework.mock.web.MockHttpServletRequest; -import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.builders.WebSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.test.SpringTestContext; -import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.security.core.userdetails.PasswordEncodedUser; -import 
org.springframework.security.web.FilterChainProxy; -import org.springframework.security.web.csrf.CsrfToken; -import org.springframework.security.web.csrf.DefaultCsrfToken; -import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; - -import static org.assertj.core.api.Assertions.assertThat; - -/** - * Demonstrate the samples. - * - * @author Rob Winch - * @author Joe Grandja - */ -@ExtendWith(SpringTestContextExtension.class) -public class SampleWebSecurityConfigurerAdapterTests { - - public final SpringTestContext spring = new SpringTestContext(this); - - @Autowired - private FilterChainProxy springSecurityFilterChain; - - private MockHttpServletRequest request; - - private MockHttpServletResponse response; - - private MockFilterChain chain; - - @BeforeEach - public void setup() { - this.request = new MockHttpServletRequest("GET", ""); - this.response = new MockHttpServletResponse(); - this.chain = new MockFilterChain(); - CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "CSRF-TOKEN-TEST"); - new HttpSessionCsrfTokenRepository().saveToken(csrfToken, this.request, this.response); - this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken()); - } - - @Test - public void helloWorldSampleWhenRequestSecureResourceThenRedirectToLogin() throws Exception { - this.spring.register(HelloWorldWebSecurityConfigurerAdapter.class).autowire(); - this.request.addHeader("Accept", "text/html"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("http://localhost/login"); - } - - @Test - public void helloWorldSampleWhenRequestLoginWithoutCredentialsThenRedirectToLogin() throws Exception { - this.spring.register(HelloWorldWebSecurityConfigurerAdapter.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.request.addHeader("Accept", "text/html"); - 
this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("/login?error"); - } - - @Test - public void helloWorldSampleWhenRequestLoginWithValidCredentialsThenRedirectToIndex() throws Exception { - this.spring.register(HelloWorldWebSecurityConfigurerAdapter.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.request.addHeader("Accept", "text/html"); - this.request.addParameter("username", "user"); - this.request.addParameter("password", "password"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("/"); - } - - @Test - public void readmeSampleWhenRequestSecureResourceThenRedirectToLogin() throws Exception { - this.spring.register(SampleWebSecurityConfigurerAdapter.class).autowire(); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("http://localhost/login"); - } - - @Test - public void readmeSampleWhenRequestLoginWithoutCredentialsThenRedirectToLogin() throws Exception { - this.spring.register(SampleWebSecurityConfigurerAdapter.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("/login?error"); - } - - @Test - public void readmeSampleWhenRequestLoginWithValidCredentialsThenRedirectToIndex() throws Exception { - this.spring.register(SampleWebSecurityConfigurerAdapter.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.request.addParameter("username", "user"); - this.request.addParameter("password", "password"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - 
assertThat(this.response.getRedirectedUrl()).isEqualTo("/"); - } - - @Test - public void multiHttpSampleWhenRequestSecureResourceThenRedirectToLogin() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("http://localhost/login"); - } - - @Test - public void multiHttpSampleWhenRequestLoginWithoutCredentialsThenRedirectToLogin() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("/login?error"); - } - - @Test - public void multiHttpSampleWhenRequestLoginWithValidCredentialsThenRedirectToIndex() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - this.request.setServletPath("/login"); - this.request.setMethod("POST"); - this.request.addParameter("username", "user"); - this.request.addParameter("password", "password"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getRedirectedUrl()).isEqualTo("/"); - } - - @Test - public void multiHttpSampleWhenRequestProtectedResourceThenStatusUnauthorized() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - this.request.setServletPath("/api/admin/test"); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED); - } - - @Test - public void multiHttpSampleWhenRequestAdminResourceWithRegularUserThenStatusForbidden() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - 
this.request.setServletPath("/api/admin/test"); - this.request.addHeader("Authorization", - "Basic " + Base64.getEncoder().encodeToString("user:password".getBytes())); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN); - } - - @Test - public void multiHttpSampleWhenRequestAdminResourceWithAdminUserThenStatusOk() throws Exception { - this.spring.register(SampleMultiHttpSecurityConfig.class).autowire(); - this.request.setServletPath("/api/admin/test"); - this.request.addHeader("Authorization", - "Basic " + Base64.getEncoder().encodeToString("admin:password".getBytes())); - this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain); - assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); - } - - /** - *
-	 *   <http>
-	 *     <intercept-url pattern="/resources/**" access="permitAll"/>
-	 *     <intercept-url pattern="/**" access="authenticated"/>
-	 *     <logout
-	 *         logout-success-url="/login?logout"
-	 *         logout-url="/logout"
-	 *     <form-login
-	 *         authentication-failure-url="/login?error"
-	 *         login-page="/login" <!-- Except Spring Security renders the login page -->
-	 *         login-processing-url="/login" <!-- but only POST -->
-	 *         password-parameter="password"
-	 *         username-parameter="username"
-	 *     />
-	 *   </http>
-	 *   <authentication-manager>
-	 *     <authentication-provider>
-	 *       <user-service>
-	 *         <user username="user" password="password" authorities="ROLE_USER"/>
-	 *       </user-service>
-	 *     </authentication-provider>
-	 *   </authentication-manager>
-	 * 
- * - * @author Rob Winch - */ - @Configuration - @EnableWebSecurity - public static class HelloWorldWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - } - - /** - *
-	 *   <http security="none" pattern="/resources/**"/>
-	 *   <http>
-	 *     <intercept-url pattern="/logout" access="permitAll"/>
-	 *     <intercept-url pattern="/login" access="permitAll"/>
-	 *     <intercept-url pattern="/signup" access="permitAll"/>
-	 *     <intercept-url pattern="/about" access="permitAll"/>
-	 *     <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
-	 *     <logout
-	 *         logout-success-url="/login?logout"
-	 *         logout-url="/logout"
-	 *     <form-login
-	 *         authentication-failure-url="/login?error"
-	 *         login-page="/login"
-	 *         login-processing-url="/login" <!-- but only POST -->
-	 *         password-parameter="password"
-	 *         username-parameter="username"
-	 *     />
-	 *   </http>
-	 *   <authentication-manager>
-	 *     <authentication-provider>
-	 *       <user-service>
-	 *         <user username="user" password="password" authorities="ROLE_USER"/>
-	 *         <user username="admin" password="password" authorities=
-	"ROLE_USER,ROLE_ADMIN"/>
-	 *       </user-service>
-	 *     </authentication-provider>
-	 *   </authentication-manager>
-	 * 
- * - * @author Rob Winch - */ - @Configuration - @EnableWebSecurity - public static class SampleWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { - - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/resources/**"); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .antMatchers("/signup", "/about").permitAll() - .anyRequest().hasRole("USER") - .and() - .formLogin() - .loginPage("/login") - // set permitAll for all URLs associated with Form Login - .permitAll(); - // @formatter:on - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()) - .withUser(PasswordEncodedUser.admin()); - // @formatter:on - } - - } - - /** - * - * <http security="none" pattern="/resources/**"/> - * <http pattern="/api/**"> - * <intercept-url pattern="/api/admin/**" access="hasRole('ROLE_ADMIN')"/> - * <intercept-url pattern="/api/**" access="hasRole('ROLE_USER')"/> - * <http-basic /> - * </http> - * <http> - * <intercept-url pattern="/logout" access="permitAll"/> - * <intercept-url pattern="/login" access="permitAll"/> - * <intercept-url pattern="/signup" access="permitAll"/> - * <intercept-url pattern="/about" access="permitAll"/> - * <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> - * <logout - * logout-success-url="/login?logout" - * logout-url="/logout" - * <form-login - * authentication-failure-url="/login?error" - * login-page="/login" - * login-processing-url="/login" <!-- but only POST --> - * password-parameter="password" - * username-parameter="username" - * /> - * </http> - * <authentication-manager> - * <authentication-provider> - * <user-service> - * <user username="user" password="password" authorities="ROLE_USER"/> - * <user username="admin" password="password" authorities= - 
"ROLE_USER,ROLE_ADMIN"/> - * </user-service> - * </authentication-provider> - * </authentication-manager> - * - * - * @author Rob Winch - */ - @Configuration - @EnableWebSecurity - public static class SampleMultiHttpSecurityConfig { - - @Autowired - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()) - .withUser(PasswordEncodedUser.admin()); - // @formatter:on - } - - @Configuration - @Order(1) - public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/api/**") - .authorizeRequests() - .antMatchers("/api/admin/**").hasRole("ADMIN") - .antMatchers("/api/**").hasRole("USER") - .and() - .httpBasic(); - // @formatter:on - } - - } - - @Configuration - public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { - - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/resources/**"); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .antMatchers("/signup", "/about").permitAll() - .anyRequest().hasRole("USER") - .and() - .formLogin() - .loginPage("/login") - .permitAll(); - // @formatter:on - } - - } - - } - -} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterMockitoTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterMockitoTests.java deleted file mode 100644 index 9b24d24f33..0000000000 --- a/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterMockitoTests.java +++ /dev/null 
@@ -1,161 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web; - -import java.util.Arrays; - -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.ArgumentCaptor; -import org.mockito.Mock; -import org.mockito.MockedStatic; -import org.mockito.junit.jupiter.MockitoExtension; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.core.io.support.SpringFactoriesLoader; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; -import org.springframework.security.config.test.SpringTestContext; -import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.security.core.userdetails.PasswordEncodedUser; -import 
org.springframework.security.web.context.request.async.SecurityContextCallableProcessingInterceptor; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.web.context.ConfigurableWebApplicationContext; -import org.springframework.web.context.request.async.CallableProcessingInterceptor; -import org.springframework.web.context.request.async.WebAsyncManager; -import org.springframework.web.context.request.async.WebAsyncUtils; -import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.atLeastOnce; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; - -/** - * @author Rob Winch - * - */ -@ExtendWith({ MockitoExtension.class, SpringTestContextExtension.class }) -public class WebSecurityConfigurerAdapterMockitoTests { - - ConfigurableWebApplicationContext context; - - public final SpringTestContext spring = new SpringTestContext(this); - - @Autowired - private MockMvc mockMvc; - - @Mock - private MockedStatic springFactoriesLoader; - - @AfterEach - public void close() { - if (this.context != null) { - this.context.close(); - } - } - - @Test - public void loadConfigWhenDefaultConfigurerAsSpringFactoryhenDefaultConfigurerApplied() { - DefaultConfigurer configurer = new DefaultConfigurer(); - this.springFactoriesLoader.when( - () -> SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, getClass().getClassLoader())) - .thenReturn(Arrays.asList(configurer)); - loadConfig(Config.class); - assertThat(configurer.init).isTrue(); - assertThat(configurer.configure).isTrue(); - } - - @Test - public void loadConfigWhenDefaultConfigThenWebAsyncManagerIntegrationFilterAdded() throws Exception { - 
this.spring.register(WebAsyncPopulatedByDefaultConfig.class).autowire(); - WebAsyncManager webAsyncManager = mock(WebAsyncManager.class); - this.mockMvc.perform(get("/").requestAttr(WebAsyncUtils.WEB_ASYNC_MANAGER_ATTRIBUTE, webAsyncManager)); - ArgumentCaptor callableProcessingInterceptorArgCaptor = ArgumentCaptor - .forClass(CallableProcessingInterceptor.class); - verify(webAsyncManager, atLeastOnce()).registerCallableInterceptor(any(), - callableProcessingInterceptorArgCaptor.capture()); - CallableProcessingInterceptor callableProcessingInterceptor = callableProcessingInterceptorArgCaptor - .getAllValues().stream() - .filter((e) -> SecurityContextCallableProcessingInterceptor.class.isAssignableFrom(e.getClass())) - .findFirst().orElse(null); - assertThat(callableProcessingInterceptor).isNotNull(); - } - - private void loadConfig(Class... classes) { - AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext(); - context.setClassLoader(getClass().getClassLoader()); - context.register(classes); - context.refresh(); - this.context = context; - } - - @Configuration - @EnableWebSecurity - static class Config extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) { - } - - } - - static class DefaultConfigurer extends AbstractHttpConfigurer { - - boolean init; - - boolean configure; - - @Override - public void init(HttpSecurity builder) { - this.init = true; - } - - @Override - public void configure(HttpSecurity builder) { - this.configure = true; - } - - } - - @Configuration - @EnableWebSecurity - static class WebAsyncPopulatedByDefaultConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Override - protected void configure(HttpSecurity http) { - } - - } - -} 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.java
deleted file mode 100644
index 6504161077..0000000000
--- a/config/src/test/java/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.java
+++ /dev/null
@@ -1,450 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; - -import jakarta.servlet.FilterChain; -import jakarta.servlet.ServletException; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; -import org.springframework.context.ApplicationListener; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.core.annotation.AnnotationAwareOrderComparator; -import org.springframework.core.annotation.Order; -import org.springframework.security.authentication.AuthenticationEventPublisher; -import org.springframework.security.authentication.AuthenticationTrustResolver; -import org.springframework.security.authentication.event.AuthenticationSuccessEvent; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import 
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.test.SpringTestContext; -import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.core.userdetails.PasswordEncodedUser; -import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.core.userdetails.UsernameNotFoundException; -import org.springframework.security.provisioning.InMemoryUserDetailsManager; -import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; -import org.springframework.web.accept.ContentNegotiationStrategy; -import org.springframework.web.accept.HeaderContentNegotiationStrategy; -import org.springframework.web.filter.OncePerRequestFilter; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatExceptionOfType; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; -import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin; -import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; - -/** - * Tests for {@link 
WebSecurityConfigurerAdapter}. - * - * @author Rob Winch - * @author Joe Grandja - */ -@ExtendWith(SpringTestContextExtension.class) -public class WebSecurityConfigurerAdapterTests { - - public final SpringTestContext spring = new SpringTestContext(this); - - @Autowired - private MockMvc mockMvc; - - @Test - public void loadConfigWhenRequestSecureThenDefaultSecurityHeadersReturned() throws Exception { - this.spring.register(HeadersArePopulatedByDefaultConfig.class).autowire(); - // @formatter:off - this.mockMvc.perform(get("/").secure(true)) - .andExpect(header().string("X-Content-Type-Options", "nosniff")) - .andExpect(header().string("X-Frame-Options", "DENY")) - .andExpect(header().string("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains")) - .andExpect(header().string("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate")) - .andExpect(header().string("Pragma", "no-cache")).andExpect(header().string("Expires", "0")) - .andExpect(header().string("X-XSS-Protection", "1; mode=block")); - // @formatter:on - } - - @Test - public void loadConfigWhenRequestAuthenticateThenAuthenticationEventPublished() throws Exception { - this.spring.register(InMemoryAuthWithWebSecurityConfigurerAdapter.class).autowire(); - this.mockMvc.perform(formLogin()).andExpect(status().is3xxRedirection()); - assertThat(InMemoryAuthWithWebSecurityConfigurerAdapter.EVENTS).isNotEmpty(); - assertThat(InMemoryAuthWithWebSecurityConfigurerAdapter.EVENTS).hasSize(1); - } - - @Test - public void loadConfigWhenInMemoryConfigureProtectedThenPasswordUpgraded() throws Exception { - this.spring.register(InMemoryConfigureProtectedConfig.class).autowire(); - this.mockMvc.perform(formLogin()).andExpect(status().is3xxRedirection()); - UserDetailsService uds = this.spring.getContext().getBean(UserDetailsService.class); - assertThat(uds.loadUserByUsername("user").getPassword()).startsWith("{bcrypt}"); - } - - @Test - public void 
loadConfigWhenInMemoryConfigureGlobalThenPasswordUpgraded() throws Exception { - this.spring.register(InMemoryConfigureGlobalConfig.class).autowire(); - this.mockMvc.perform(formLogin()).andExpect(status().is3xxRedirection()); - UserDetailsService uds = this.spring.getContext().getBean(UserDetailsService.class); - assertThat(uds.loadUserByUsername("user").getPassword()).startsWith("{bcrypt}"); - } - - @Test - public void loadConfigWhenCustomContentNegotiationStrategyBeanThenOverridesDefault() { - OverrideContentNegotiationStrategySharedObjectConfig.CONTENT_NEGOTIATION_STRATEGY_BEAN = mock( - ContentNegotiationStrategy.class); - this.spring.register(OverrideContentNegotiationStrategySharedObjectConfig.class).autowire(); - OverrideContentNegotiationStrategySharedObjectConfig securityConfig = this.spring.getContext() - .getBean(OverrideContentNegotiationStrategySharedObjectConfig.class); - assertThat(securityConfig.contentNegotiationStrategySharedObject).isNotNull(); - assertThat(securityConfig.contentNegotiationStrategySharedObject) - .isSameAs(OverrideContentNegotiationStrategySharedObjectConfig.CONTENT_NEGOTIATION_STRATEGY_BEAN); - } - - @Test - public void loadConfigWhenDefaultContentNegotiationStrategyThenHeaderContentNegotiationStrategy() { - this.spring.register(ContentNegotiationStrategyDefaultSharedObjectConfig.class).autowire(); - ContentNegotiationStrategyDefaultSharedObjectConfig securityConfig = this.spring.getContext() - .getBean(ContentNegotiationStrategyDefaultSharedObjectConfig.class); - assertThat(securityConfig.contentNegotiationStrategySharedObject).isNotNull(); - assertThat(securityConfig.contentNegotiationStrategySharedObject) - .isInstanceOf(HeaderContentNegotiationStrategy.class); - } - - @Test - public void loadConfigWhenUserDetailsServiceHasCircularReferenceThenStillLoads() { - this.spring.register(RequiresUserDetailsServiceConfig.class, UserDetailsServiceConfig.class).autowire(); - MyFilter myFilter = 
this.spring.getContext().getBean(MyFilter.class); - myFilter.userDetailsService.loadUserByUsername("user"); - assertThatExceptionOfType(UsernameNotFoundException.class) - .isThrownBy(() -> myFilter.userDetailsService.loadUserByUsername("admin")); - } - - // SEC-2274: WebSecurityConfigurer adds ApplicationContext as a shared object - @Test - public void loadConfigWhenSharedObjectsCreatedThenApplicationContextAdded() { - this.spring.register(ApplicationContextSharedObjectConfig.class).autowire(); - ApplicationContextSharedObjectConfig securityConfig = this.spring.getContext() - .getBean(ApplicationContextSharedObjectConfig.class); - assertThat(securityConfig.applicationContextSharedObject).isNotNull(); - assertThat(securityConfig.applicationContextSharedObject).isSameAs(this.spring.getContext()); - } - - @Test - public void loadConfigWhenCustomAuthenticationTrustResolverBeanThenOverridesDefault() { - CustomTrustResolverConfig.AUTHENTICATION_TRUST_RESOLVER_BEAN = mock(AuthenticationTrustResolver.class); - this.spring.register(CustomTrustResolverConfig.class).autowire(); - CustomTrustResolverConfig securityConfig = this.spring.getContext().getBean(CustomTrustResolverConfig.class); - assertThat(securityConfig.authenticationTrustResolverSharedObject).isNotNull(); - assertThat(securityConfig.authenticationTrustResolverSharedObject) - .isSameAs(CustomTrustResolverConfig.AUTHENTICATION_TRUST_RESOLVER_BEAN); - } - - @Test - public void compareOrderWebSecurityConfigurerAdapterWhenLowestOrderToDefaultOrderThenGreaterThanZero() { - AnnotationAwareOrderComparator comparator = new AnnotationAwareOrderComparator(); - assertThat(comparator.compare(new LowestPriorityWebSecurityConfig(), new DefaultOrderWebSecurityConfig())) - .isGreaterThan(0); - } - - // gh-7515 - @Test - public void performWhenUsingAuthenticationEventPublisherBeanThenUses() throws Exception { - this.spring.register(CustomAuthenticationEventPublisherBean.class).autowire(); - AuthenticationEventPublisher 
authenticationEventPublisher = this.spring.getContext() - .getBean(AuthenticationEventPublisher.class); - this.mockMvc.perform(get("/").with(httpBasic("user", "password"))); - verify(authenticationEventPublisher).publishAuthenticationSuccess(any(Authentication.class)); - } - - // gh-4400 - @Test - public void performWhenUsingAuthenticationEventPublisherInDslThenUses() throws Exception { - this.spring.register(CustomAuthenticationEventPublisherDsl.class).autowire(); - AuthenticationEventPublisher authenticationEventPublisher = CustomAuthenticationEventPublisherDsl.EVENT_PUBLISHER; - MockHttpServletRequestBuilder userRequest = get("/").with(httpBasic("user", "password")); - // fails since no providers configured - this.mockMvc.perform(userRequest); - verify(authenticationEventPublisher).publishAuthenticationFailure(any(AuthenticationException.class), - any(Authentication.class)); - } - - @Configuration - @EnableWebSecurity - static class HeadersArePopulatedByDefaultConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Override - protected void configure(HttpSecurity http) { - } - - } - - @Configuration - @EnableWebSecurity - static class InMemoryAuthWithWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter - implements ApplicationListener { - - static List EVENTS = new ArrayList<>(); - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Override - public void onApplicationEvent(AuthenticationSuccessEvent event) { - EVENTS.add(event); - } - - } - - @Configuration - @EnableWebSecurity - static class InMemoryConfigureProtectedConfig extends WebSecurityConfigurerAdapter { - - @Override - 
protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Override - @Bean - public UserDetailsService userDetailsServiceBean() throws Exception { - return super.userDetailsServiceBean(); - } - - } - - @Configuration - @EnableWebSecurity - static class InMemoryConfigureGlobalConfig extends WebSecurityConfigurerAdapter { - - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Override - @Bean - public UserDetailsService userDetailsServiceBean() throws Exception { - return super.userDetailsServiceBean(); - } - - } - - @Configuration - @EnableWebSecurity - static class OverrideContentNegotiationStrategySharedObjectConfig extends WebSecurityConfigurerAdapter { - - static ContentNegotiationStrategy CONTENT_NEGOTIATION_STRATEGY_BEAN; - - private ContentNegotiationStrategy contentNegotiationStrategySharedObject; - - @Bean - ContentNegotiationStrategy contentNegotiationStrategy() { - return CONTENT_NEGOTIATION_STRATEGY_BEAN; - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - this.contentNegotiationStrategySharedObject = http.getSharedObject(ContentNegotiationStrategy.class); - super.configure(http); - } - - } - - @Configuration - @EnableWebSecurity - static class ContentNegotiationStrategyDefaultSharedObjectConfig extends WebSecurityConfigurerAdapter { - - private ContentNegotiationStrategy contentNegotiationStrategySharedObject; - - @Override - protected void configure(HttpSecurity http) throws Exception { - this.contentNegotiationStrategySharedObject = http.getSharedObject(ContentNegotiationStrategy.class); - super.configure(http); - } - - } - - @Configuration - static class RequiresUserDetailsServiceConfig { - - @Bean - MyFilter 
myFilter(UserDetailsService userDetailsService) { - return new MyFilter(userDetailsService); - } - - } - - @Configuration - @EnableWebSecurity - static class UserDetailsServiceConfig extends WebSecurityConfigurerAdapter { - - @Autowired - private MyFilter myFilter; - - @Bean - @Override - public UserDetailsService userDetailsServiceBean() throws Exception { - return super.userDetailsServiceBean(); - } - - @Override - public void configure(HttpSecurity http) { - http.addFilterBefore(this.myFilter, UsernamePasswordAuthenticationFilter.class); - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - } - - static class MyFilter extends OncePerRequestFilter { - - private UserDetailsService userDetailsService; - - MyFilter(UserDetailsService userDetailsService) { - this.userDetailsService = userDetailsService; - } - - @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, - FilterChain filterChain) throws ServletException, IOException { - filterChain.doFilter(request, response); - } - - } - - @Configuration - @EnableWebSecurity - static class ApplicationContextSharedObjectConfig extends WebSecurityConfigurerAdapter { - - private ApplicationContext applicationContextSharedObject; - - @Override - protected void configure(HttpSecurity http) throws Exception { - this.applicationContextSharedObject = http.getSharedObject(ApplicationContext.class); - super.configure(http); - } - - } - - @Configuration - @EnableWebSecurity - static class CustomTrustResolverConfig extends WebSecurityConfigurerAdapter { - - static AuthenticationTrustResolver AUTHENTICATION_TRUST_RESOLVER_BEAN; - - private AuthenticationTrustResolver authenticationTrustResolverSharedObject; - - @Bean - AuthenticationTrustResolver authenticationTrustResolver() { - return AUTHENTICATION_TRUST_RESOLVER_BEAN; 
- }
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- this.authenticationTrustResolverSharedObject = http.getSharedObject(AuthenticationTrustResolver.class);
- super.configure(http);
- }
-
- }
-
- static class DefaultOrderWebSecurityConfig extends WebSecurityConfigurerAdapter {
-
- }
-
- @Order
- static class LowestPriorityWebSecurityConfig extends WebSecurityConfigurerAdapter {
-
- }
-
- @Configuration
- @EnableWebSecurity
- static class CustomAuthenticationEventPublisherBean extends WebSecurityConfigurerAdapter {
-
- @Bean
- @Override
- public UserDetailsService userDetailsService() {
- return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
- }
-
- @Bean
- AuthenticationEventPublisher authenticationEventPublisher() {
- return mock(AuthenticationEventPublisher.class);
- }
-
- }
-
- @Configuration
- @EnableWebSecurity
- static class CustomAuthenticationEventPublisherDsl extends WebSecurityConfigurerAdapter {
-
- static AuthenticationEventPublisher EVENT_PUBLISHER = mock(AuthenticationEventPublisher.class);
-
- @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- auth.authenticationEventPublisher(EVENT_PUBLISHER);
- }
-
- }
-
-}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java
index 84d97445b7..fea8cafed9 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -27,13 +27,15 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -75,23 +77,20 @@ public class HttpConfigurationTests {
 @Configuration
 @EnableWebSecurity
- static class UnregisteredFilterConfig extends WebSecurityConfigurerAdapter {
+ static class UnregisteredFilterConfig {
- @Override
- protected void configure(HttpSecurity http) {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .addFilter(new UnregisteredFilter());
 // @formatter:on
+ return http.build();
 }
- @Override
- protected void configure(AuthenticationManagerBuilder auth) throws Exception {
- // @formatter:off
- auth
- .inMemoryAuthentication()
- .withUser(PasswordEncodedUser.user());
- // @formatter:on
+ @Bean
+ UserDetailsService userDetailsService() {
+ return new InMemoryUserDetailsManager(PasswordEncodedUser.user());
 }
 }
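Review bot: The migrated `filterChain` bean in `UnregisteredFilterConfig` (hunk `@@ -75,23 +77,20 @@`) has no comment saying that the failure is the purpose of this configuration, which is easy to miss now that it reads like an ordinary `SecurityFilterChain` declaration. Going by the class name, `UnregisteredFilter` has no registered position in the filter order, so `addFilter` is expected to reject it; a line above the call such as `// UnregisteredFilter has no registered order; addFilter(...) is expected to fail` would make that explicit. The test that registers this class is outside the hunk, so confirm its assertion still matches now that the error surfaces from a `@Bean` method rather than from `configure(HttpSecurity)`.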
@@ -108,10 +107,10 @@ public class HttpConfigurationTests { @Configuration @EnableWebSecurity - static class RequestMatcherRegistryConfigs extends WebSecurityConfigurerAdapter { + static class RequestMatcherRegistryConfigs { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() @@ -122,6 +121,7 @@ public class HttpConfigurationTests { .antMatchers("/**").hasRole("USER") .and() .httpBasic(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java index d4ae8f585c..83a1a66886 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,7 +32,6 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.FilterChainProxy; 
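Review bot: In `RequestMatcherRegistryConfigs.filterChain`, the added `return http.build();` sits before `// @formatter:on`, so the return statement falls inside the formatter-off region. `UnregisteredFilterConfig` in the same file puts it after the marker, which keeps the suppressed region limited to the fluent chain. I would move the line below `// @formatter:on` here, and likewise in the `HttpSecurityAddFilterTest` and `NamespaceHttpTests` hunks that use the same placement. The method begins in the preceding hunk and the class body continues outside this one.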
@@ -154,14 +153,15 @@ public class HttpSecurityAddFilterTest { @Configuration @EnableWebSecurity - static class MyFilterMultipleAfterConfig extends WebSecurityConfigurerAdapter { + static class MyFilterMultipleAfterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilterAfter(new MyFilter(), WebAsyncManagerIntegrationFilter.class) .addFilterAfter(new MyFilter(), ExceptionTranslationFilter.class); + return http.build(); // @formatter:on } @@ -169,14 +169,15 @@ public class HttpSecurityAddFilterTest { @Configuration @EnableWebSecurity - static class MyFilterMultipleBeforeConfig extends WebSecurityConfigurerAdapter { + static class MyFilterMultipleBeforeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilterBefore(new MyFilter(), WebAsyncManagerIntegrationFilter.class) .addFilterBefore(new MyFilter(), ExceptionTranslationFilter.class); + return http.build(); // @formatter:on } @@ -184,14 +185,15 @@ public class HttpSecurityAddFilterTest { @Configuration @EnableWebSecurity - static class MyFilterMultipleAtConfig extends WebSecurityConfigurerAdapter { + static class MyFilterMultipleAtConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilterAt(new MyFilter(), ChannelProcessingFilter.class) .addFilterAt(new MyFilter(), UsernamePasswordAuthenticationFilter.class); + return http.build(); // @formatter:on } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java index 0835a65700..384e954e8f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAuthenticationManagerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,15 +20,15 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import static org.mockito.ArgumentMatchers.any; 
@@ -76,12 +76,12 @@ public class HttpSecurityAuthenticationManagerTests { @Configuration @EnableWebSecurity - static class AuthenticationManagerConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationManagerConfig { static final AuthenticationManager AUTHENTICATION_MANAGER = mock(AuthenticationManager.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authz) -> authz @@ -89,6 +89,7 @@ public class HttpSecurityAuthenticationManagerTests { ) .httpBasic(withDefaults()) .authenticationManager(AUTHENTICATION_MANAGER); + return http.build(); // @formatter:on } @@ -96,13 +97,13 @@ public class HttpSecurityAuthenticationManagerTests { @Configuration @EnableWebSecurity - static class AuthenticationManagerBuilderConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationManagerBuilderConfig { static final AuthenticationManager AUTHENTICATION_MANAGER = mock(AuthenticationManager.class); static final UserDetailsService USER_DETAILS_SERVICE = mock(UserDetailsService.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authz) -> authz @@ -111,11 +112,12 @@ public class HttpSecurityAuthenticationManagerTests { .httpBasic(withDefaults()) .authenticationManager(AUTHENTICATION_MANAGER); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.userDetailsService(USER_DETAILS_SERVICE); + @Bean + UserDetailsService userDetailsService() { + return USER_DETAILS_SERVICE; } } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java index ecf82cee88..00b7aeeafc 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,23 +25,28 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.DependsOn; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.jaas.JaasAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.FilterInvocation; +import org.springframework.security.web.SecurityFilterChain; import 
org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource; import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; @@ -278,17 +283,18 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class AccessDecisionManagerRefConfig extends WebSecurityConfigurerAdapter { + static class AccessDecisionManagerRefConfig { static AccessDecisionManager ACCESS_DECISION_MANAGER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().permitAll() .accessDecisionManager(ACCESS_DECISION_MANAGER); + return http.build(); // @formatter:on } @@ -296,10 +302,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class AccessDeniedPageConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedPageConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -308,6 +314,7 @@ public class NamespaceHttpTests { .and() .exceptionHandling() .accessDeniedPage("/AccessDeniedPage"); + return http.build(); // @formatter:on } 
@@ -315,23 +322,24 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class AuthenticationManagerRefConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationManagerRefConfig { static AuthenticationManager AUTHENTICATION_MANAGER; - @Override - protected AuthenticationManager authenticationManager() { + @Bean + AuthenticationManager authenticationManager() { return AUTHENTICATION_MANAGER; } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin(); + return http.build(); // @formatter:on } @@ -339,10 +347,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class CreateSessionAlwaysConfig extends WebSecurityConfigurerAdapter { + static class CreateSessionAlwaysConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -350,6 +358,7 @@ public class NamespaceHttpTests { .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.ALWAYS); + return http.build(); // @formatter:on } @@ -357,10 +366,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class CreateSessionStatelessConfig extends WebSecurityConfigurerAdapter { + static class CreateSessionStatelessConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -368,6 +377,7 @@ public class NamespaceHttpTests { .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); + return http.build(); // @formatter:on } 
@@ -375,10 +385,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class IfRequiredConfig extends WebSecurityConfigurerAdapter { + static class IfRequiredConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -389,6 +399,7 @@ public class NamespaceHttpTests { .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .and() .formLogin(); + return http.build(); // @formatter:on } @@ -396,10 +407,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class CreateSessionNeverConfig extends WebSecurityConfigurerAdapter { + static class CreateSessionNeverConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -407,6 +418,7 @@ public class NamespaceHttpTests { .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.NEVER); + return http.build(); // @formatter:on } @@ -414,10 +426,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class EntryPointRefConfig extends WebSecurityConfigurerAdapter { + static class EntryPointRefConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -427,6 +439,7 @@ public class NamespaceHttpTests { .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/entry-point")) .and() .formLogin(); + return http.build(); // @formatter:on } 
@@ -434,13 +447,14 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class JaasApiProvisionConfig extends WebSecurityConfigurerAdapter { + static class JaasApiProvisionConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilter(new JaasApiIntegrationFilter()); + return http.build(); // @formatter:on } @@ -448,10 +462,10 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class RealmConfig extends WebSecurityConfigurerAdapter { + static class RealmConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -459,6 +473,7 @@ public class NamespaceHttpTests { .and() .httpBasic() .realmName("RealmConfig"); + return http.build(); // @formatter:on } @@ -466,13 +481,14 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class RequestMatcherAntConfig extends WebSecurityConfigurerAdapter { + static class RequestMatcherAntConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .antMatcher("/api/**"); + return http.build(); // @formatter:on } @@ -480,13 +496,14 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class RequestMatcherRegexConfig extends WebSecurityConfigurerAdapter { + static class RequestMatcherRegexConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .regexMatcher("/regex/.*"); + return http.build(); // @formatter:on } 
@@ -494,13 +511,14 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class RequestMatcherRefConfig extends WebSecurityConfigurerAdapter { + static class RequestMatcherRefConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatcher(new MyRequestMatcher()); + return http.build(); // @formatter:on } @@ -517,25 +535,26 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class SecurityNoneConfig extends WebSecurityConfigurerAdapter { + static class SecurityNoneConfig { - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/resources/**", "/public/**"); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().antMatchers("/resources/**", "/public/**"); } - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } @Configuration @EnableWebSecurity - static class SecurityContextRepoConfig extends WebSecurityConfigurerAdapter { + static class SecurityContextRepoConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -546,25 +565,22 @@ public class NamespaceHttpTests { .and() .formLogin(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class ServletApiProvisionConfig extends WebSecurityConfigurerAdapter { + static class ServletApiProvisionConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -572,6 +588,7 @@ public class NamespaceHttpTests { .and() .servletApi() .disable(); + return http.build(); // @formatter:on } @@ -579,14 +596,15 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class ServletApiProvisionDefaultsConfig extends WebSecurityConfigurerAdapter { + static class ServletApiProvisionDefaultsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().permitAll(); + return http.build(); // @formatter:on } 
@@ -607,27 +625,31 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class UseExpressionsConfig extends WebSecurityConfigurerAdapter { + static class UseExpressionsConfig { private Class filterInvocationSecurityMetadataSourceType; - @Override - protected void configure(HttpSecurity http) throws Exception { + private HttpSecurity httpSecurity; + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/users**", "/sessions/**").hasRole("USER") .antMatchers("/signup").permitAll() .anyRequest().hasRole("USER"); + this.httpSecurity = http; + return http.build(); // @formatter:on } - @Override - public void init(final WebSecurity web) throws Exception { - super.init(web); - final HttpSecurity http = this.getHttp(); - web.postBuildAction(() -> { - FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class); + @Bean + @DependsOn("filterChain") + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.postBuildAction(() -> { + FilterSecurityInterceptor securityInterceptor = this.httpSecurity + .getSharedObject(FilterSecurityInterceptor.class); UseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor .getSecurityMetadataSource().getClass(); }); 
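Review bot: In `UseExpressionsConfig`, the new `httpSecurity` field is assigned in `filterChain(...)` and only read later inside the `postBuildAction` lambda, so the test now relies on `@DependsOn("filterChain")` and bean-creation order to avoid dereferencing a null field. Because `http.build()` has already run before `filterChain` returns, the metadata-source type could probably be captured there instead: `SecurityFilterChain chain = http.build();` followed by `this.filterInvocationSecurityMetadataSourceType = http.getSharedObject(FilterSecurityInterceptor.class).getSecurityMetadataSource().getClass();`. That would make the extra field, the `WebSecurityCustomizer` bean and `@DependsOn` unnecessary, assuming the interceptor is published as a shared object during the build, which should be confirmed. `DisableUseExpressionsConfig` in the next hunk follows the same pattern. Both class bodies continue outside their hunks.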
@@ -637,27 +659,31 @@ public class NamespaceHttpTests { @Configuration @EnableWebSecurity - static class DisableUseExpressionsConfig extends WebSecurityConfigurerAdapter { + static class DisableUseExpressionsConfig { private Class filterInvocationSecurityMetadataSourceType; - @Override - protected void configure(HttpSecurity http) throws Exception { + private HttpSecurity httpSecurity; + + @Bean + SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception { // @formatter:off http - .apply(new UrlAuthorizationConfigurer<>(getApplicationContext())).getRegistry() + .apply(new UrlAuthorizationConfigurer<>(context)).getRegistry() .antMatchers("/users**", "/sessions/**").hasRole("USER") .antMatchers("/signup").hasRole("ANONYMOUS") .anyRequest().hasRole("USER"); + this.httpSecurity = http; + return http.build(); // @formatter:on } - @Override - public void init(final WebSecurity web) throws Exception { - super.init(web); - final HttpSecurity http = this.getHttp(); - web.postBuildAction(() -> { - FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class); + @Bean + @DependsOn("filterChain") + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.postBuildAction(() -> { + FilterSecurityInterceptor securityInterceptor = this.httpSecurity + .getSharedObject(FilterSecurityInterceptor.class); DisableUseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType = securityInterceptor .getSecurityMetadataSource().getClass(); }); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/TestHttpSecurity.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/TestHttpSecurity.java new file mode 100644 index 0000000000..7c3013e1e3 --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/TestHttpSecurity.java 
@@ -0,0 +1,40 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.config.annotation.web.builders; + +import java.util.List; + +import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer; +import org.springframework.test.util.ReflectionTestUtils; + +public final class TestHttpSecurity { + + private TestHttpSecurity() { + + } + + public static void disableDefaults(HttpSecurity http) throws Exception { + List orderedFilters = (List) ReflectionTestUtils.getField(http, "filters"); + orderedFilters.clear(); + http.csrf((c) -> c.disable()).exceptionHandling((c) -> c.disable()).headers((c) -> c.disable()) + .sessionManagement((c) -> c.disable()).securityContext((c) -> c.disable()) + .requestCache((c) -> c.disable()).anonymous((c) -> c.disable()).servletApi((c) -> c.disable()) + .removeConfigurer(DefaultLoginPageConfigurer.class); + http.logout((c) -> c.disable()); + } + +} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java index fcb394bee9..a6f9c37eb5 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java 
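Review bot: `TestHttpSecurity.disableDefaults` is a public helper with no Javadoc, although it clears the builder's filter list by reflection and disables CSRF, exception handling, headers, session management, security context, request cache, anonymous, servlet API, the default login page and logout. A class-level comment would make the intent explicit, for example `/** Test-only helper that strips every default HttpSecurity protection so a test can assert on exactly what it configures; never use outside tests. */`. I would also add a short comment beside `ReflectionTestUtils.getField(http, "filters")` noting that the helper is coupled to a field of `HttpSecurity` looked up by name, so a rename there breaks it.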
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,16 +25,20 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpStatus; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletContext; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; +import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; 
@@ -140,33 +144,27 @@ public class WebSecurityTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherConfig { - @Override - public void configure(WebSecurity web) { - // @formatter:off - web - .ignoring() - .mvcMatchers("/path"); - // @formatter:on + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().mvcMatchers("/path"); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @RestController 
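Review bot: The new `userDetailsService()` bean in `MvcMatcherConfig` registers `PasswordEncodedUser.user()`, whereas the removed `configure(AuthenticationManagerBuilder)` called `auth.inMemoryAuthentication()` with no users. The migrated configuration therefore carries a valid test credential that the original did not. With `anyRequest().denyAll()` this probably changes no assertion, but for a like-for-like migration `return new InMemoryUserDetailsManager();` keeps the user store empty. The same substitution is made in `MvcMatcherServletPathConfig` in the next hunk and in `Config` of `AuthenticationPrincipalArgumentResolverTests`. The class body continues outside the hunk.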
@@ -184,34 +182,27 @@ public class WebSecurityTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherServletPathConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherServletPathConfig { - @Override - public void configure(WebSecurity web) { - // @formatter:off - web - .ignoring() - .mvcMatchers("/path").servletPath("/spring") - .mvcMatchers("/notused"); - // @formatter:on + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().mvcMatchers("/path").servletPath("/spring").mvcMatchers("/notused"); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @RestController @@ -239,11 +230,12 @@ public class WebSecurityTests { @Configuration @EnableWebSecurity - static class RequestRejectedHandlerConfig extends WebSecurityConfigurerAdapter { + static class RequestRejectedHandlerConfig { - @Override - public void configure(WebSecurity web) throws Exception { - web.requestRejectedHandler(new HttpStatusRequestRejectedHandler(HttpStatus.BAD_REQUEST.value())); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web + .requestRejectedHandler(new HttpStatusRequestRejectedHandler(HttpStatus.BAD_REQUEST.value())); } } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java index 0e53b9bb33..ce702302f0 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java @@ -24,12 +24,14 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -81,28 +83,35 @@ public class AuthenticationPrincipalArgumentResolverTests { @EnableWebMvc static class Config { - @Autowired - public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:off + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } + @Bean public UsernameExtractor usernameExtractor() { return new UsernameExtractor(); } + @RestController static class UserController { + @GetMapping("/users/self") - public String usersSelf(@AuthenticationPrincipal(expression = "@usernameExtractor.extract(#this)") String userName) { + public String usersSelf( + @AuthenticationPrincipal(expression = "@usernameExtractor.extract(#this)") String userName) { return userName; } + } + } + static class UsernameExtractor { + public String extract(User u) { return "extracted-" + u.getUsername(); } + } + } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java index ac01ec215b..01b7043de6 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java 
@@ -22,16 +22,11 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.security.core.Authentication; import org.springframework.security.core.annotation.AuthenticationPrincipal; -import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.debug.DebugFilter; import org.springframework.test.web.servlet.MockMvc; @@ -55,15 +50,6 @@ public class EnableWebSecurityTests { @Autowired private MockMvc mockMvc; - @Test - public void configureWhenOverrideAuthenticationManagerBeanThenAuthenticationManagerBeanRegistered() { - this.spring.register(SecurityConfig.class).autowire(); - AuthenticationManager authenticationManager = this.spring.getContext().getBean(AuthenticationManager.class); - Authentication authentication = authenticationManager - .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); - assertThat(authentication.isAuthenticated()).isTrue(); - } - @Test public void loadConfigWhenChildConfigExtendsSecurityConfigThenSecurityConfigInherited() { this.spring.register(ChildSecurityConfig.class).autowire(); 
@@ -100,38 +86,6 @@ public class EnableWebSecurityTests { assertThat(parentBean.getChild()).isNotSameAs(childBean); } - @Configuration - @EnableWebSecurity - static class SecurityConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on - } - - @Bean - @Override - public AuthenticationManager authenticationManagerBean() throws Exception { - return super.authenticationManagerBean(); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .antMatchers("/*").hasRole("USER") - .and() - .formLogin(); - // @formatter:on - } - - } - @Configuration static class ChildSecurityConfig extends DebugSecurityConfig { @@ -139,17 +93,18 @@ public class EnableWebSecurityTests { @Configuration @EnableWebSecurity(debug = true) - static class DebugSecurityConfig extends WebSecurityConfigurerAdapter { + static class DebugSecurityConfig { } @Configuration @EnableWebSecurity @EnableWebMvc - static class AuthenticationPrincipalConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationPrincipalConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @RestController @@ -188,7 +143,7 @@ public class EnableWebSecurityTests { @Configuration @EnableWebSecurity - static class BeanProxyEnabledByDefaultConfig extends WebSecurityConfigurerAdapter { + static class BeanProxyEnabledByDefaultConfig { @Bean Child child() { @@ -204,7 +159,7 @@ public class EnableWebSecurityTests { @Configuration(proxyBeanMethods = false) @EnableWebSecurity - static class BeanProxyDisabledConfig extends WebSecurityConfigurerAdapter { + static class BeanProxyDisabledConfig { @Bean Child child() { 
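Review bot: In `AuthenticationPrincipalConfig` the new `filterChain` bean is only `return http.build();`, with no request matcher and no authorization rules, so the resulting chain applies to every request and requires authentication for none. That mirrors the empty `configure(HttpSecurity)` override it replaces, but nothing in the class says the omission is deliberate, and an open chain is an easy pattern to copy out of a test. I would add a comment above the return, for example `// No authorization rules on purpose: this config only backs the @AuthenticationPrincipal resolution test.` (assuming that is the intent). The same bare `http.build()` appears in `OAuth2AuthorizedClientArgumentResolverConfig` and `OAuth2AuthorizedClientManagerRegisteredConfig` in OAuth2ClientConfigurationTests, in `BearerFilterlessConfig`, and in `SecurityConfig` in SecurityReactorContextConfigurationTests.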
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
index c3870a1735..08df86cdb7 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -42,6 +42,7 @@ import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepo
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.TestOAuth2AccessTokens;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -216,14 +217,15 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class OAuth2AuthorizedClientArgumentResolverConfig extends WebSecurityConfigurerAdapter { + static class OAuth2AuthorizedClientArgumentResolverConfig { static ClientRegistrationRepository CLIENT_REGISTRATION_REPOSITORY; static OAuth2AuthorizedClientRepository AUTHORIZED_CLIENT_REPOSITORY; static OAuth2AccessTokenResponseClient ACCESS_TOKEN_RESPONSE_CLIENT; - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Bean @@ -257,16 +259,17 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class OAuth2AuthorizedClientRepositoryRegisteredTwiceConfig extends WebSecurityConfigurerAdapter { + static class OAuth2AuthorizedClientRepositoryRegisteredTwiceConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login(); + return http.build(); // @formatter:on } @@ -295,16 +298,17 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class ClientRegistrationRepositoryNotRegisteredConfig extends WebSecurityConfigurerAdapter { + static class ClientRegistrationRepositoryNotRegisteredConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login(); + return http.build(); // @formatter:on } 
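Review bot: In `OAuth2AuthorizedClientRepositoryRegisteredTwiceConfig.filterChain` the added `return http.build();` sits between `.oauth2Login();` and `// @formatter:on`, so an ordinary statement ends up inside the formatter-off region that is only there to protect the layout of the fluent chain. Closing the region first keeps the markers around the DSL call alone: put `// @formatter:on` directly after `.oauth2Login();` and `return http.build();` on the line after it. The same placement recurs in `ClientRegistrationRepositoryNotRegisteredConfig` in the next hunk, in `ClientRegistrationRepositoryRegisteredTwiceConfig` and `AccessTokenResponseClientRegisteredTwiceConfig`, and in the `filterChain` beans added to WebSecurityConfigurationTests. Each enclosing config class continues outside its hunk.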
@@ -313,16 +317,17 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class ClientRegistrationRepositoryRegisteredTwiceConfig extends WebSecurityConfigurerAdapter { + static class ClientRegistrationRepositoryRegisteredTwiceConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login(); + return http.build(); // @formatter:on } @@ -351,16 +356,17 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class AccessTokenResponseClientRegisteredTwiceConfig extends WebSecurityConfigurerAdapter { + static class AccessTokenResponseClientRegisteredTwiceConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2Login(); + return http.build(); // @formatter:on } @@ -389,14 +395,15 @@ public class OAuth2ClientConfigurationTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class OAuth2AuthorizedClientManagerRegisteredConfig extends WebSecurityConfigurerAdapter { + static class OAuth2AuthorizedClientManagerRegisteredConfig { static ClientRegistrationRepository CLIENT_REGISTRATION_REPOSITORY; static OAuth2AuthorizedClientRepository AUTHORIZED_CLIENT_REPOSITORY; static OAuth2AuthorizedClientManager AUTHORIZED_CLIENT_MANAGER; - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Bean 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/Sec2515Tests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/Sec2515Tests.java
deleted file mode 100644
index eebcdfc4d4..0000000000
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/Sec2515Tests.java
+++ /dev/null
@@ -1,131 +0,0 @@ -/* - * Copyright 2002-2018 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web.configuration; - -import java.net.URL; -import java.net.URLClassLoader; - -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; - -import org.springframework.beans.FatalBeanException; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; -import org.springframework.security.config.test.SpringTestContext; -import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatExceptionOfType; -import static org.mockito.Mockito.mock; - -/** - * @author Joe Grandja - */ -@ExtendWith(SpringTestContextExtension.class) -public class Sec2515Tests { - - public final SpringTestContext spring = new SpringTestContext(this); - - // SEC-2515 - @Test - public void loadConfigWhenAuthenticationManagerNotConfiguredAndRegisterBeanThenThrowFatalBeanException() { - 
assertThatExceptionOfType(FatalBeanException.class) - .isThrownBy(() -> this.spring.register(StackOverflowSecurityConfig.class).autowire()); - } - - @Test - public void loadConfigWhenAuthenticationManagerNotConfiguredAndRegisterBeanCustomNameThenThrowFatalBeanException() { - assertThatExceptionOfType(FatalBeanException.class) - .isThrownBy(() -> this.spring.register(CustomBeanNameStackOverflowSecurityConfig.class).autowire()); - } - - // SEC-2549 - @Test - public void loadConfigWhenChildClassLoaderSetThenContextLoads() { - CanLoadWithChildConfig.AUTHENTICATION_MANAGER = mock(AuthenticationManager.class); - this.spring.register(CanLoadWithChildConfig.class); - AnnotationConfigWebApplicationContext context = (AnnotationConfigWebApplicationContext) this.spring - .getContext(); - context.setClassLoader(new URLClassLoader(new URL[0], context.getClassLoader())); - this.spring.autowire(); - assertThat(this.spring.getContext().getBean(AuthenticationManager.class)).isNotNull(); - } // SEC-2515 - - @Test - public void loadConfigWhenAuthenticationManagerConfiguredAndRegisterBeanThenContextLoads() { - this.spring.register(SecurityConfig.class).autowire(); - } - - @Configuration - @EnableWebSecurity - static class StackOverflowSecurityConfig extends WebSecurityConfigurerAdapter { - - @Bean - @Override - public AuthenticationManager authenticationManagerBean() throws Exception { - return super.authenticationManagerBean(); - } - - } - - @Configuration - @EnableWebSecurity - static class CustomBeanNameStackOverflowSecurityConfig extends WebSecurityConfigurerAdapter { - - @Override - @Bean(name = "custom") - public AuthenticationManager authenticationManagerBean() throws Exception { - return super.authenticationManagerBean(); - } - - } - - @Configuration - @EnableWebSecurity - static class CanLoadWithChildConfig extends WebSecurityConfigurerAdapter { - - static AuthenticationManager AUTHENTICATION_MANAGER; - - @Override - @Bean - public AuthenticationManager authenticationManager() 
{ - return AUTHENTICATION_MANAGER; - } - - } - - @Configuration - @EnableWebSecurity - static class SecurityConfig extends WebSecurityConfigurerAdapter { - - @Bean - @Override - public AuthenticationManager authenticationManagerBean() throws Exception { - return super.authenticationManagerBean(); - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication(); - } - - } - -} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java index 101c217919..168948e735 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java @@ -36,6 +36,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; import org.springframework.security.oauth2.server.resource.authentication.TestBearerTokenAuthentications; import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; import org.springframework.web.bind.annotation.GetMapping; 
@@ -106,11 +107,12 @@ public class SecurityReactorContextConfigurationResourceServerTests { @Configuration @EnableWebSecurity - static class BearerFilterConfig extends WebSecurityConfigurerAdapter { + static class BearerFilterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.securityContext().requireExplicitSave(false); + return http.build(); } @Bean @@ -123,10 +125,11 @@ public class SecurityReactorContextConfigurationResourceServerTests { @Configuration @EnableWebSecurity - static class BearerFilterlessConfig extends WebSecurityConfigurerAdapter { + static class BearerFilterlessConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationTests.java index 85203fd6bf..104cb0b766 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationTests.java @@ -33,6 +33,7 @@ import reactor.core.publisher.Operators; import reactor.test.StepVerifier; import reactor.util.context.Context; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; 
@@ -48,6 +49,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.oauth2.client.web.reactive.function.client.MockExchangeFunction; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; @@ -271,10 +273,11 @@ public class SecurityReactorContextConfigurationTests { @Configuration @EnableWebSecurity - static class SecurityConfig extends WebSecurityConfigurerAdapter { + static class SecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java index 9db832d7d9..e25de2c0b5 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
index 3365b8a574..451c84595f 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@@ -45,20 +45,13 @@ import org.springframework.security.access.expression.AbstractSecurityExpression
 import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.config.users.AuthenticationTestConfiguration;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.SecurityFilterChain;
@@ -96,29 +89,6 @@ public class WebSecurityConfigurationTests { @Autowired private MockMvc mockMvc; - @Test - public void loadConfigWhenWebSecurityConfigurersHaveOrderThenFilterChainsOrdered() { - this.spring.register(SortedWebSecurityConfigurerAdaptersConfig.class).autowire(); - FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class); - List filterChains = filterChainProxy.getFilterChains(); - assertThat(filterChains).hasSize(6); - MockHttpServletRequest request = new MockHttpServletRequest("GET", ""); - request.setServletPath("/ignore1"); - assertThat(filterChains.get(0).matches(request)).isTrue(); - assertThat(filterChains.get(0).getFilters()).isEmpty(); - request.setServletPath("/ignore2"); - assertThat(filterChains.get(1).matches(request)).isTrue(); - assertThat(filterChains.get(1).getFilters()).isEmpty(); - request.setServletPath("/role1/**"); - assertThat(filterChains.get(2).matches(request)).isTrue(); - request.setServletPath("/role2/**"); - assertThat(filterChains.get(3).matches(request)).isTrue(); - request.setServletPath("/role3/**"); - assertThat(filterChains.get(4).matches(request)).isTrue(); - request.setServletPath("/**"); - assertThat(filterChains.get(5).matches(request)).isTrue(); - } - @Test public void loadConfigWhenSecurityFilterChainsHaveOrderThenFilterChainsOrdered() { this.spring.register(SortedSecurityFilterChainConfig.class).autowire(); 
@@ -149,15 +119,6 @@ public class WebSecurityConfigurationTests { assertThat(filterChains.get(1).matches(request)).isTrue(); } - @Test - public void loadConfigWhenWebSecurityConfigurersHaveSameOrderThenThrowBeanCreationException() { - assertThatExceptionOfType(BeanCreationException.class) - .isThrownBy(() -> this.spring.register(DuplicateOrderConfig.class).autowire()).havingRootCause() - .withMessageContaining("@Order on WebSecurityConfigurers must be unique") - .withMessageContaining(DuplicateOrderConfig.WebConfigurer1.class.getName()) - .withMessageContaining(DuplicateOrderConfig.WebConfigurer2.class.getName()); - } - @Test public void loadConfigWhenWebInvocationPrivilegeEvaluatorSetThenIsRegistered() { PrivilegeEvaluatorConfigurerAdapterConfig.PRIVILEGE_EVALUATOR = mock(WebInvocationPrivilegeEvaluator.class); @@ -261,23 +222,6 @@ public class WebSecurityConfigurationTests { assertThat(Modifier.isStatic(method.getModifiers())).isTrue(); } - @Test - public void loadConfigWhenBeanProxyingEnabledAndSubclassThenFilterChainsCreated() { - this.spring.register(GlobalAuthenticationWebSecurityConfigurerAdaptersConfig.class, SubclassConfig.class) - .autowire(); - FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class); - List filterChains = filterChainProxy.getFilterChains(); - assertThat(filterChains).hasSize(4); - } - - @Test - public void loadConfigWhenBothAdapterAndFilterChainConfiguredThenException() { - assertThatExceptionOfType(BeanCreationException.class) - .isThrownBy(() -> this.spring.register(AdapterAndFilterChainConfig.class).autowire()) - .withRootCauseExactlyInstanceOf(IllegalStateException.class) - .withMessageContaining("Found WebSecurityConfigurerAdapter as well as SecurityFilterChain."); - } - @Test public void loadConfigWhenOnlyWebSecurityCustomizerThenDefaultFilterChainCreated() { this.spring.register(WebSecurityCustomizerConfig.class).autowire(); 
@@ -314,40 +258,6 @@ public class WebSecurityConfigurationTests { assertThat(filterChains.get(2).matches(request)).isFalse(); } - @Test - public void loadConfigWhenWebSecurityCustomizerAndWebSecurityConfigurerAdapterThenFilterChainsOrdered() { - this.spring.register(CustomizerAndAdapterConfig.class).autowire(); - FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class); - List filterChains = filterChainProxy.getFilterChains(); - assertThat(filterChains).hasSize(3); - MockHttpServletRequest request = new MockHttpServletRequest("GET", ""); - request.setServletPath("/ignore1"); - assertThat(filterChains.get(0).matches(request)).isTrue(); - assertThat(filterChains.get(0).getFilters()).isEmpty(); - request.setServletPath("/ignore2"); - assertThat(filterChains.get(1).matches(request)).isTrue(); - assertThat(filterChains.get(1).getFilters()).isEmpty(); - request.setServletPath("/role1/**"); - assertThat(filterChains.get(2).matches(request)).isTrue(); - request.setServletPath("/test/**"); - assertThat(filterChains.get(2).matches(request)).isFalse(); - } - - @Test - public void loadConfigWhenCustomizerAndAdapterConfigureWebSecurityThenBothConfigurationsApplied() { - this.spring.register(CustomizerAndAdapterIgnoringConfig.class).autowire(); - FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class); - List filterChains = filterChainProxy.getFilterChains(); - assertThat(filterChains).hasSize(3); - MockHttpServletRequest request = new MockHttpServletRequest("GET", ""); - request.setServletPath("/ignore1"); - assertThat(filterChains.get(0).matches(request)).isTrue(); - assertThat(filterChains.get(0).getFilters()).isEmpty(); - request.setServletPath("/ignore2"); - assertThat(filterChains.get(1).matches(request)).isTrue(); - assertThat(filterChains.get(1).getFilters()).isEmpty(); - } - @Test public void loadConfigWhenCustomizersHaveOrderThenCustomizersOrdered() { 
this.spring.register(OrderedCustomizerConfig.class).autowire(); @@ -363,19 +273,6 @@ public class WebSecurityConfigurationTests { assertThat(filterChains.get(1).getFilters()).isEmpty(); } - @Test - public void loadConfigWhenMultipleAuthenticationManagersAndWebSecurityConfigurerAdapterThenConfigurationApplied() { - this.spring.register(MultipleAuthenticationManagersConfig.class).autowire(); - FilterChainProxy filterChainProxy = this.spring.getContext().getBean(FilterChainProxy.class); - List filterChains = filterChainProxy.getFilterChains(); - assertThat(filterChains).hasSize(2); - MockHttpServletRequest request = new MockHttpServletRequest("GET", ""); - request.setServletPath("/role1"); - assertThat(filterChains.get(0).matches(request)).isTrue(); - request.setServletPath("/role2"); - assertThat(filterChains.get(1).matches(request)).isTrue(); - } - @Test public void loadConfigWhenTwoSecurityFilterChainsThenRequestMatcherDelegatingWebInvocationPrivilegeEvaluator() { this.spring.register(TwoSecurityFilterChainConfig.class).autowire(); 
@@ -439,80 +336,6 @@ public class WebSecurityConfigurationTests { assertThat(privilegeEvaluator.isAllowed("/another", user)).isTrue(); } - @Configuration - @EnableWebSecurity - @Import(AuthenticationTestConfiguration.class) - static class SortedWebSecurityConfigurerAdaptersConfig { - - @Configuration - @Order(1) - static class WebConfigurer1 extends WebSecurityConfigurerAdapter { - - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/ignore1", "/ignore2"); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role1/**") - .authorizeRequests() - .anyRequest().hasRole("1"); - // @formatter:on - } - - } - - @Configuration - @Order(2) - static class WebConfigurer2 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role2/**") - .authorizeRequests() - .anyRequest().hasRole("2"); - // @formatter:on - } - - } - - @Configuration - @Order(3) - static class WebConfigurer3 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role3/**") - .authorizeRequests() - .anyRequest().hasRole("3"); - // @formatter:on - } - - } - - @Configuration - static class WebConfigurer4 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .anyRequest().hasRole("4"); - // @formatter:on - } - - } - - } - @Configuration @EnableWebSecurity @Import(AuthenticationTestConfiguration.class) 
@@ -612,72 +435,36 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - @Import(AuthenticationTestConfiguration.class) - static class DuplicateOrderConfig { - - @Configuration - static class WebConfigurer1 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role1/**") - .authorizeRequests() - .anyRequest().hasRole("1"); - // @formatter:on - } - - } - - @Configuration - static class WebConfigurer2 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role2/**") - .authorizeRequests() - .anyRequest().hasRole("2"); - // @formatter:on - } - - } - - } - - @Configuration - @EnableWebSecurity - static class PrivilegeEvaluatorConfigurerAdapterConfig extends WebSecurityConfigurerAdapter { + static class PrivilegeEvaluatorConfigurerAdapterConfig { static WebInvocationPrivilegeEvaluator PRIVILEGE_EVALUATOR; - @Override - public void configure(WebSecurity web) { - web.privilegeEvaluator(PRIVILEGE_EVALUATOR); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.privilegeEvaluator(PRIVILEGE_EVALUATOR); } } @Configuration @EnableWebSecurity - static class WebSecurityExpressionHandlerConfig extends WebSecurityConfigurerAdapter { + static class WebSecurityExpressionHandlerConfig { static SecurityExpressionHandler EXPRESSION_HANDLER; - @Override - public void configure(WebSecurity web) { - web.expressionHandler(EXPRESSION_HANDLER); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.expressionHandler(EXPRESSION_HANDLER); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() 
.expressionHandler(EXPRESSION_HANDLER); + return http.build(); // @formatter:on } @@ -685,25 +472,26 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class NullWebSecurityExpressionHandlerConfig extends WebSecurityConfigurerAdapter { + static class NullWebSecurityExpressionHandlerConfig { - @Override - public void configure(WebSecurity web) { - web.expressionHandler(null); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.expressionHandler(null); } } @Configuration @EnableWebSecurity - static class WebSecurityExpressionHandlerDefaultsConfig extends WebSecurityConfigurerAdapter { + static class WebSecurityExpressionHandlerDefaultsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated(); + return http.build(); // @formatter:on } @@ -711,7 +499,7 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class WebSecurityExpressionHandlerRoleHierarchyBeanConfig extends WebSecurityConfigurerAdapter { + static class WebSecurityExpressionHandlerRoleHierarchyBeanConfig { @Bean RoleHierarchy roleHierarchy() { @@ -724,7 +512,7 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig extends WebSecurityConfigurerAdapter { + static class WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig { static final PermissionEvaluator PERMIT_ALL_PERMISSION_EVALUATOR = new PermissionEvaluator() { @Override 
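Review bot: `PrivilegeEvaluatorConfigurerAdapterConfig` keeps its old name although the class no longer extends `WebSecurityConfigurerAdapter` and now contributes a `WebSecurityCustomizer` bean instead. Since this commit removes the adapter, the name refers to a type that no longer exists; something like `PrivilegeEvaluatorWebSecurityCustomizerConfig` would say what the class does, with the reference in `loadConfigWhenWebInvocationPrivilegeEvaluatorSetThenIsRegistered` updated to match. The class body is inside this hunk; the test method that uses it is in an earlier one.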
@@ -748,14 +536,15 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class WebInvocationPrivilegeEvaluatorDefaultsConfig extends WebSecurityConfigurerAdapter { + static class WebInvocationPrivilegeEvaluatorDefaultsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated(); + return http.build(); // @formatter:on } @@ -780,14 +569,15 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class DefaultExpressionHandlerSetsBeanResolverConfig extends WebSecurityConfigurerAdapter { + static class DefaultExpressionHandlerSetsBeanResolverConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().access("request.method == 'GET' ? @b.grant() : @b.deny()"); + return http.build(); // @formatter:on } @@ -822,7 +612,7 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class ParentConfig extends WebSecurityConfigurerAdapter { + static class ParentConfig { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { @@ -833,7 +623,7 @@ public class WebSecurityConfigurationTests { @Configuration @EnableWebSecurity - static class ChildConfig extends WebSecurityConfigurerAdapter { + static class ChildConfig { } 
@@ -842,85 +632,6 @@ public class WebSecurityConfigurationTests { } - @Configuration - @Import(AuthenticationTestConfiguration.class) - @EnableGlobalAuthentication - static class GlobalAuthenticationWebSecurityConfigurerAdaptersConfig { - - @Configuration - @Order(1) - static class WebConfigurer1 extends WebSecurityConfigurerAdapter { - - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/ignore1", "/ignore2"); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/anonymous/**") - .authorizeRequests() - .anyRequest().anonymous(); - // @formatter:on - } - - } - - @Configuration - static class WebConfigurer2 extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .anyRequest().authenticated(); - // @formatter:on - } - - } - - } - - @Configuration - @EnableWebSecurity - @Import(AuthenticationTestConfiguration.class) - static class AdapterAndFilterChainConfig { - - @Order(2) - @Bean - SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - // @formatter:off - return http - .antMatcher("/filter/**") - .authorizeRequests((authorize) -> authorize - .anyRequest().authenticated() - ) - .build(); - // @formatter:on - } - - @Order(1) - @Configuration - static class WebConfigurer extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/config/**") - .authorizeRequests((authorize) -> authorize - .anyRequest().permitAll() - ); - // @formatter:on - } - - } - - } - @Configuration @EnableWebSecurity @Import(AuthenticationTestConfiguration.class) 
@@ -957,56 +668,6 @@ public class WebSecurityConfigurationTests { } - @Configuration - @EnableWebSecurity - @Import(AuthenticationTestConfiguration.class) - static class CustomizerAndAdapterConfig { - - @Bean - public WebSecurityCustomizer webSecurityCustomizer() { - return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2"); - } - - @Configuration - static class SecurityConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role1/**") - .authorizeRequests((authorize) -> authorize - .anyRequest().hasRole("1") - ); - // @formatter:on - } - - } - - } - - @Configuration - @EnableWebSecurity - @Import(AuthenticationTestConfiguration.class) - static class CustomizerAndAdapterIgnoringConfig { - - @Bean - public WebSecurityCustomizer webSecurityCustomizer() { - return (web) -> web.ignoring().antMatchers("/ignore1"); - } - - @Configuration - static class SecurityConfig extends WebSecurityConfigurerAdapter { - - @Override - public void configure(WebSecurity web) throws Exception { - web.ignoring().antMatchers("/ignore2"); - } - - } - - } - @Configuration @EnableWebSecurity @Import(AuthenticationTestConfiguration.class) 
@@ -1026,75 +687,6 @@ public class WebSecurityConfigurationTests { } - @Configuration - @EnableWebSecurity - static class MultipleAuthenticationManagersConfig { - - @Bean("authManager1") - static AuthenticationManager authenticationManager1() { - return new ProviderManager(new AuthenticationProvider() { - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - return UsernamePasswordAuthenticationToken.unauthenticated("user", "credentials"); - } - - @Override - public boolean supports(Class authentication) { - return false; - } - }); - } - - @Bean("authManager2") - static AuthenticationManager authenticationManager2() { - return new ProviderManager(new AuthenticationProvider() { - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - return UsernamePasswordAuthenticationToken.unauthenticated("subuser", "credentials"); - } - - @Override - public boolean supports(Class authentication) { - return false; - } - }); - } - - @Configuration - @Order(1) - public static class SecurityConfig1 extends WebSecurityConfigurerAdapter { - - @Override - protected AuthenticationManager authenticationManager() { - return authenticationManager1(); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .antMatcher("/role1/**") - .authorizeRequests((authorize) -> authorize - .anyRequest().hasRole("1") - ); - // @formatter:on - } - - } - - @Configuration - @Order(2) - public static class SecurityConfig2 extends WebSecurityConfigurerAdapter { - - @Override - protected AuthenticationManager authenticationManager() { - return authenticationManager2(); - } - - } - - } - @Configuration @EnableWebSecurity static class TwoSecurityFilterChainConfig { 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/a/Sec2377AConfig.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/a/Sec2377AConfig.java index 64a0481057..567dd987cc 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/a/Sec2377AConfig.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/a/Sec2377AConfig.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,10 +18,9 @@ package org.springframework.security.config.annotation.web.configuration.sec2377 import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity -public class Sec2377AConfig extends WebSecurityConfigurerAdapter { +public class Sec2377AConfig { } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/b/Sec2377BConfig.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/b/Sec2377BConfig.java index e3ac23da39..2bc5486ce5 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/b/Sec2377BConfig.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/sec2377/b/Sec2377BConfig.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,10 +18,9 @@ package org.springframework.security.config.annotation.web.configuration.sec2377 import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity -public class Sec2377BConfig extends WebSecurityConfigurerAdapter { +public class Sec2377BConfig { } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java index 207b9c4315..5fbb13ea89 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java 
@@ -20,18 +20,20 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.context.SecurityContextChangedListener; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; 
@@ -93,10 +95,10 @@ public class AnonymousConfigurerTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class InvokeTwiceDoesNotOverride extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverride { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .anonymous() @@ -104,6 +106,7 @@ public class AnonymousConfigurerTests { .principal("principal") .and() .anonymous(); + return http.build(); // @formatter:on } @@ -112,16 +115,17 @@ public class AnonymousConfigurerTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class AnonymousPrincipalInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AnonymousPrincipalInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .anonymous((anonymous) -> anonymous .principal("principal") ); + return http.build(); // @formatter:on } @@ -129,10 +133,10 @@ public class AnonymousConfigurerTests { @Configuration @EnableWebSecurity - static class AnonymousDisabledInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AnonymousDisabledInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> 
@@ -141,25 +145,22 @@ public class AnonymousConfigurerTests { ) .anonymous(AbstractHttpConfigurer::disable); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class AnonymousWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AnonymousWithDefaultsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -168,15 +169,12 @@ public class AnonymousConfigurerTests { ) .anonymous(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java index ee183572e0..526c00fe79 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java 
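Review bot: The new `userDetailsService()` bean in `AnonymousDisabledInLambdaConfig` is not a like-for-like replacement for the removed `configure(AuthenticationManagerBuilder)` override. The override configured authentication for that one adapter, whereas a `UserDetailsService` bean is visible to the whole application context. With a single `filterChain` per fixture the outcome should be the same, but the wider scope deserves a comment for readers who copy this migration pattern, e.g. `// context-wide user store; replaces the adapter-local configure(AuthenticationManagerBuilder)`. The same applies to `AnonymousWithDefaultsInLambdaConfig` in the next hunk. `AnonymousDisabledInLambdaConfig.filterChain` begins in the previous hunk.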
@@ -32,14 +32,15 @@ import org.springframework.mock.web.MockServletContext; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -281,33 +282,31 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration - static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter { + static class AntMatchersNoPatternsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers(HttpMethod.POST).denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class AntMatchersNoPatternsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AntMatchersNoPatternsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> 
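Review bot: `userDetailsService()` in `AntMatchersNoPatternsConfig` returns an `InMemoryUserDetailsManager` with no users, and nothing says why an empty store is registered. It mirrors the removed `auth.inMemoryAuthentication()` call, which also added no users, so a short comment such as `// intentionally empty, mirrors the removed auth.inMemoryAuthentication()` would stop a reader from taking it for a forgotten user. The same uncommented bean is repeated in each fixture touched by the following hunks of `AuthorizeRequestsTests`, so the comment belongs on all of them. `AntMatchersNoPatternsInLambdaConfig.filterChain` begins in this hunk and ends in the next one.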
@@ -315,85 +314,77 @@ public class AuthorizeRequestsTests { .antMatchers(HttpMethod.POST).denyAll() ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class AntPatchersPathVariables extends WebSecurityConfigurerAdapter { + static class AntPatchersPathVariables { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .requestMatchers(new AntPathRequestMatcher("/user/{user}", null, false)).access("#user == 'user'") .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class AntMatchersPathVariablesCamelCaseVariables extends WebSecurityConfigurerAdapter { + static class AntMatchersPathVariablesCamelCaseVariables { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .requestMatchers(new AntPathRequestMatcher("/user/{userName}", null, false)).access("#userName == 'user'") .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new 
InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class RoleHiearchyConfig extends WebSecurityConfigurerAdapter { + static class RoleHiearchyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("ADMIN"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @Bean @@ -408,24 +399,22 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .mvcMatchers("/path").denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -443,10 +432,10 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherInLambdaConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic(withDefaults()) 
@@ -455,14 +444,12 @@ public class AuthorizeRequestsTests { .mvcMatchers("/path").denyAll() ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -480,24 +467,22 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherServletPathConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherServletPathConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .mvcMatchers("/path").servletPath("/spring").denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -515,10 +500,10 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherServletPathInLambdaConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherServletPathInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic(withDefaults()) 
@@ -527,14 +512,12 @@ public class AuthorizeRequestsTests { .mvcMatchers("/path").servletPath("/spring").denyAll() ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -552,24 +535,22 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherPathVariablesConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherPathVariablesConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .mvcMatchers("/user/{userName}").access("#userName == 'user'"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -587,10 +568,10 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherPathVariablesInLambdaConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherPathVariablesInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic(withDefaults()) 
@@ -599,14 +580,12 @@ public class AuthorizeRequestsTests { .mvcMatchers("/user/{userName}").access("#userName == 'user'") ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -624,24 +603,22 @@ public class AuthorizeRequestsTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherPathServletPathRequiredConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherPathServletPathRequiredConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic().and() .authorizeRequests() .mvcMatchers("/user").denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurerTests.java index 0db0d6756f..aa47d7e9fe 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurerTests.java 
@@ -31,7 +31,6 @@ import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.PortMapperImpl; @@ -131,16 +130,17 @@ public class ChannelSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requiresChannel() .anyRequest().requiresSecure(); + return http.build(); // @formatter:on } @@ -162,16 +162,17 @@ public class ChannelSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateInvocationsDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateInvocationsDoesNotOverrideConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requiresChannel() .anyRequest().requiresSecure() .and() .requiresChannel(); + return http.build(); // @formatter:on } 
@@ -179,16 +180,17 @@ public class ChannelSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class RequiresChannelInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequiresChannelInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requiresChannel((requiresChannel) -> requiresChannel .anyRequest().requiresSecure() ); + return http.build(); // @formatter:on } @@ -196,10 +198,10 @@ public class ChannelSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class RequiresChannelWithTestUrlRedirectStrategy extends WebSecurityConfigurerAdapter { + static class RequiresChannelWithTestUrlRedirectStrategy { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .portMapper() @@ -209,6 +211,7 @@ public class ChannelSecurityConfigurerTests { .redirectStrategy(new TestUrlRedirectStrategy()) .anyRequest() .requiresSecure(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java index 79797f331f..75ace8cdc5 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -30,9 +30,9 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.CrossOrigin; import org.springframework.web.bind.annotation.RequestMapping; @@ -184,16 +184,17 @@ public class CorsConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultCorsConfig extends WebSecurityConfigurerAdapter { + static class DefaultCorsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .cors(); + return http.build(); // @formatter:on } @@ -202,16 +203,17 @@ public class CorsConfigurerTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class MvcCorsConfig extends WebSecurityConfigurerAdapter { + static class MvcCorsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .cors(); + return http.build(); // @formatter:on } 
@@ -231,10 +233,10 @@ public class CorsConfigurerTests { @Configuration @EnableWebMvc @EnableWebSecurity - static class MvcCorsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class MvcCorsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -242,6 +244,7 @@ public class CorsConfigurerTests { .anyRequest().authenticated() ) .cors(withDefaults()); + return http.build(); // @formatter:on } @@ -260,16 +263,17 @@ public class CorsConfigurerTests { @Configuration @EnableWebSecurity - static class ConfigSourceConfig extends WebSecurityConfigurerAdapter { + static class ConfigSourceConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .cors(); + return http.build(); // @formatter:on } @@ -287,10 +291,10 @@ public class CorsConfigurerTests { @Configuration @EnableWebSecurity - static class ConfigSourceInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ConfigSourceInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -298,6 +302,7 @@ public class CorsConfigurerTests { .anyRequest().authenticated() ) .cors(withDefaults()); + return http.build(); // @formatter:on } 
@@ -315,16 +320,17 @@ public class CorsConfigurerTests { @Configuration @EnableWebSecurity - static class CorsFilterConfig extends WebSecurityConfigurerAdapter { + static class CorsFilterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .cors(); + return http.build(); // @formatter:on } @@ -342,10 +348,10 @@ public class CorsConfigurerTests { @Configuration @EnableWebSecurity - static class CorsFilterInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CorsFilterInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -353,6 +359,7 @@ public class CorsConfigurerTests { .anyRequest().authenticated() ) .cors(withDefaults()); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java index 7d608c9567..c9e359b607 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,7 +25,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.SecurityFilterChain; @@ -101,17 +100,18 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { @Configuration @EnableWebSecurity - static class IgnoringRequestMatchers extends WebSecurityConfigurerAdapter { + static class IgnoringRequestMatchers { RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/path")) .ignoringRequestMatchers(this.requestMatcher); + return http.build(); // @formatter:on } @@ -119,12 +119,12 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { @Configuration @EnableWebSecurity - static class IgnoringRequestInLambdaMatchers extends WebSecurityConfigurerAdapter { + static class IgnoringRequestInLambdaMatchers { RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf((csrf) -> 
@@ -132,6 +132,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/path")) .ignoringRequestMatchers(this.requestMatcher) ); + return http.build(); // @formatter:on } @@ -139,17 +140,18 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { @Configuration @EnableWebSecurity - static class IgnoringPathsAndMatchers extends WebSecurityConfigurerAdapter { + static class IgnoringPathsAndMatchers { RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .ignoringAntMatchers("/no-csrf") .ignoringRequestMatchers(this.requestMatcher); + return http.build(); // @formatter:on } @@ -157,12 +159,12 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { @Configuration @EnableWebSecurity - static class IgnoringPathsAndMatchersInLambdaConfig extends WebSecurityConfigurerAdapter { + static class IgnoringPathsAndMatchersInLambdaConfig { RequestMatcher requestMatcher = (request) -> HttpMethod.POST.name().equals(request.getMethod()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf((csrf) -> @@ -170,6 +172,7 @@ public class CsrfConfigurerIgnoringRequestMatchersTests { .ignoringAntMatchers("/no-csrf") .ignoringRequestMatchers(this.requestMatcher) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerNoWebMvcTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerNoWebMvcTests.java index 10ce534ee7..223540d1a5 100644 
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerNoWebMvcTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerNoWebMvcTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Primary; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor; import org.springframework.web.servlet.support.RequestDataValueProcessor; @@ -76,10 +76,11 @@ public class CsrfConfigurerNoWebMvcTests { @Configuration @EnableWebSecurity - static class EnableWebConfig extends WebSecurityConfigurerAdapter { + static class EnableWebConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } @@ -98,10 +99,11 @@ public class CsrfConfigurerNoWebMvcTests { @Configuration @EnableWebSecurity - static class EnableWebMvcConfig extends WebSecurityConfigurerAdapter { + static class EnableWebMvcConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } 
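Review bot: `EnableWebConfig.filterChain` now consists only of `return http.build();`, and nothing at the call site says where the CSRF support under test comes from. It presumably relies on the defaults already applied to the injected `HttpSecurity` bean, so a one-line comment such as `// no customisation: relies on the defaults of the injected HttpSecurity` would make that explicit. The chain also declares no authorization rule, which is worth marking as deliberate so the shape is not copied into application code unchanged. The same applies to `EnableWebMvcConfig` in the next hunk, `CsrfAppliedDefaultConfig` in CsrfConfigurerTests and `DefaultFiltersConfigPermitAll` in DefaultFiltersTests.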
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java index 38776e6223..9ce192deaf 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java @@ -33,11 +33,12 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; 
@@ -479,24 +480,26 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfAppliedDefaultConfig extends WebSecurityConfigurerAdapter { + static class CsrfAppliedDefaultConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } @Configuration @EnableWebSecurity - static class DisableCsrfConfig extends WebSecurityConfigurerAdapter { + static class DisableCsrfConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .disable(); + return http.build(); // @formatter:on } @@ -504,13 +507,14 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class DisableCsrfInLambdaConfig extends WebSecurityConfigurerAdapter { + static class DisableCsrfInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf(AbstractHttpConfigurer::disable); + return http.build(); // @formatter:on } @@ -518,10 +522,10 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class DisableCsrfEnablesRequestCacheConfig extends WebSecurityConfigurerAdapter { + static class DisableCsrfEnablesRequestCacheConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -532,27 +536,24 @@ public class CsrfConfigurerTests { .csrf() .disable(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class CsrfDisablesPostRequestFromRequestCacheConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisablesPostRequestFromRequestCacheConfig { static CsrfTokenRepository REPO; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -563,31 +564,29 @@ public class CsrfConfigurerTests { .csrf() .csrfTokenRepository(REPO); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class InvalidSessionUrlConfig extends WebSecurityConfigurerAdapter { + static class InvalidSessionUrlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .and() .sessionManagement() .invalidSessionUrl("/error/sessionError"); + return http.build(); // @formatter:on } 
@@ -595,16 +594,17 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class RequireCsrfProtectionMatcherConfig extends WebSecurityConfigurerAdapter { + static class RequireCsrfProtectionMatcherConfig { static RequestMatcher MATCHER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .requireCsrfProtectionMatcher(MATCHER); + return http.build(); // @formatter:on } @@ -612,15 +612,16 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class RequireCsrfProtectionMatcherInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequireCsrfProtectionMatcherInLambdaConfig { static RequestMatcher MATCHER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf((csrf) -> csrf.requireCsrfProtectionMatcher(MATCHER)); + return http.build(); // @formatter:on } @@ -628,12 +629,12 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfTokenRepositoryConfig extends WebSecurityConfigurerAdapter { + static class CsrfTokenRepositoryConfig { static CsrfTokenRepository REPO; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() 
@@ -641,31 +642,29 @@ public class CsrfConfigurerTests { .csrf() .csrfTokenRepository(REPO); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class CsrfTokenRepositoryInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CsrfTokenRepositoryInLambdaConfig { static CsrfTokenRepository REPO; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) .csrf((csrf) -> csrf.csrfTokenRepository(REPO)); + return http.build(); // @formatter:on } @@ -673,16 +672,17 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class AccessDeniedHandlerConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedHandlerConfig { static AccessDeniedHandler DENIED_HANDLER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling() .accessDeniedHandler(DENIED_HANDLER); + return http.build(); // @formatter:on } 
@@ -690,18 +690,19 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultAccessDeniedHandlerForConfig extends WebSecurityConfigurerAdapter { + static class DefaultAccessDeniedHandlerForConfig { static AccessDeniedHandler DENIED_HANDLER; static RequestMatcher MATCHER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling() .defaultAccessDeniedHandlerFor(DENIED_HANDLER, MATCHER); + return http.build(); // @formatter:on } @@ -709,13 +710,14 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class FormLoginConfig extends WebSecurityConfigurerAdapter { + static class FormLoginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(); + return http.build(); // @formatter:on } @@ -723,16 +725,17 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class LogoutAllowsGetConfig extends WebSecurityConfigurerAdapter { + static class LogoutAllowsGetConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); + return http.build(); // @formatter:on } 
@@ -740,14 +743,15 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class NullRequireCsrfProtectionMatcherConfig extends WebSecurityConfigurerAdapter { + static class NullRequireCsrfProtectionMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .requireCsrfProtectionMatcher(null); + return http.build(); // @formatter:on } @@ -755,10 +759,10 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultDoesNotCreateSession extends WebSecurityConfigurerAdapter { + static class DefaultDoesNotCreateSession { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -768,29 +772,27 @@ public class CsrfConfigurerTests { .and() .httpBasic(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class NullAuthenticationStrategy extends WebSecurityConfigurerAdapter { + static class NullAuthenticationStrategy { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .sessionAuthenticationStrategy(null); + return http.build(); // @formatter:on } 
@@ -798,12 +800,12 @@ public class CsrfConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfAuthenticationStrategyConfig extends WebSecurityConfigurerAdapter { + static class CsrfAuthenticationStrategyConfig { static SessionAuthenticationStrategy STRATEGY; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() @@ -811,15 +813,12 @@ public class CsrfConfigurerTests { .csrf() .sessionAuthenticationStrategy(STRATEGY); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java index fe6401d91b..0a2ce8421e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,17 +25,15 @@ import jakarta.servlet.ServletException; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.builders.WebSecurity; +import org.springframework.security.config.annotation.web.builders.TestHttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; @@ -133,13 +131,9 @@ public class DefaultFiltersTests { @EnableWebSecurity static class FilterChainProxyBuilderMissingConfig { - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } 
@@ -156,38 +150,33 @@ public class DefaultFiltersTests { @Configuration @EnableWebSecurity - static class NullWebInvocationPrivilegeEvaluatorConfig extends WebSecurityConfigurerAdapter { + static class NullWebInvocationPrivilegeEvaluatorConfig { - NullWebInvocationPrivilegeEvaluatorConfig() { - super(true); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + TestHttpSecurity.disableDefaults(http); http.formLogin(); + return http.build(); } } @Configuration @EnableWebSecurity - static class FilterChainProxyBuilderIgnoringConfig extends WebSecurityConfigurerAdapter { + static class FilterChainProxyBuilderIgnoringConfig { - @Override - public void configure(WebSecurity web) { - // @formatter:off - web - .ignoring() - .antMatchers("/resources/**"); - // @formatter:on + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().antMatchers("/resources/**"); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("USER"); + return http.build(); // @formatter:on } @@ -195,10 +184,11 @@ public class DefaultFiltersTests { @Configuration @EnableWebSecurity - static class DefaultFiltersConfigPermitAll extends WebSecurityConfigurerAdapter { + static class DefaultFiltersConfigPermitAll { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java index 480f71ce5a..75746f223e 100644 
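Review bot: `TestHttpSecurity.disableDefaults(http)` in `NullWebInvocationPrivilegeEvaluatorConfig` replaces the removed `super(true)` constructor call, but the helper is defined outside this hunk and the call site does not say what it strips. A short comment would help, for example `// test-only: start from an HttpSecurity without the default configurers (replaces super(true))`. If the helper works by removing configurers that are already applied, the comment should also say that the call has to stay ahead of `http.formLogin()`; I cannot confirm that from this hunk. Such a helper presumably drops protections like CSRF and the default security headers, so it is worth checking that it stays confined to test sources.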
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,14 +24,15 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockHttpSession; import org.springframework.security.config.annotation.ObjectPostProcessor; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.ExceptionTranslationFilter; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; 
@@ -313,10 +314,10 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultLoginPageConfig extends WebSecurityConfigurerAdapter { + static class DefaultLoginPageConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -324,25 +325,22 @@ public class DefaultLoginPageConfigurerTests { .and() .formLogin(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class DefaultLoginPageCustomLogoutSuccessHandlerConfig extends WebSecurityConfigurerAdapter { + static class DefaultLoginPageCustomLogoutSuccessHandlerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -352,6 +350,7 @@ public class DefaultLoginPageConfigurerTests { .logoutSuccessHandler(new SimpleUrlLogoutSuccessHandler()) .and() .formLogin(); + return http.build(); // @formatter:on } @@ -359,10 +358,10 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultLoginPageCustomLogoutSuccessUrlConfig extends WebSecurityConfigurerAdapter { + static class DefaultLoginPageCustomLogoutSuccessUrlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -372,6 +371,7 @@ public class DefaultLoginPageConfigurerTests { .logoutSuccessUrl("/login?logout") .and() .formLogin(); + return http.build(); // @formatter:on } @@ -379,10 +379,10 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultLoginPageWithRememberMeConfig extends WebSecurityConfigurerAdapter { + static class DefaultLoginPageWithRememberMeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -391,17 +391,23 @@ public class DefaultLoginPageConfigurerTests { .formLogin() .and() .rememberMe(); + return http.build(); // @formatter:on } + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); + } + } @Configuration @EnableWebSecurity - static class DefaultLoginWithCustomAuthenticationEntryPointConfig extends WebSecurityConfigurerAdapter { + static class DefaultLoginWithCustomAuthenticationEntryPointConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling() @@ -411,6 +417,7 @@ public class DefaultLoginPageConfigurerTests { .anyRequest().hasRole("USER") .and() .formLogin(); + return http.build(); // @formatter:on } @@ -418,17 +425,18 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling() .and() .formLogin(); + return http.build(); // @formatter:on } 
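Review bot: The `userDetailsService()` bean added to `DefaultLoginPageWithRememberMeConfig` has no counterpart in the removed code, and the hunk does not explain why this class gains one when the other classes only had their existing `configure(AuthenticationManagerBuilder)` translated. Presumably `rememberMe()` needs a `UserDetailsService` that the adapter used to make available; a comment such as `// rememberMe() needs a UserDetailsService; the adapter previously provided one` would record that for the next reader. The class and its `filterChain` method begin in the preceding hunk.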
@@ -441,16 +449,17 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultLogoutPageConfig extends WebSecurityConfigurerAdapter { + static class DefaultLogoutPageConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorize) -> authorize .anyRequest().authenticated() ) .formLogin(withDefaults()); + return http.build(); // @formatter:on } @@ -458,10 +467,10 @@ public class DefaultLoginPageConfigurerTests { @Configuration @EnableWebSecurity - static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter { + static class LogoutDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorize) -> authorize @@ -471,6 +480,7 @@ public class DefaultLoginPageConfigurerTests { .logout((logout) -> logout .disable() ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java index 0cc2b46e8a..e1d8e8a73a 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerAccessDeniedHandlerTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,15 +20,16 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.security.web.access.AccessDeniedHandlerImpl; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; 
@@ -77,13 +78,13 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class RequestMatcherBasedAccessDeniedHandlerConfig extends WebSecurityConfigurerAdapter { + static class RequestMatcherBasedAccessDeniedHandlerConfig { AccessDeniedHandler teapotDeniedHandler = (request, response, exception) -> response .setStatus(HttpStatus.I_AM_A_TEAPOT.value()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -96,6 +97,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { .defaultAccessDeniedHandlerFor( new AccessDeniedHandlerImpl(), AnyRequestMatcher.INSTANCE); + return http.build(); // @formatter:on } @@ -103,13 +105,13 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class RequestMatcherBasedAccessDeniedHandlerInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequestMatcherBasedAccessDeniedHandlerInLambdaConfig { AccessDeniedHandler teapotDeniedHandler = (request, response, exception) -> response .setStatus(HttpStatus.I_AM_A_TEAPOT.value()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -127,6 +129,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { AnyRequestMatcher.INSTANCE ) ); + return http.build(); // @formatter:on } 
@@ -134,13 +137,13 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class SingleRequestMatcherAccessDeniedHandlerConfig extends WebSecurityConfigurerAdapter { + static class SingleRequestMatcherAccessDeniedHandlerConfig { AccessDeniedHandler teapotDeniedHandler = (request, response, exception) -> response .setStatus(HttpStatus.I_AM_A_TEAPOT.value()); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -150,6 +153,7 @@ public class ExceptionHandlingConfigurerAccessDeniedHandlerTests { .defaultAccessDeniedHandlerFor( this.teapotDeniedHandler, new AntPathRequestMatcher("/hello/**")); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java index be1edb44db..7d9b3c770e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java 
@@ -29,18 +29,19 @@ import org.springframework.http.MediaType; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextChangedListener; import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.ExceptionTranslationFilter; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.accept.ContentNegotiationStrategy; 
@@ -231,15 +232,16 @@ public class ExceptionHandlingConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling(); + return http.build(); // @formatter:on } @@ -277,15 +279,15 @@ public class ExceptionHandlingConfigurerTests { } @Configuration @EnableWebSecurity - static class HttpBasicAndFormLoginEntryPointsConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); + static class HttpBasicAndFormLoginEntryPointsConfig { + + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } - @Override - protected void configure(HttpSecurity http) throws Exception { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -295,13 +297,14 @@ public class ExceptionHandlingConfigurerTests { .and() .formLogin(); // @formatter:on + return http.build(); } } @Configuration @EnableWebSecurity - static class OverrideContentNegotiationStrategySharedObjectConfig extends WebSecurityConfigurerAdapter { + static class OverrideContentNegotiationStrategySharedObjectConfig { static ContentNegotiationStrategy CNS = mock(ContentNegotiationStrategy.class); 
@@ -314,16 +317,16 @@ public class ExceptionHandlingConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultHttpConfig extends WebSecurityConfigurerAdapter { + static class DefaultHttpConfig { } @Configuration @EnableWebSecurity - static class BasicAuthenticationEntryPointBeforeFormLoginConfig extends WebSecurityConfigurerAdapter { + static class BasicAuthenticationEntryPointBeforeFormLoginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -332,6 +335,7 @@ public class ExceptionHandlingConfigurerTests { .httpBasic() .and() .formLogin(); + return http.build(); // @formatter:on } @@ -339,12 +343,12 @@ public class ExceptionHandlingConfigurerTests { @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverrideConfig { static AuthenticationEntryPoint AEP = mock(AuthenticationEntryPoint.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -353,6 +357,7 @@ public class ExceptionHandlingConfigurerTests { .exceptionHandling() .authenticationEntryPoint(AEP).and() .exceptionHandling(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java index 34bd999a25..99af6e42a3 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,7 +17,9 @@ package org.springframework.security.config.annotation.web.configurers; import java.io.Serializable; +import java.util.ArrayList; import java.util.Collections; +import java.util.List; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; 
@@ -38,17 +40,19 @@ import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.authentication.RememberMeAuthenticationToken; import org.springframework.security.config.annotation.ObjectPostProcessor; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.core.GrantedAuthorityDefaults; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterInvocation; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler; import org.springframework.security.web.access.expression.WebExpressionVoter; import org.springframework.security.web.access.expression.WebSecurityExpressionRoot; 
@@ -60,9 +64,9 @@ import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RestController; +import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; @@ -439,9 +443,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Test public void configureWhenRegisteringObjectPostProcessorThenApplicationListenerInvokedOnAuthorizedEvent() throws Exception { + AuthorizedEventApplicationListener.clearEvents(); this.spring.register(AuthorizedRequestsWithPostProcessorConfig.class).autowire(); this.mvc.perform(get("/")); - verify(AuthorizedRequestsWithPostProcessorConfig.AL).onApplicationEvent(any(AuthorizedEvent.class)); + assertThat(AuthorizedEventApplicationListener.EVENTS).isNotEmpty(); } @Test @@ -552,14 +557,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class HasRoleStartingWithRoleConfig extends WebSecurityConfigurerAdapter { + static class HasRoleStartingWithRoleConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("ROLE_USER"); + return http.build(); // @formatter:on } 
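Review bot: `assertThat(AuthorizedEventApplicationListener.EVENTS).isNotEmpty()` in `configureWhenRegisteringObjectPostProcessorThenApplicationListenerInvokedOnAuthorizedEvent` is looser than the `verify(...)` call it replaces, which by Mockito's default required exactly one invocation. If a single `get("/")` is still expected to publish one `AuthorizedEvent`, `assertThat(AuthorizedEventApplicationListener.EVENTS).hasSize(1);` keeps the original strictness. If more than one event is now legitimate, a short comment above the assertion saying so would explain the weaker check.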
@@ -567,16 +573,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class NoSpecificAccessDecisionManagerConfig extends WebSecurityConfigurerAdapter { + static class NoSpecificAccessDecisionManagerConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("USER"); + return http.build(); // @formatter:on } @@ -589,13 +596,14 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class NoRequestsConfig extends WebSecurityConfigurerAdapter { + static class NoRequestsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests(); + return http.build(); // @formatter:on } @@ -603,15 +611,16 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class IncompleteMappingConfig extends WebSecurityConfigurerAdapter { + static class IncompleteMappingConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/a").authenticated() .anyRequest(); + return http.build(); // @formatter:on } 
@@ -619,16 +628,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserAnyAuthorityConfig extends WebSecurityConfigurerAdapter { + static class RoleUserAnyAuthorityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().hasAnyAuthority("ROLE_USER"); + return http.build(); // @formatter:on } @@ -636,16 +646,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserAuthorityConfig extends WebSecurityConfigurerAdapter { + static class RoleUserAuthorityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().hasAuthority("ROLE_USER"); + return http.build(); // @formatter:on } @@ -653,16 +664,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserOrRoleAdminAuthorityConfig extends WebSecurityConfigurerAdapter { + static class RoleUserOrRoleAdminAuthorityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().hasAnyAuthority("ROLE_USER", "ROLE_ADMIN"); + return http.build(); // @formatter:on } 
@@ -670,14 +682,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserConfig extends WebSecurityConfigurerAdapter { + static class RoleUserConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER"); + return http.build(); // @formatter:on } @@ -685,14 +698,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserWithTestRolePrefixConfig extends WebSecurityConfigurerAdapter { + static class RoleUserWithTestRolePrefixConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER"); + return http.build(); // @formatter:on } @@ -705,14 +719,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserWithEmptyRolePrefixConfig extends WebSecurityConfigurerAdapter { + static class RoleUserWithEmptyRolePrefixConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER"); + return http.build(); // @formatter:on } 
@@ -725,14 +740,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserOrAdminConfig extends WebSecurityConfigurerAdapter { + static class RoleUserOrAdminConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER", "ADMIN"); + return http.build(); // @formatter:on } @@ -740,14 +756,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserOrAdminWithTestRolePrefixConfig extends WebSecurityConfigurerAdapter { + static class RoleUserOrAdminWithTestRolePrefixConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER", "ADMIN"); + return http.build(); // @formatter:on } @@ -760,14 +777,15 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleUserOrAdminWithEmptyRolePrefixConfig extends WebSecurityConfigurerAdapter { + static class RoleUserOrAdminWithEmptyRolePrefixConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasAnyRole("USER", "ADMIN"); + return http.build(); // @formatter:on } 
@@ -780,16 +798,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class HasIpAddressConfig extends WebSecurityConfigurerAdapter { + static class HasIpAddressConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().hasIpAddress("192.168.1.0"); + return http.build(); // @formatter:on } @@ -797,16 +816,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class AnonymousConfig extends WebSecurityConfigurerAdapter { + static class AnonymousConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().anonymous(); + return http.build(); // @formatter:on } @@ -814,10 +834,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RememberMeConfig extends WebSecurityConfigurerAdapter { + static class RememberMeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .rememberMe() 
@@ -827,31 +847,29 @@ public class ExpressionUrlAuthorizationConfigurerTests { .authorizeRequests() .anyRequest().rememberMe(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class DenyAllConfig extends WebSecurityConfigurerAdapter { + static class DenyAllConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().denyAll(); + return http.build(); // @formatter:on } @@ -859,16 +877,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class NotDenyAllConfig extends WebSecurityConfigurerAdapter { + static class NotDenyAllConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .authorizeRequests() .anyRequest().not().denyAll(); + return http.build(); // @formatter:on } @@ -876,10 +895,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class FullyAuthenticatedConfig extends WebSecurityConfigurerAdapter { + static class FullyAuthenticatedConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .rememberMe() 
@@ -888,17 +907,23 @@ public class ExpressionUrlAuthorizationConfigurerTests { .and() .authorizeRequests() .anyRequest().fullyAuthenticated(); + return http.build(); // @formatter:on } + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); + } + } @Configuration @EnableWebSecurity - static class AccessConfig extends WebSecurityConfigurerAdapter { + static class AccessConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .rememberMe() @@ -907,17 +932,23 @@ public class ExpressionUrlAuthorizationConfigurerTests { .and() .authorizeRequests() .anyRequest().access("hasRole('ROLE_USER') or request.method == 'GET'"); + return http.build(); // @formatter:on } + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); + } + } @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotResetConfig extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotResetConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() @@ -926,6 +957,7 @@ public class ExpressionUrlAuthorizationConfigurerTests { .anyRequest().authenticated() .and() .authorizeRequests(); + return http.build(); // @formatter:on } 
@@ -933,10 +965,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class AllPropertiesWorkConfig extends WebSecurityConfigurerAdapter { + static class AllPropertiesWorkConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { SecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler(); WebExpressionVoter expressionVoter = new WebExpressionVoter(); AffirmativeBased adm = new AffirmativeBased(Collections.singletonList(expressionVoter)); @@ -950,6 +982,7 @@ public class ExpressionUrlAuthorizationConfigurerTests { .anyRequest().permitAll() .and() .formLogin(); + return http.build(); // @formatter:on } @@ -957,12 +990,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class AuthorizedRequestsWithPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class AuthorizedRequestsWithPostProcessorConfig { - static ApplicationListener AL = mock(ApplicationListener.class); - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -975,22 +1006,38 @@ public class ExpressionUrlAuthorizationConfigurerTests { return fsi; } }); + return http.build(); // @formatter:on } @Bean ApplicationListener applicationListener() { - return AL; + return new AuthorizedEventApplicationListener(); + } + + } + + static class AuthorizedEventApplicationListener implements ApplicationListener { + + static final List EVENTS = new ArrayList<>(); + + @Override + public void onApplicationEvent(AuthorizedEvent event) { + EVENTS.add(event); + } + + static void clearEvents() { + EVENTS.clear(); } } @Configuration @EnableWebSecurity - static class UseBeansInExpressions extends WebSecurityConfigurerAdapter { + static class UseBeansInExpressions { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -998,6 +1045,7 @@ public class ExpressionUrlAuthorizationConfigurerTests { .antMatchers("/user").hasRole("USER") .antMatchers("/allow").access("@permission.check(authentication,'user')") .anyRequest().access("@permission.check(authentication,'admin')"); + return http.build(); // @formatter:on } @@ -1018,10 +1066,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class CustomExpressionRootConfig extends WebSecurityConfigurerAdapter { + static class CustomExpressionRootConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1030,6 +1078,7 @@ public class ExpressionUrlAuthorizationConfigurerTests { .antMatchers("/user").hasRole("USER") .antMatchers("/allow").access("check('user')") .anyRequest().access("check('admin')"); + return http.build(); // @formatter:on } 
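Review bot: `AuthorizedEventApplicationListener.EVENTS` is a static list that every application context registering this listener appends to. Among the visible hunks it is reset only by the one test that calls `clearEvents()` before registering `AuthorizedRequestsWithPostProcessorConfig`, so any later test that reuses the listener inherits earlier events unless it remembers to clear first. I would record that contract on the field, e.g. `// static so the test can read events without a bean lookup; call clearEvents() before use`. Alternatively, make the list an instance field and look the listener bean up from the test's application context.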
@@ -1067,27 +1116,25 @@ public class ExpressionUrlAuthorizationConfigurerTests { } - @Configuration + @Configuration(proxyBeanMethods = false) @EnableWebSecurity - static class Sec3011Config extends WebSecurityConfigurerAdapter { + static class Sec3011Config { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @Bean @@ -1099,10 +1146,10 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class PermissionEvaluatorConfig extends WebSecurityConfigurerAdapter { + static class PermissionEvaluatorConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1111,6 +1158,7 @@ public class ExpressionUrlAuthorizationConfigurerTests { .antMatchers("/deny").access("hasPermission('ID', 'TYPE', 'NO PERMISSION')") .antMatchers("/denyObject").access("hasPermission('TESTOBJ', 'NO PERMISSION')") .anyRequest().permitAll(); + return http.build(); // @formatter:on } 
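Review bot: `Sec3011Config` is the only class in the visible hunks of this file switched to `@Configuration(proxyBeanMethods = false)`, and nothing in the hunk says why. The other migrated configs keep plain `@Configuration`, so a one-line comment above the annotation stating the reason would stop someone from reverting it as an oversight. The new `userDetailsService()` bean also registers `PasswordEncodedUser.user()` where the removed `auth.inMemoryAuthentication()` configured no users, so the fixture is no longer an exact port. That is presumably harmless, but worth confirming against the test that registers `Sec3011Config`.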
@@ -1135,16 +1183,17 @@ public class ExpressionUrlAuthorizationConfigurerTests { @Configuration @EnableWebSecurity - static class RoleHierarchyConfig extends WebSecurityConfigurerAdapter { + static class RoleHierarchyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/allow").access("hasRole('MEMBER')") .antMatchers("/deny").access("hasRole('ADMIN')") .anyRequest().permitAll(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java index 7fa2892624..b5c0d97513 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java 
@@ -25,19 +25,20 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.config.users.AuthenticationTestConfiguration; import org.springframework.security.core.context.SecurityContextChangedListener; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders; import org.springframework.security.web.PortMapper; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.ExceptionTranslationFilter; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; 
@@ -378,17 +379,18 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class RequestCacheConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheConfig { private RequestCache requestCache = mock(RequestCache.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin().and() .requestCache() .requestCache(this.requestCache); + return http.build(); // @formatter:on } @@ -407,19 +409,15 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class FormLoginConfig extends WebSecurityConfigurerAdapter { + static class FormLoginConfig { - @Override - public void configure(WebSecurity web) { - // @formatter:off - web - .ignoring() - .antMatchers("/resources/**"); - // @formatter:on + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().antMatchers("/resources/**"); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
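Review bot: The new `webSecurityCustomizer()` bean in `FormLoginConfig` keeps `web.ignoring().antMatchers("/resources/**")`, and nothing on the new side says why the path is ignored rather than permitted. Ignored requests skip the security filter chain altogether, so nothing configured in the `filterChain` bean applies to them. That deserves a comment in a fixture people copy from, e.g. `// ignoring() removes /resources/** from the security filter chain entirely`. If the test does not depend on that bypass, a `permitAll()` rule inside `filterChain` would cover the same path while keeping it in the chain. The body of `filterChain` continues in the next hunk.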
@@ -428,25 +426,22 @@ public class FormLoginConfigurerTests { .formLogin() .loginPage("/login"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class FormLoginInLambdaConfig extends WebSecurityConfigurerAdapter { + static class FormLoginInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -455,25 +450,22 @@ public class FormLoginConfigurerTests { ) .formLogin(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class FormLoginConfigPermitAll extends WebSecurityConfigurerAdapter { + static class FormLoginConfigPermitAll { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -481,6 +473,7 @@ public class FormLoginConfigurerTests { .and() .formLogin() .permitAll(); + return http.build(); // @formatter:on } 
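Review bot: `FormLoginConfig.userDetailsService()` replaces an override of `configure(AuthenticationManagerBuilder)` with a `@Bean`, and the identical method is repeated in `FormLoginInLambdaConfig`, `FormLoginLoginProcessingUrlConfig`, `FormLoginLoginProcessingUrlInLambdaConfig`, `DuplicateInvocationsDoesNotOverrideConfig` and `FormLoginUserForwardAuthenticationSuccessAndFailureConfig`. A bean is visible to the whole application context rather than to one adapter. That is presumably harmless here if each test registers a single config, but it deserves a short comment such as `// single in-memory user, shared by everything in this test context`. The six copies could also live in one shared nested configuration registered alongside the config under test. The file already imports `AuthenticationTestConfiguration`, which may serve that purpose, though its contents are not visible in this diff.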
@@ -488,10 +481,10 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class FormLoginDefaultsConfig extends WebSecurityConfigurerAdapter { + static class FormLoginDefaultsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -503,6 +496,7 @@ public class FormLoginConfigurerTests { .and() .logout() .permitAll(); + return http.build(); // @formatter:on } @@ -510,10 +504,10 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class FormLoginDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class FormLoginDefaultsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -526,6 +520,7 @@ public class FormLoginConfigurerTests { .permitAll() ) .logout(LogoutConfigurer::permitAll); + return http.build(); // @formatter:on } @@ -533,10 +528,10 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class FormLoginLoginProcessingUrlConfig extends WebSecurityConfigurerAdapter { + static class FormLoginLoginProcessingUrlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -555,25 +550,22 @@ public class FormLoginConfigurerTests { .logoutUrl("/logout") .deleteCookies("JSESSIONID"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class FormLoginLoginProcessingUrlInLambdaConfig extends WebSecurityConfigurerAdapter { + static class FormLoginLoginProcessingUrlInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -594,27 +586,24 @@ public class FormLoginConfigurerTests { .deleteCookies("JSESSIONID") ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class FormLoginUsesPortMapperConfig extends WebSecurityConfigurerAdapter { + static class FormLoginUsesPortMapperConfig { static PortMapper PORT_MAPPER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -629,18 +618,19 @@ public class FormLoginConfigurerTests { LoginUrlAuthenticationEntryPoint authenticationEntryPoint = (LoginUrlAuthenticationEntryPoint) http .getConfigurer(FormLoginConfigurer.class).getAuthenticationEntryPoint(); authenticationEntryPoint.setForceHttps(true); + return http.build(); } } @Configuration @EnableWebSecurity - static class PermitAllIgnoresFailureHandlerConfig extends WebSecurityConfigurerAdapter { + static class PermitAllIgnoresFailureHandlerConfig { static AuthenticationFailureHandler FAILURE_HANDLER = mock(AuthenticationFailureHandler.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -649,6 +639,7 @@ public class FormLoginConfigurerTests { .formLogin() .failureHandler(FAILURE_HANDLER) .permitAll(); + return http.build(); // @formatter:on } @@ -656,10 +647,10 @@ public class FormLoginConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateInvocationsDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateInvocationsDoesNotOverrideConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() 
@@ -667,25 +658,22 @@ public class FormLoginConfigurerTests { .and() .formLogin(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class FormLoginUserForwardAuthenticationSuccessAndFailureConfig extends WebSecurityConfigurerAdapter { + static class FormLoginUserForwardAuthenticationSuccessAndFailureConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() @@ -698,32 +686,30 @@ public class FormLoginConfigurerTests { .successForwardUrl("/success_forward_url") .permitAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .exceptionHandling() .and() .formLogin(); + return http.build(); // @formatter:on } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerEagerHeadersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerEagerHeadersTests.java index e9ae9ade3a..e2f673a0bd 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerEagerHeadersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerEagerHeadersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,14 +20,15 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpHeaders; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.header.HeaderWriterFilter; import org.springframework.test.web.servlet.MockMvc; 
@@ -61,10 +62,10 @@ public class HeadersConfigurerEagerHeadersTests { @Configuration @EnableWebSecurity - public static class HeadersAtTheBeginningOfRequestConfig extends WebSecurityConfigurerAdapter { + public static class HeadersAtTheBeginningOfRequestConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -75,6 +76,7 @@ public class HeadersConfigurerEagerHeadersTests { return filter; } }); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java index 84a2786baa..ca304bd0d2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java @@ -30,7 +30,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.SecurityFilterChain; 
@@ -567,13 +566,14 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HeadersConfig extends WebSecurityConfigurerAdapter { + static class HeadersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers(); + return http.build(); // @formatter:on } @@ -581,13 +581,14 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HeadersInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HeadersInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers(withDefaults()); + return http.build(); // @formatter:on } @@ -595,15 +596,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentTypeOptionsConfig extends WebSecurityConfigurerAdapter { + static class ContentTypeOptionsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .contentTypeOptions(); + return http.build(); // @formatter:on } @@ -611,10 +613,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentTypeOptionsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ContentTypeOptionsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -622,6 +624,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .contentTypeOptions(withDefaults()) ); + return http.build(); // @formatter:on } 
@@ -629,15 +632,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class FrameOptionsConfig extends WebSecurityConfigurerAdapter { + static class FrameOptionsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .frameOptions(); + return http.build(); // @formatter:on } @@ -645,15 +649,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HstsConfig extends WebSecurityConfigurerAdapter { + static class HstsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .httpStrictTransportSecurity(); + return http.build(); // @formatter:on } @@ -661,15 +666,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class CacheControlConfig extends WebSecurityConfigurerAdapter { + static class CacheControlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .cacheControl(); + return http.build(); // @formatter:on } @@ -677,10 +683,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class CacheControlInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CacheControlInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -688,6 +694,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .cacheControl(withDefaults()) ); + return http.build(); // @formatter:on } 
@@ -695,15 +702,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class XssProtectionConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .xssProtection(); + return http.build(); // @formatter:on } @@ -711,10 +719,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class XssProtectionValueDisabledConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionValueDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -722,15 +730,16 @@ public class HeadersConfigurerTests { .xssProtection() .headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED); // @formatter:on + return http.build(); } } @EnableWebSecurity - static class XssProtectionInLambdaConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -738,6 +747,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .xssProtection(withDefaults()) ); + return http.build(); // @formatter:on } 
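Review bot: `XssProtectionInLambdaConfig` carries only `@EnableWebSecurity`, whereas the neighbouring configs in this file are annotated with both `@Configuration` and `@EnableWebSecurity`; `HeadersCustomSameOriginConfig` in a later hunk has the same gap. The class now declares a `@Bean` method. Whether that method is processed as part of a full configuration class depends on whether `@EnableWebSecurity` is still meta-annotated with `@Configuration` in this version, which the diff does not show. Adding `@Configuration` above `@EnableWebSecurity` on both classes makes the fixtures independent of that detail and consistent with the rest of the file.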
@@ -745,10 +755,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class XssProtectionValueDisabledInLambdaConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionValueDisabledInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -759,19 +769,21 @@ public class HeadersConfigurerTests { ) ); // @formatter:on + return http.build(); } } @EnableWebSecurity - static class HeadersCustomSameOriginConfig extends WebSecurityConfigurerAdapter { + static class HeadersCustomSameOriginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .frameOptions().sameOrigin(); + return http.build(); // @formatter:on } @@ -779,16 +791,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HeadersCustomSameOriginInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HeadersCustomSameOriginInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> headers .frameOptions((frameOptionsConfig) -> frameOptionsConfig.sameOrigin()) ); + return http.build(); // @formatter:on } 
@@ -796,15 +809,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigNoPins extends WebSecurityConfigurerAdapter { + static class HpkpConfigNoPins { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .httpPublicKeyPinning(); + return http.build(); // @formatter:on } @@ -812,16 +826,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfig extends WebSecurityConfigurerAdapter { + static class HpkpConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="); + return http.build(); // @formatter:on } @@ -829,10 +844,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigWithPins extends WebSecurityConfigurerAdapter { + static class HpkpConfigWithPins { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { Map pins = new LinkedHashMap<>(); pins.put("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "sha256"); pins.put("E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=", "sha256"); @@ -842,6 +857,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .httpPublicKeyPinning() .withPins(pins); + return http.build(); // @formatter:on } 
@@ -849,10 +865,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigCustomAge extends WebSecurityConfigurerAdapter { + static class HpkpConfigCustomAge { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -860,6 +876,7 @@ public class HeadersConfigurerTests { .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") .maxAgeInSeconds(604800); + return http.build(); // @formatter:on } @@ -867,10 +884,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigTerminateConnection extends WebSecurityConfigurerAdapter { + static class HpkpConfigTerminateConnection { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -878,6 +895,7 @@ public class HeadersConfigurerTests { .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") .reportOnly(false); + return http.build(); // @formatter:on } @@ -885,10 +903,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigIncludeSubDomains extends WebSecurityConfigurerAdapter { + static class HpkpConfigIncludeSubDomains { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -896,6 +914,7 @@ public class HeadersConfigurerTests { .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") .includeSubDomains(true); + return http.build(); // @formatter:on } 
@@ -903,10 +922,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigWithReportURI extends WebSecurityConfigurerAdapter { + static class HpkpConfigWithReportURI { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -914,6 +933,7 @@ public class HeadersConfigurerTests { .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") .reportUri(new URI("https://example.net/pkp-report")); + return http.build(); // @formatter:on } @@ -921,10 +941,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpConfigWithReportURIAsString extends WebSecurityConfigurerAdapter { + static class HpkpConfigWithReportURIAsString { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -932,6 +952,7 @@ public class HeadersConfigurerTests { .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") .reportUri("https://example.net/pkp-report"); + return http.build(); // @formatter:on } @@ -939,10 +960,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HpkpWithReportUriInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HpkpWithReportUriInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -954,6 +975,7 @@ public class HeadersConfigurerTests { .reportUri("https://example.net/pkp-report") ) ); + return http.build(); // @formatter:on } 
@@ -961,15 +983,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyDefaultConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyDefaultConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .contentSecurityPolicy("default-src 'self'"); + return http.build(); // @formatter:on } @@ -977,16 +1000,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyReportOnlyConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyReportOnlyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .contentSecurityPolicy("default-src 'self'; script-src trustedscripts.example.com") .reportOnly(); + return http.build(); // @formatter:on } @@ -994,10 +1018,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyReportOnlyInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyReportOnlyInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1009,6 +1033,7 @@ public class HeadersConfigurerTests { .reportOnly() ) ); + return http.build(); // @formatter:on } 
@@ -1016,15 +1041,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyInvalidConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyInvalidConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .contentSecurityPolicy(""); + return http.build(); // @formatter:on } @@ -1032,10 +1058,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyInvalidInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyInvalidInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1045,6 +1071,7 @@ public class HeadersConfigurerTests { csp.policyDirectives("") ) ); + return http.build(); // @formatter:on } @@ -1052,10 +1079,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ContentSecurityPolicyNoDirectivesInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ContentSecurityPolicyNoDirectivesInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1063,6 +1090,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .contentSecurityPolicy(withDefaults()) ); + return http.build(); // @formatter:on } 
@@ -1070,15 +1098,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ReferrerPolicyDefaultConfig extends WebSecurityConfigurerAdapter { + static class ReferrerPolicyDefaultConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .referrerPolicy(); + return http.build(); // @formatter:on } @@ -1086,10 +1115,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ReferrerPolicyDefaultInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ReferrerPolicyDefaultInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1097,6 +1126,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .referrerPolicy() ); + return http.build(); // @formatter:on } @@ -1104,15 +1134,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ReferrerPolicyCustomConfig extends WebSecurityConfigurerAdapter { + static class ReferrerPolicyCustomConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .referrerPolicy(ReferrerPolicy.SAME_ORIGIN); + return http.build(); // @formatter:on } 
@@ -1120,10 +1151,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class ReferrerPolicyCustomInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ReferrerPolicyCustomInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1133,6 +1164,7 @@ public class HeadersConfigurerTests { referrerPolicy.policy(ReferrerPolicy.SAME_ORIGIN) ) ); + return http.build(); // @formatter:on } @@ -1140,15 +1172,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class FeaturePolicyConfig extends WebSecurityConfigurerAdapter { + static class FeaturePolicyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .featurePolicy("geolocation 'self'"); + return http.build(); // @formatter:on } @@ -1156,15 +1189,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class FeaturePolicyInvalidConfig extends WebSecurityConfigurerAdapter { + static class FeaturePolicyInvalidConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .featurePolicy(""); + return http.build(); // @formatter:on } 
@@ -1172,15 +1206,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class PermissionsPolicyConfig extends WebSecurityConfigurerAdapter { + static class PermissionsPolicyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .permissionsPolicy((permissionsPolicy) -> permissionsPolicy.policy("geolocation=(self)")); + return http.build(); // @formatter:on } @@ -1188,16 +1223,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class PermissionsPolicyStringConfig extends WebSecurityConfigurerAdapter { + static class PermissionsPolicyStringConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .permissionsPolicy() .policy("geolocation=(self)"); + return http.build(); // @formatter:on } @@ -1205,15 +1241,16 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class PermissionsPolicyInvalidConfig extends WebSecurityConfigurerAdapter { + static class PermissionsPolicyInvalidConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .permissionsPolicy((permissionsPolicy) -> permissionsPolicy.policy(null)); + return http.build(); // @formatter:on } 
@@ -1221,16 +1258,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class PermissionsPolicyInvalidStringConfig extends WebSecurityConfigurerAdapter { + static class PermissionsPolicyInvalidStringConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .permissionsPolicy() .policy(""); + return http.build(); // @formatter:on } @@ -1238,16 +1276,17 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HstsWithPreloadConfig extends WebSecurityConfigurerAdapter { + static class HstsWithPreloadConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .httpStrictTransportSecurity() .preload(true); + return http.build(); // @formatter:on } @@ -1255,10 +1294,10 @@ public class HeadersConfigurerTests { @Configuration @EnableWebSecurity - static class HstsWithPreloadInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HstsWithPreloadInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers((headers) -> @@ -1266,6 +1305,7 @@ public class HeadersConfigurerTests { .defaultsDisabled() .httpStrictTransportSecurity((hstsConfig) -> hstsConfig.preload(true)) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java index 4fe152eec6..e7bd6cd4e0 100644 
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.java @@ -28,10 +28,8 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.AuthenticationException; @@ -149,15 +147,16 @@ public class HttpBasicConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic(); + return http.build(); // @formatter:on } 
@@ -179,10 +178,10 @@ public class HttpBasicConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultsLambdaEntryPointConfig extends WebSecurityConfigurerAdapter { + static class DefaultsLambdaEntryPointConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -191,24 +190,22 @@ public class HttpBasicConfigurerTests { ) .httpBasic(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @Configuration @EnableWebSecurity - static class DefaultsEntryPointConfig extends WebSecurityConfigurerAdapter { + static class DefaultsEntryPointConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
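Review bot: The `userDetailsService()` bean added to `DefaultsLambdaEntryPointConfig` returns an `InMemoryUserDetailsManager` with no users, and nothing in the hunk says the empty store is deliberate. It replaces `auth.inMemoryAuthentication()`, which also registered no users, so a one-line comment would stop a later reader from "fixing" it by adding an account: `// Intentionally empty, like the removed auth.inMemoryAuthentication(): no credentials can authenticate`. The old override configured the builder passed to this adapter, whereas a `@Bean` is visible to the whole application context. That looks harmless while each test registers a single config class, but the comment could mention it. The same replacement appears in the following HttpBasicConfigurerTests hunks and in HttpSecurityAntMatchersTests, HttpSecurityLogoutTests and HttpSecurityRequestMatchersTests. The class body continues outside this hunk.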
@@ -216,26 +213,24 @@ public class HttpBasicConfigurerTests { .and() .httpBasic(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @Configuration @EnableWebSecurity - static class CustomAuthenticationEntryPointConfig extends WebSecurityConfigurerAdapter { + static class CustomAuthenticationEntryPointConfig { static AuthenticationEntryPoint ENTRY_POINT = mock(AuthenticationEntryPoint.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -244,26 +239,24 @@ public class HttpBasicConfigurerTests { .httpBasic() .authenticationEntryPoint(ENTRY_POINT); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @Configuration @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateDoesNotOverrideConfig { static AuthenticationEntryPoint ENTRY_POINT = mock(AuthenticationEntryPoint.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -274,35 +267,33 @@ public class HttpBasicConfigurerTests { .and() .httpBasic(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class BasicUsesRememberMeConfig extends WebSecurityConfigurerAdapter { + static class BasicUsesRememberMeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .and() .rememberMe(); + return http.build(); // @formatter:on } - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager( // @formatter:off org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java index 0969c1fa81..d58e1b7faa 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityAntMatchersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,16 +22,18 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; import static org.assertj.core.api.Assertions.assertThat; @@ -94,10 +96,10 @@ public class HttpSecurityAntMatchersTests { @EnableWebSecurity @Configuration - static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter { + static class AntMatchersNoPatternsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() 
@@ -106,24 +108,22 @@ public class HttpSecurityAntMatchersTests { .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } @EnableWebSecurity @Configuration - static class AntMatchersEmptyPatternsConfig extends WebSecurityConfigurerAdapter { + static class AntMatchersEmptyPatternsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() @@ -133,14 +133,12 @@ public class HttpSecurityAntMatchersTests { .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java index f4d4c5db0b..9df0b03d67 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -21,18 +21,20 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; 
@@ -92,24 +94,22 @@ public class HttpSecurityLogoutTests { @EnableWebSecurity @Configuration - static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter { + static class ClearAuthenticationFalseConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf().disable() .logout() .clearAuthentication(false); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java index 6e0c081489..434867a977 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityRequestMatchersTests.java 
@@ -30,10 +30,10 @@ import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletContext; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.SecurityFilterChain; import org.springframework.web.bind.annotation.RequestMapping; @@ -308,10 +308,10 @@ public class HttpSecurityRequestMatchersTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .mvcMatcher("/path") @@ -319,14 +319,12 @@ public class HttpSecurityRequestMatchersTests { .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController 
@@ -344,10 +342,10 @@ public class HttpSecurityRequestMatchersTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class RequestMatchersMvcMatcherConfig extends WebSecurityConfigurerAdapter { + static class RequestMatchersMvcMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() @@ -357,14 +355,12 @@ public class HttpSecurityRequestMatchersTests { .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -382,10 +378,10 @@ public class HttpSecurityRequestMatchersTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class RequestMatchersMvcMatcherInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequestMatchersMvcMatcherInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers((requestMatchers) -> @@ -397,6 +393,7 @@ public class HttpSecurityRequestMatchersTests { authorizeRequests .anyRequest().denyAll() ); + return http.build(); // @formatter:on } 
@@ -415,10 +412,10 @@ public class HttpSecurityRequestMatchersTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class RequestMatchersMvcMatcherServeltPathConfig extends WebSecurityConfigurerAdapter { + static class RequestMatchersMvcMatcherServeltPathConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() @@ -429,14 +426,12 @@ public class HttpSecurityRequestMatchersTests { .authorizeRequests() .anyRequest().denyAll(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController @@ -454,10 +449,10 @@ public class HttpSecurityRequestMatchersTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class RequestMatchersMvcMatcherServletPathInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequestMatchersMvcMatcherServletPathInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers((requestMatchers) -> @@ -470,6 +465,7 @@ public class HttpSecurityRequestMatchersTests { authorizeRequests .anyRequest().denyAll() ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/Issue55Tests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/Issue55Tests.java deleted file mode 100644 index 822f7ce52e..0000000000 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/Issue55Tests.java +++ /dev/null 
@@ -1,177 +0,0 @@ -/* - * Copyright 2002-2019 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.config.annotation.web.configurers; - -import java.lang.reflect.InvocationTargetException; -import java.util.List; - -import jakarta.servlet.Filter; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; - -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.core.annotation.Order; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.test.SpringTestContext; -import org.springframework.security.config.test.SpringTestContextExtension; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.web.FilterChainProxy; -import org.springframework.security.web.SecurityFilterChain; -import 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor; -import org.springframework.stereotype.Component; - -import static org.assertj.core.api.Assertions.assertThat; - -/** - * @author Rob Winch - * @author Konstantin Volivach - */ -@ExtendWith(SpringTestContextExtension.class) -public class Issue55Tests { - - public final SpringTestContext spring = new SpringTestContext(this); - - @Test - public void webSecurityConfigurerAdapterDefaultToAutowired() { - TestingAuthenticationToken token = new TestingAuthenticationToken("test", "this"); - this.spring.register(WebSecurityConfigurerAdapterDefaultsAuthManagerConfig.class); - this.spring.getContext().getBean(FilterChainProxy.class); - FilterSecurityInterceptor filter = (FilterSecurityInterceptor) findFilter(FilterSecurityInterceptor.class, 0); - assertThat(filter.getAuthenticationManager().authenticate(token)).isEqualTo(CustomAuthenticationManager.RESULT); - } - - @Test - public void multiHttpWebSecurityConfigurerAdapterDefaultsToAutowired() - throws NoSuchMethodException, InvocationTargetException, IllegalAccessException { - TestingAuthenticationToken token = new TestingAuthenticationToken("test", "this"); - this.spring.register(MultiWebSecurityConfigurerAdapterDefaultsAuthManagerConfig.class); - this.spring.getContext().getBean(FilterChainProxy.class); - FilterSecurityInterceptor filter = (FilterSecurityInterceptor) findFilter(FilterSecurityInterceptor.class, 0); - assertThat(filter.getAuthenticationManager().authenticate(token)).isEqualTo(CustomAuthenticationManager.RESULT); - FilterSecurityInterceptor secondFilter = (FilterSecurityInterceptor) findFilter(FilterSecurityInterceptor.class, - 1); - assertThat(secondFilter.getAuthenticationManager().authenticate(token)) - .isEqualTo(CustomAuthenticationManager.RESULT); - } - - Filter findFilter(Class filter, int index) { - List filters = filterChain(index).getFilters(); - for (Filter it : filters) { - if (filter.isAssignableFrom(it.getClass())) { - 
return it; - } - } - return null; - } - - SecurityFilterChain filterChain(int index) { - return this.spring.getContext().getBean(FilterChainProxy.class).getFilterChains().get(index); - } - - @Configuration - @EnableWebSecurity - static class WebSecurityConfigurerAdapterDefaultsAuthManagerConfig { - - @Component - public static class WebSecurityAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .anyRequest().hasRole("USER"); - // @formatter:on - } - - } - - @Configuration - public static class AuthenticationManagerConfiguration { - - @Bean - public AuthenticationManager authenticationManager() throws Exception { - return new CustomAuthenticationManager(); - } - - } - - } - - @Configuration - @EnableWebSecurity - static class MultiWebSecurityConfigurerAdapterDefaultsAuthManagerConfig { - - @Component - @Order(1) - public static class ApiWebSecurityAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http.antMatcher("/api/**") - .authorizeRequests() - .anyRequest().hasRole("USER"); - // @formatter:on - } - - } - - @Component - public static class WebSecurityAdapter extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // @formatter:off - http - .authorizeRequests() - .anyRequest().hasRole("USER"); - // @formatter:on - } - - } - - @Configuration - public static class AuthenticationManagerConfiguration { - - @Bean - public AuthenticationManager authenticationManager() throws Exception { - return new CustomAuthenticationManager(); - } - - } - - } - - static class CustomAuthenticationManager implements AuthenticationManager { - - static Authentication RESULT = new TestingAuthenticationToken("test", "this", "ROLE_USER"); - - @Override - public Authentication authenticate(Authentication 
authentication) throws AuthenticationException { - return RESULT; - } - - } - -} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java index ffedc7de37..4c3286110e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/JeeConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -27,13 +27,13 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.User; import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource; import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter; import org.springframework.test.web.servlet.MockMvc; @@ -154,15 +154,16 @@ public class JeeConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .jee(); + return http.build(); // @formatter:on } 
@@ -184,16 +185,17 @@ public class JeeConfigurerTests { @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotOverride extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverride { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .jee() .mappableRoles("USER") .and() .jee(); + return http.build(); // @formatter:on } @@ -201,10 +203,10 @@ public class JeeConfigurerTests { @Configuration @EnableWebSecurity - public static class JeeMappableRolesConfig extends WebSecurityConfigurerAdapter { + public static class JeeMappableRolesConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -215,6 +217,7 @@ public class JeeConfigurerTests { jee .mappableRoles("USER") ); + return http.build(); // @formatter:on } @@ -222,10 +225,10 @@ public class JeeConfigurerTests { @Configuration @EnableWebSecurity - public static class JeeMappableAuthoritiesConfig extends WebSecurityConfigurerAdapter { + public static class JeeMappableAuthoritiesConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -236,6 +239,7 @@ public class JeeConfigurerTests { jee .mappableAuthorities("ROLE_USER") ); + return http.build(); // @formatter:on } 
@@ -243,13 +247,13 @@ public class JeeConfigurerTests { @Configuration @EnableWebSecurity - public static class JeeCustomAuthenticatedUserDetailsServiceConfig extends WebSecurityConfigurerAdapter { + public static class JeeCustomAuthenticatedUserDetailsServiceConfig { static AuthenticationUserDetailsService authenticationUserDetailsService = mock( AuthenticationUserDetailsService.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -260,6 +264,7 @@ public class JeeConfigurerTests { jee .authenticatedUserDetailsService(authenticationUserDetailsService) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerClearSiteDataTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerClearSiteDataTests.java index 7d27531347..2a8f102a0f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerClearSiteDataTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerClearSiteDataTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -20,14 +20,15 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler; import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter; import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive; @@ -90,14 +91,15 @@ public class LogoutConfigurerClearSiteDataTests { @Configuration @EnableWebSecurity - static class HttpLogoutConfig extends WebSecurityConfigurerAdapter { + static class HttpLogoutConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE))); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java index cf4fd12da2..67f351235a 100644 
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java @@ -27,13 +27,15 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.MediaType; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; 
@@ -324,14 +326,15 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullLogoutSuccessHandlerConfig extends WebSecurityConfigurerAdapter { + static class NullLogoutSuccessHandlerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .defaultLogoutSuccessHandlerFor(null, mock(RequestMatcher.class)); + return http.build(); // @formatter:on } @@ -339,15 +342,16 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullLogoutSuccessHandlerInLambdaConfig extends WebSecurityConfigurerAdapter { + static class NullLogoutSuccessHandlerInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout((logout) -> logout.defaultLogoutSuccessHandlerFor(null, mock(RequestMatcher.class)) ); + return http.build(); // @formatter:on } @@ -355,14 +359,15 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullMatcherConfig extends WebSecurityConfigurerAdapter { + static class NullMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .defaultLogoutSuccessHandlerFor(mock(LogoutSuccessHandler.class), null); + return http.build(); // @formatter:on } 
@@ -370,15 +375,16 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullMatcherInLambdaConfig extends WebSecurityConfigurerAdapter { + static class NullMatcherInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout((logout) -> logout.defaultLogoutSuccessHandlerFor(mock(LogoutSuccessHandler.class), null) ); + return http.build(); // @formatter:on } @@ -386,15 +392,16 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout(); + return http.build(); // @formatter:on } @@ -416,10 +423,10 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateDoesNotOverrideConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() 
@@ -427,29 +434,28 @@ public class LogoutConfigurerTests { .and() .logout(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class CsrfDisabledConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .disable() .logout(); + return http.build(); // @formatter:on } @@ -457,16 +463,17 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfDisabledAndCustomLogoutConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisabledAndCustomLogoutConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .disable() .logout() .logoutUrl("/custom/logout"); + return http.build(); // @formatter:on } @@ -474,15 +481,16 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfDisabledAndCustomLogoutInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisabledAndCustomLogoutInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .disable() .logout((logout) -> logout.logoutUrl("/custom/logout")); + return http.build(); // @formatter:on } 
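Review bot: In `DuplicateDoesNotOverrideConfig` the migration changes the fixture's user store, not only its shape. The removed `configure(AuthenticationManagerBuilder)` called `auth.inMemoryAuthentication()` without adding a user, while the new `userDetailsService()` bean registers `PasswordEncodedUser.user()`. If the test that loads this config (outside the hunk) never authenticates, the store can stay empty with `return new InMemoryUserDetailsManager();`. Otherwise a short comment on the bean should say why the user is now required. The start of the class and of `filterChain` lies in the preceding hunk.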
@@ -490,14 +498,15 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullLogoutHandlerConfig extends WebSecurityConfigurerAdapter { + static class NullLogoutHandlerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .addLogoutHandler(null); + return http.build(); // @formatter:on } @@ -505,13 +514,14 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class NullLogoutHandlerInLambdaConfig extends WebSecurityConfigurerAdapter { + static class NullLogoutHandlerInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout((logout) -> logout.addLogoutHandler(null)); + return http.build(); // @formatter:on } @@ -519,16 +529,17 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class RememberMeNoLogoutHandler extends WebSecurityConfigurerAdapter { + static class RememberMeNoLogoutHandler { static RememberMeServices REMEMBER_ME = mock(RememberMeServices.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .rememberMe() .rememberMeServices(REMEMBER_ME); + return http.build(); // @formatter:on } 
@@ -536,20 +547,21 @@ public class LogoutConfigurerTests { @Configuration @EnableWebSecurity - static class BasicSecurityConfig extends WebSecurityConfigurerAdapter { + static class BasicSecurityConfig { } @Configuration @EnableWebSecurity - static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter { + static class LogoutDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .disable(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.java index 652abb4405..86c2cd2356 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceDebugTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.debug.DebugFilter; 
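Review bot: `BasicSecurityConfig` is now an empty `@EnableWebSecurity` class with no `SecurityFilterChain` bean, so the rules it applies come from whatever default chain the framework registers, and that code is not visible in this hunk. The same applies to `DebugWebSecurity` and `NoDebugWebSecurity` in NamespaceDebugTests. A one-line comment in each body would record that the emptiness is deliberate, for example `// intentionally empty: the test relies on the default SecurityFilterChain`. Without it a reader cannot tell a deliberate default from a chain that was lost in the migration.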
@@ -87,13 +86,13 @@ public class NamespaceDebugTests { @Configuration @EnableWebSecurity(debug = true) - static class DebugWebSecurity extends WebSecurityConfigurerAdapter { + static class DebugWebSecurity { } @Configuration @EnableWebSecurity - static class NoDebugWebSecurity extends WebSecurityConfigurerAdapter { + static class NoDebugWebSecurity { } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java index a29f407d8d..0e3cd35719 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpAnonymousTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,17 +22,19 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AnonymousAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @@ -89,15 +91,16 @@ public class NamespaceHttpAnonymousTests { @Configuration @EnableWebSecurity - static class AnonymousConfig extends WebSecurityConfigurerAdapter { + static class AnonymousConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/type").anonymous() .anyRequest().denyAll(); + return http.build(); // @formatter:on } 
@@ -105,10 +108,10 @@ public class NamespaceHttpAnonymousTests { @Configuration @EnableWebSecurity - static class AnonymousDisabledConfig extends WebSecurityConfigurerAdapter { + static class AnonymousDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -116,26 +119,22 @@ public class NamespaceHttpAnonymousTests { .and() .anonymous().disable(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()) - .withUser(PasswordEncodedUser.admin()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); } } @Configuration @EnableWebSecurity - static class AnonymousGrantedAuthorityConfig extends WebSecurityConfigurerAdapter { + static class AnonymousGrantedAuthorityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -144,6 +143,7 @@ public class NamespaceHttpAnonymousTests { .and() .anonymous() .authorities("ROLE_ANON"); + return http.build(); // @formatter:on } @@ -151,10 +151,10 @@ public class NamespaceHttpAnonymousTests { @Configuration @EnableWebSecurity - static class AnonymousKeyConfig extends WebSecurityConfigurerAdapter { + static class AnonymousKeyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -162,6 +162,7 @@ public class NamespaceHttpAnonymousTests { .anyRequest().denyAll() .and() .anonymous().key("AnonymousKeyConfig"); + return http.build(); // @formatter:on } @@ -169,10 +170,10 @@ public class NamespaceHttpAnonymousTests { @Configuration @EnableWebSecurity - static class AnonymousUsernameConfig extends WebSecurityConfigurerAdapter { + static class AnonymousUsernameConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -180,6 +181,7 @@ public class NamespaceHttpAnonymousTests { .anyRequest().denyAll() .and() .anonymous().principal("AnonymousUsernameConfig"); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java index 493f1e8702..1c06c67704 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpBasicTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -27,13 +27,13 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationDetailsSource; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; @@ -177,16 +177,17 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class HttpBasicConfig extends WebSecurityConfigurerAdapter { + static class HttpBasicConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("USER") .and() .httpBasic(); + return http.build(); // @formatter:on } @@ -194,10 +195,10 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class HttpBasicLambdaConfig extends WebSecurityConfigurerAdapter { + static class HttpBasicLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> 
@@ -205,6 +206,7 @@ public class NamespaceHttpBasicTests { .anyRequest().hasRole("USER") ) .httpBasic(withDefaults()); + return http.build(); // @formatter:on } @@ -212,16 +214,17 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class CustomHttpBasicConfig extends WebSecurityConfigurerAdapter { + static class CustomHttpBasicConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("USER") .and() .httpBasic().realmName("Custom Realm"); + return http.build(); // @formatter:on } @@ -229,10 +232,10 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class CustomHttpBasicLambdaConfig extends WebSecurityConfigurerAdapter { + static class CustomHttpBasicLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -240,6 +243,7 @@ public class NamespaceHttpBasicTests { .anyRequest().hasRole("USER") ) .httpBasic((httpBasicConfig) -> httpBasicConfig.realmName("Custom Realm")); + return http.build(); // @formatter:on } @@ -247,17 +251,18 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class AuthenticationDetailsSourceHttpBasicConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationDetailsSourceHttpBasicConfig { AuthenticationDetailsSource authenticationDetailsSource = mock( AuthenticationDetailsSource.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() .authenticationDetailsSource(this.authenticationDetailsSource); + return http.build(); // @formatter:on } 
@@ -270,17 +275,18 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class AuthenticationDetailsSourceHttpBasicLambdaConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationDetailsSourceHttpBasicLambdaConfig { AuthenticationDetailsSource authenticationDetailsSource = mock( AuthenticationDetailsSource.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic((httpBasicConfig) -> httpBasicConfig.authenticationDetailsSource(this.authenticationDetailsSource)); + return http.build(); // @formatter:on } @@ -293,12 +299,12 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class EntryPointRefHttpBasicConfig extends WebSecurityConfigurerAdapter { + static class EntryPointRefHttpBasicConfig { AuthenticationEntryPoint authenticationEntryPoint = (request, response, ex) -> response.setStatus(999); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -306,6 +312,7 @@ public class NamespaceHttpBasicTests { .and() .httpBasic() .authenticationEntryPoint(this.authenticationEntryPoint); + return http.build(); // @formatter:on } @@ -313,12 +320,12 @@ public class NamespaceHttpBasicTests { @Configuration @EnableWebSecurity - static class EntryPointRefHttpBasicLambdaConfig extends WebSecurityConfigurerAdapter { + static class EntryPointRefHttpBasicLambdaConfig { AuthenticationEntryPoint authenticationEntryPoint = (request, response, ex) -> response.setStatus(999); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> 
@@ -327,6 +334,7 @@ public class NamespaceHttpBasicTests { ) .httpBasic((httpBasicConfig) -> httpBasicConfig.authenticationEntryPoint(this.authenticationEntryPoint)); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java index 8587767995..807c9a01c4 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,8 +32,8 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.TestHttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; 
@@ -43,6 +43,7 @@ import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.web.filter.OncePerRequestFilter; @@ -100,14 +101,15 @@ public class NamespaceHttpCustomFilterTests { @Configuration @EnableWebSecurity - static class CustomFilterBeforeConfig extends WebSecurityConfigurerAdapter { + static class CustomFilterBeforeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class) .formLogin(); + return http.build(); // @formatter:on } @@ -115,14 +117,15 @@ public class NamespaceHttpCustomFilterTests { @Configuration @EnableWebSecurity - static class CustomFilterAfterConfig extends WebSecurityConfigurerAdapter { + static class CustomFilterAfterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .addFilterAfter(new CustomFilter(), UsernamePasswordAuthenticationFilter.class) .formLogin(); + return http.build(); // @formatter:on } 
@@ -130,20 +133,17 @@ public class NamespaceHttpCustomFilterTests { @Configuration @EnableWebSecurity - static class CustomFilterPositionConfig extends WebSecurityConfigurerAdapter { + static class CustomFilterPositionConfig { - CustomFilterPositionConfig() { - // do not add the default filters to make testing easier - super(true); - } - - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off + TestHttpSecurity.disableDefaults(http); http // this works so long as the CustomFilter extends one of the standard filters // if not, use addFilterBefore or addFilterAfter .addFilter(new CustomFilter()); + return http.build(); // @formatter:on } @@ -151,18 +151,15 @@ public class NamespaceHttpCustomFilterTests { @Configuration @EnableWebSecurity - static class CustomFilterPositionAtConfig extends WebSecurityConfigurerAdapter { + static class CustomFilterPositionAtConfig { - CustomFilterPositionAtConfig() { - // do not add the default filters to make testing easier - super(true); - } - - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off + TestHttpSecurity.disableDefaults(http); http .addFilterAt(new OtherCustomFilter(), UsernamePasswordAuthenticationFilter.class); + return http.build(); // @formatter:on } 
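Review bot: `CustomFilterPositionConfig` and `CustomFilterPositionAtConfig` lose the comment `// do not add the default filters to make testing easier` along with the `super(true)` constructor, and the replacement call `TestHttpSecurity.disableDefaults(http);` has no explanation. Restore the comment directly above the call; `NoAuthenticationManagerInHttpConfigurationConfig` in the next hunk uses the same call and needs it too. Judging by its name the helper strips the default protections from the chain (its body is not shown here), so the comment should mark it as a test-only shortcut, e.g. `// test only: drop the default filters so the assertions see just the custom filter`. Moving the call above `// @formatter:off` would also keep the unformatted region to the fluent chain.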
@@ -170,25 +167,23 @@ public class NamespaceHttpCustomFilterTests { @Configuration @EnableWebSecurity - static class NoAuthenticationManagerInHttpConfigurationConfig extends WebSecurityConfigurerAdapter { + static class NoAuthenticationManagerInHttpConfigurationConfig { - NoAuthenticationManagerInHttpConfigurationConfig() { - super(true); - } - - @Override - protected AuthenticationManager authenticationManager() { + @Bean + AuthenticationManager authenticationManager() { return new CustomAuthenticationManager(); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off + TestHttpSecurity.disableDefaults(http); http .authorizeRequests() .anyRequest().hasRole("USER") .and() .addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpExpressionHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpExpressionHandlerTests.java index 5763a9fe10..21207141e1 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpExpressionHandlerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpExpressionHandlerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -26,14 +26,17 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.expression.ExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.MockMvc; 
@@ -78,22 +81,17 @@ public class NamespaceHttpExpressionHandlerTests { @Configuration @EnableWebMvc @EnableWebSecurity - private static class ExpressionHandlerConfig extends WebSecurityConfigurerAdapter { + static class ExpressionHandlerConfig { - ExpressionHandlerConfig() { + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on - } - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler(); handler.setExpressionParser(expressionParser()); // @formatter:off @@ -102,6 +100,7 @@ public class NamespaceHttpExpressionHandlerTests { .expressionHandler(handler) .anyRequest().access("hasRole('USER')"); // @formatter:on + return http.build(); } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java index f2fb171c16..48758ad268 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java 
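Review bot: `userDetailsService()` in `ExpressionHandlerConfig` builds the user with `User.withDefaultPasswordEncoder()`, which is deprecated as unsuitable for production, and nothing marks it as acceptable only in a test. Other configs converted in this commit (`HttpInterceptUrlConfig`, `RequestCacheRefConfig`) use `PasswordEncodedUser` instead. Because this test needs the username `rod`, I would keep the builder and add `// test fixture only: withDefaultPasswordEncoder() is not safe outside tests` above it. The stored password is also now encoded, where the removed `inMemoryAuthentication()` setup stored it as given; the file imports `@WithMockUser`, so this likely has no effect on these tests.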
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,9 +23,8 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.firewall.DefaultHttpFirewall; @@ -78,11 +77,11 @@ public class NamespaceHttpFirewallTests { @Configuration @EnableWebSecurity - static class CustomHttpFirewallConfig extends WebSecurityConfigurerAdapter { + static class CustomHttpFirewallConfig { - @Override - public void configure(WebSecurity web) { - web.httpFirewall(new CustomHttpFirewall()); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.httpFirewall(new CustomHttpFirewall()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java index 8c53c2be8d..c5e90d0174 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,14 +24,14 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; 
@@ -111,21 +111,22 @@ public class NamespaceHttpFormLoginTests { @Configuration @EnableWebSecurity - static class FormLoginConfig extends WebSecurityConfigurerAdapter { + static class FormLoginConfig { - @Override - public void configure(WebSecurity web) { - web.ignoring().antMatchers("/resources/**"); + @Bean + WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring().antMatchers("/resources/**"); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().hasRole("USER") .and() .formLogin(); + return http.build(); // @formatter:on } @@ -133,10 +134,10 @@ public class NamespaceHttpFormLoginTests { @Configuration @EnableWebSecurity - static class FormLoginCustomConfig extends WebSecurityConfigurerAdapter { + static class FormLoginCustomConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { boolean alwaysUseDefaultSuccess = true; // @formatter:off http @@ -149,7 +150,8 @@ public class NamespaceHttpFormLoginTests { .loginPage("/authentication/login") // form-login@login-page .failureUrl("/authentication/login?failed") // form-login@authentication-failure-url .loginProcessingUrl("/authentication/login/process") // form-login@login-processing-url - .defaultSuccessUrl("/default", alwaysUseDefaultSuccess); // form-login@default-target-url / form-login@always-use-default-target + .defaultSuccessUrl("/default", alwaysUseDefaultSuccess); + return http.build(); // form-login@default-target-url / form-login@always-use-default-target // @formatter:on } 
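Review bot: `webSecurityCustomizer()` in `FormLoginConfig` carries over `web.ignoring().antMatchers("/resources/**")` without noting that ignored paths skip the whole filter chain. Responses under `/resources/**` therefore get none of the security headers or other filters this configuration sets up. If the line exists only to mirror the namespace fixture (an assumption, since the matching XML is not on this page), a comment should say so: `// ignoring() bypasses every security filter; kept to mirror the namespace config, prefer permitAll() in application code`.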
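Review bot: In `FormLoginCustomConfig.filterChain` the trailing comment `// form-login@default-target-url / form-login@always-use-default-target` now sits on `return http.build();` rather than on the `.defaultSuccessUrl("/default", alwaysUseDefaultSuccess);` call it documents. I would write `.defaultSuccessUrl("/default", alwaysUseDefaultSuccess); // form-login@default-target-url / form-login@always-use-default-target` and leave `return http.build();` bare. `CustomHttpLogoutConfig` in NamespaceHttpLogoutTests has the same slip with `// logout@success-url (default is /login?logout)`. The method starts in the previous hunk.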
@@ -157,10 +159,10 @@ public class NamespaceHttpFormLoginTests { @Configuration @EnableWebSecurity - static class FormLoginCustomRefsConfig extends WebSecurityConfigurerAdapter { + static class FormLoginCustomRefsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler(); successHandler.setDefaultTargetUrl("/custom/targetUrl"); // @formatter:off @@ -174,6 +176,7 @@ public class NamespaceHttpFormLoginTests { .successHandler(successHandler) // form-login@authentication-success-handler-ref .authenticationDetailsSource(authenticationDetailsSource()) // form-login@authentication-details-source-ref .and(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java index 2053fa4779..e13ad004ab 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java 
@@ -25,12 +25,13 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.header.writers.StaticHeadersWriter; import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter; import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy; @@ -154,13 +155,14 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class HeadersDefaultConfig extends WebSecurityConfigurerAdapter { + static class HeadersDefaultConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers(); + return http.build(); // @formatter:on } @@ -168,15 +170,16 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class HeadersCacheControlConfig extends WebSecurityConfigurerAdapter { + static class HeadersCacheControlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .cacheControl(); + return http.build(); // @formatter:on } 
@@ -184,15 +187,16 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class HstsConfig extends WebSecurityConfigurerAdapter { + static class HstsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .httpStrictTransportSecurity(); + return http.build(); // @formatter:on } @@ -200,10 +204,10 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class HstsCustomConfig extends WebSecurityConfigurerAdapter { + static class HstsCustomConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -213,6 +217,7 @@ public class NamespaceHttpHeadersTests { .requestMatcher(AnyRequestMatcher.INSTANCE) .maxAgeInSeconds(15768000) .includeSubDomains(false); + return http.build(); // @formatter:on } @@ -220,10 +225,10 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class FrameOptionsSameOriginConfig extends WebSecurityConfigurerAdapter { + static class FrameOptionsSameOriginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -231,6 +236,7 @@ public class NamespaceHttpHeadersTests { .defaultsDisabled() .frameOptions() .sameOrigin(); + return http.build(); // @formatter:on } 
@@ -238,10 +244,10 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class FrameOptionsAllowFromConfig extends WebSecurityConfigurerAdapter { + static class FrameOptionsAllowFromConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() @@ -249,6 +255,7 @@ public class NamespaceHttpHeadersTests { .defaultsDisabled() .addHeaderWriter(new XFrameOptionsHeaderWriter( new StaticAllowFromStrategy(URI.create("https://example.com")))); + return http.build(); // @formatter:on } @@ -256,16 +263,17 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class XssProtectionConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() // xss-protection .defaultsDisabled() .xssProtection(); + return http.build(); // @formatter:on } @@ -273,10 +281,10 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class XssProtectionCustomConfig extends WebSecurityConfigurerAdapter { + static class XssProtectionCustomConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() 
@@ -285,22 +293,24 @@ public class NamespaceHttpHeadersTests { .xssProtection() .headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED); // @formatter:on + return http.build(); } } @Configuration @EnableWebSecurity - static class ContentTypeOptionsConfig extends WebSecurityConfigurerAdapter { + static class ContentTypeOptionsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() // content-type-options .defaultsDisabled() .contentTypeOptions(); + return http.build(); // @formatter:on } @@ -308,15 +318,16 @@ public class NamespaceHttpHeadersTests { @Configuration @EnableWebSecurity - static class HeaderRefConfig extends WebSecurityConfigurerAdapter { + static class HeaderRefConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .headers() .defaultsDisabled() .addHeaderWriter(new StaticHeadersWriter("customHeaderName", "customHeaderValue")); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java index 081fb8d966..40ced55859 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java 
@@ -20,17 +20,20 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; import org.springframework.web.bind.annotation.GetMapping; @@ -107,10 +110,10 @@ public class NamespaceHttpInterceptUrlTests { @Configuration @EnableWebSecurity - static class HttpInterceptUrlConfig extends WebSecurityConfigurerAdapter { + static class HttpInterceptUrlConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests().antMatchers( 
@@ -132,16 +135,12 @@ HttpMethod.POST, "/admin/post", "/admin/another-post/**").hasRole("ADMIN") //" requires-channel="https"/> .requiresSecure().anyRequest().requiresInsecure(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER").and() - .withUser("admin").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java index b9442cfa9f..b4daa324aa 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -27,13 +27,13 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.User; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @@ -97,10 +97,10 @@ public class NamespaceHttpJeeTests { @Configuration @EnableWebSecurity - public static class JeeMappableRolesConfig extends WebSecurityConfigurerAdapter { + public static class JeeMappableRolesConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -108,6 +108,7 @@ public class NamespaceHttpJeeTests { .and() .jee() .mappableRoles("user", "admin"); + return http.build(); // @formatter:on } 
@@ -115,13 +116,13 @@ public class NamespaceHttpJeeTests { @Configuration @EnableWebSecurity - public static class JeeUserServiceRefConfig extends WebSecurityConfigurerAdapter { + public static class JeeUserServiceRefConfig { private final AuthenticationUserDetailsService authenticationUserDetailsService = mock( AuthenticationUserDetailsService.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -130,6 +131,7 @@ public class NamespaceHttpJeeTests { .jee() .mappableAuthorities("ROLE_user", "ROLE_admin") .authenticatedUserDetailsService(this.authenticationUserDetailsService); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpLogoutTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpLogoutTests.java index eec4f5c94f..957adcace2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpLogoutTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpLogoutTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -26,16 +26,17 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.MockMvc; 
@@ -165,38 +166,41 @@ public class NamespaceHttpLogoutTests { @Configuration @EnableWebSecurity - static class HttpLogoutConfig extends WebSecurityConfigurerAdapter { + static class HttpLogoutConfig { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } } @Configuration @EnableWebSecurity - static class HttpLogoutDisabledInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HttpLogoutDisabledInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.logout(AbstractHttpConfigurer::disable); + return http.build(); } } @Configuration @EnableWebSecurity - static class CustomHttpLogoutConfig extends WebSecurityConfigurerAdapter { + static class CustomHttpLogoutConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .deleteCookies("remove") // logout@delete-cookies .invalidateHttpSession(false) // logout@invalidate-session=false (default is true) .logoutUrl("/custom-logout") // logout@logout-url (default is /logout) - .logoutSuccessUrl("/logout-success"); // logout@success-url (default is /login?logout) + .logoutSuccessUrl("/logout-success"); + return http.build(); // logout@success-url (default is /login?logout) // @formatter:on } @@ -204,10 +208,10 @@ public class NamespaceHttpLogoutTests { @Configuration @EnableWebSecurity - static class CustomHttpLogoutInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CustomHttpLogoutInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout((logout) -> 
@@ -216,6 +220,7 @@ public class NamespaceHttpLogoutTests { .logoutUrl("/custom-logout") .logoutSuccessUrl("/logout-success") ); + return http.build(); // @formatter:on } @@ -223,16 +228,17 @@ public class NamespaceHttpLogoutTests { @Configuration @EnableWebSecurity - static class SuccessHandlerRefHttpLogoutConfig extends WebSecurityConfigurerAdapter { + static class SuccessHandlerRefHttpLogoutConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { SimpleUrlLogoutSuccessHandler logoutSuccessHandler = new SimpleUrlLogoutSuccessHandler(); logoutSuccessHandler.setDefaultTargetUrl("/SuccessHandlerRefHttpLogoutConfig"); // @formatter:off http .logout() .logoutSuccessHandler(logoutSuccessHandler); + return http.build(); // @formatter:on } @@ -240,15 +246,16 @@ public class NamespaceHttpLogoutTests { @Configuration @EnableWebSecurity - static class SuccessHandlerRefHttpLogoutInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SuccessHandlerRefHttpLogoutInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { SimpleUrlLogoutSuccessHandler logoutSuccessHandler = new SimpleUrlLogoutSuccessHandler(); logoutSuccessHandler.setDefaultTargetUrl("/SuccessHandlerRefHttpLogoutConfig"); // @formatter:off http .logout((logout) -> logout.logoutSuccessHandler(logoutSuccessHandler)); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java index 68b4c67615..344fe30d52 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpPortMappingsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,13 +20,16 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; 
@@ -59,10 +62,10 @@ public class NamespaceHttpPortMappingsTests { @Configuration @EnableWebSecurity - static class HttpInterceptUrlWithPortMapperConfig extends WebSecurityConfigurerAdapter { + static class HttpInterceptUrlWithPortMapperConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -75,16 +78,12 @@ public class NamespaceHttpPortMappingsTests { .antMatchers("/login", "/secured/**").requiresSecure() .anyRequest().requiresInsecure(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER").and() - .withUser("admin").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpRequestCacheTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpRequestCacheTests.java index b254e86795..1c463544f4 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpRequestCacheTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpRequestCacheTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,13 +25,14 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; @@ -81,10 +82,10 @@ public class NamespaceHttpRequestCacheTests { @Configuration @EnableWebSecurity - static class RequestCacheRefConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheRefConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -93,16 +94,12 @@ public class NamespaceHttpRequestCacheTests { .requestCache() .requestCache(requestCache()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()) - .withUser(PasswordEncodedUser.admin()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); } @Bean @@ -114,25 +111,21 @@ public class NamespaceHttpRequestCacheTests { @Configuration @EnableWebSecurity - static class DefaultRequestCacheRefConfig extends WebSecurityConfigurerAdapter { + static class DefaultRequestCacheRefConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()) - .withUser(PasswordEncodedUser.admin()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java index 8c47bc8209..1df9a4a4cf 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java @@ -28,11 +28,11 @@ import org.springframework.security.access.AccessDeniedException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.test.web.servlet.MockMvc; @@ -106,10 +106,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class AccessDeniedPageConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedPageConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -117,6 +117,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { .and() .exceptionHandling() .accessDeniedPage("/AccessDeniedPageConfig"); + return http.build(); // @formatter:on } 
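Review bot: In `AccessDeniedPageConfig.filterChain` the added `return http.build();` sits inside the `// @formatter:off` … `// @formatter:on` region, directly after `.accessDeniedPage("/AccessDeniedPageConfig");`. NamespaceHttpPortMappingsTests and NamespaceHttpRequestCacheTests in this same patch place it after `// @formatter:on`. The same placement recurs in the other three config classes of this file (`AccessDeniedPageInLambdaConfig`, `AccessDeniedHandlerRefConfig`, `AccessDeniedHandlerRefInLambdaConfig`). Moving the statement below the marker, i.e. `// @formatter:on` followed by `return http.build();`, keeps the unformatted region limited to the DSL chain. The method's opening lines are in the preceding hunk.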
@@ -124,10 +125,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class AccessDeniedPageInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedPageInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -137,6 +138,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { .exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedPage("/AccessDeniedPageConfig") ); + return http.build(); // @formatter:on } @@ -144,10 +146,10 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class AccessDeniedHandlerRefConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedHandlerRefConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -155,6 +157,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { .and() .exceptionHandling() .accessDeniedHandler(accessDeniedHandler()); + return http.build(); // @formatter:on } @@ -167,12 +170,12 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { @Configuration @EnableWebSecurity - static class AccessDeniedHandlerRefInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AccessDeniedHandlerRefInLambdaConfig { static AccessDeniedHandler accessDeniedHandler = mock(AccessDeniedHandler.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> 
@@ -182,6 +185,7 @@ public class NamespaceHttpServerAccessDeniedHandlerTests { .exceptionHandling((exceptionHandling) -> exceptionHandling.accessDeniedHandler(accessDeniedHandler()) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.java index 399104f04a..c89f46dc5f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -34,15 +34,17 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.io.ClassPathResource; import org.springframework.security.authentication.AuthenticationDetailsSource; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.GetMapping; 
@@ -135,19 +137,17 @@ public class NamespaceHttpX509Tests { @Configuration @EnableWebSecurity @EnableWebMvc - public static class X509Config extends WebSecurityConfigurerAdapter { + public static class X509Config { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -155,6 +155,7 @@ public class NamespaceHttpX509Tests { .and() .x509(); // @formatter:on + return http.build(); } } @@ -162,19 +163,17 @@ public class NamespaceHttpX509Tests { @Configuration @EnableWebSecurity @EnableWebMvc - static class AuthenticationDetailsSourceRefConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationDetailsSourceRefConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
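Review bot: The `userDetailsService()` bean added to `X509Config` is repeated verbatim in `AuthenticationDetailsSourceRefConfig`, `SubjectPrincipalRegexConfig`, `UserDetailsServiceRefConfig` and `AuthenticationUserDetailsServiceConfig`, and with a different username in `CustomPrincipalExtractorConfig`. That leaves six copies of the same `User.withDefaultPasswordEncoder()` builder in one test file. A single private static helper in `NamespaceHttpX509Tests` would reduce each bean method to one line and give one place to document the fixture. Every one of these configurations calls `.x509()`, so the password is presumably never the credential under test, and a comment saying so would explain why `withDefaultPasswordEncoder()` is acceptable here.

```java
// Test fixture only: these configurations authenticate through x509(),
// so the password is presumably never the credential being checked.
private static UserDetailsService users(String username) {
	UserDetails user = User.withDefaultPasswordEncoder().username(username).password("password")
			.roles("USER", "ADMIN").build();
	return new InMemoryUserDetailsManager(user);
}

// … unchanged: class annotations and the X509Config declaration …
@Bean
UserDetailsService userDetailsService() {
	return users("rod");
}
```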
@@ -183,6 +182,7 @@ public class NamespaceHttpX509Tests { .x509() .authenticationDetailsSource(authenticationDetailsSource()); // @formatter:on + return http.build(); } @Bean @@ -195,19 +195,17 @@ public class NamespaceHttpX509Tests { @EnableWebMvc @Configuration @EnableWebSecurity - public static class SubjectPrincipalRegexConfig extends WebSecurityConfigurerAdapter { + public static class SubjectPrincipalRegexConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -216,6 +214,7 @@ public class NamespaceHttpX509Tests { .x509() .subjectPrincipalRegex("CN=(.*?)@example.com(?:,|$)"); // @formatter:on + return http.build(); } } 
@@ -223,19 +222,17 @@ public class NamespaceHttpX509Tests { @EnableWebMvc @Configuration @EnableWebSecurity - public static class CustomPrincipalExtractorConfig extends WebSecurityConfigurerAdapter { + public static class CustomPrincipalExtractorConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod@example.com").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod@example.com").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -244,6 +241,7 @@ public class NamespaceHttpX509Tests { .x509() .x509PrincipalExtractor(this::extractCommonName); // @formatter:on + return http.build(); } private String extractCommonName(X509Certificate certificate) { 
@@ -256,19 +254,17 @@ public class NamespaceHttpX509Tests { @EnableWebMvc @Configuration @EnableWebSecurity - public static class UserDetailsServiceRefConfig extends WebSecurityConfigurerAdapter { + public static class UserDetailsServiceRefConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -277,6 +273,7 @@ public class NamespaceHttpX509Tests { .x509() .userDetailsService((username) -> USER); // @formatter:on + return http.build(); } } @@ -284,19 +281,17 @@ public class NamespaceHttpX509Tests { @EnableWebMvc @Configuration @EnableWebSecurity - public static class AuthenticationUserDetailsServiceConfig extends WebSecurityConfigurerAdapter { + public static class AuthenticationUserDetailsServiceConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -305,6 +300,7 @@ public class NamespaceHttpX509Tests { .x509() .authenticationUserDetailsService((authentication) -> USER); // @formatter:on + return http.build(); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java index fef1e21f51..6ae6aea55d 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,10 +28,8 @@ import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.mock.web.MockHttpSession; import org.springframework.security.authentication.RememberMeAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; 
@@ -39,6 +37,7 @@ import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; @@ -138,11 +137,10 @@ public class NamespaceRememberMeTests { @Test public void rememberMeLoginWhenKeyDeclaredThenMatchesNamespace() throws Exception { - this.spring.register(WithoutKeyConfig.class, KeyConfig.class, SecurityController.class).autowire(); + this.spring.register(WithoutKeyConfig.class, SecurityController.class).autowire(); MockHttpServletRequestBuilder requestWithRememberme = post("/without-key/login").with(rememberMeLogin()); // @formatter:off Cookie withoutKey = this.mvc.perform(requestWithRememberme) - .andExpect(redirectedUrl("/")) .andReturn() .getResponse() .getCookie("remember-me"); @@ -284,8 +282,8 @@ public class NamespaceRememberMeTests { @EnableWebSecurity static class RememberMeConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -294,6 +292,7 @@ public class NamespaceRememberMeTests { .formLogin() .and() .rememberMe(); + return http.build(); // @formatter:on } 
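Review bot: Dropping `.andExpect(redirectedUrl("/"))` from `rememberMeLoginWhenKeyDeclaredThenMatchesNamespace` leaves the `/without-key/login` request with no expectation in the visible part of the test. A login that fails would then only surface indirectly, through whatever is later done with the `remember-me` cookie. If the redirect target changed because the `/without-key/**` chain now requires authentication, assert the new outcome instead of nothing, for example `.andExpect(status().is3xxRedirection())`. That assumes `status()` is statically imported in this file, which the hunk does not show. The rest of the test method lies outside this hunk, so a later assertion may already cover this.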
@@ -305,18 +304,19 @@ public class NamespaceRememberMeTests { @Configuration @EnableWebSecurity - static class RememberMeServicesRefConfig extends WebSecurityConfigurerAdapter { + static class RememberMeServicesRefConfig { static RememberMeServices REMEMBER_ME_SERVICES; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .rememberMeServices(REMEMBER_ME_SERVICES); + return http.build(); // @formatter:on } @@ -328,14 +328,15 @@ public class NamespaceRememberMeTests { static AuthenticationSuccessHandler SUCCESS_HANDLER; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .authenticationSuccessHandler(SUCCESS_HANDLER); + return http.build(); // @formatter:on } @@ -343,29 +344,26 @@ public class NamespaceRememberMeTests { @Configuration @EnableWebSecurity - @Order(0) static class WithoutKeyConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + @Order(0) + SecurityFilterChain withoutKeyFilterChain(HttpSecurity http) throws Exception { // @formatter:off http .antMatcher("/without-key/**") - .formLogin() - .loginProcessingUrl("/without-key/login") - .and() - .rememberMe(); + .authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()) + .formLogin() + .loginProcessingUrl("/without-key/login") + .and() + .rememberMe(); + return http.build(); // @formatter:on } - } - - @Configuration - @EnableWebSecurity - static class KeyConfig extends UsersConfig { - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + @Order(1) + SecurityFilterChain keyFilterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
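Review bot: `WithoutKeyConfig` now declares both `withoutKeyFilterChain` and `keyFilterChain`, and the latter sets `.key("KeyConfig")` in the following hunk. The class name therefore no longer describes what it configures, and nothing explains why two chains share one class. A comment on the ordering would help, such as `// @Order(0): the /without-key/** chain must be consulted before the apparently unrestricted chain below`. The first chain also mixes the lambda form `authorizeHttpRequests((requests) -> ...)` with `.formLogin()` … `.and()` chaining, while the second uses `authorizeRequests()`, so one style per class would read more easily. The body of `keyFilterChain` continues outside this hunk.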
@@ -375,6 +373,7 @@ public class NamespaceRememberMeTests { .and() .rememberMe() .key("KeyConfig"); + return http.build(); // @formatter:on } @@ -386,8 +385,8 @@ public class NamespaceRememberMeTests { static PersistentTokenRepository TOKEN_REPOSITORY; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl() // tokenRepository.setDataSource(dataSource); // @formatter:off @@ -396,6 +395,7 @@ public class NamespaceRememberMeTests { .and() .rememberMe() .tokenRepository(TOKEN_REPOSITORY); + return http.build(); // @formatter:on } @@ -405,8 +405,8 @@ public class NamespaceRememberMeTests { @EnableWebSecurity static class TokenValiditySecondsConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -416,6 +416,7 @@ public class NamespaceRememberMeTests { .and() .rememberMe() .tokenValiditySeconds(314); + return http.build(); // @formatter:on } @@ -425,14 +426,15 @@ public class NamespaceRememberMeTests { @EnableWebSecurity static class UseSecureCookieConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .useSecureCookie(true); + return http.build(); // @formatter:on } 
@@ -442,14 +444,15 @@ public class NamespaceRememberMeTests { @EnableWebSecurity static class RememberMeParameterConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .rememberMeParameter("rememberMe"); + return http.build(); // @formatter:on } @@ -459,14 +462,15 @@ public class NamespaceRememberMeTests { @EnableWebSecurity static class RememberMeCookieNameConfig extends UsersConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .rememberMeCookieName("rememberMe"); + return http.build(); // @formatter:on } @@ -474,26 +478,24 @@ public class NamespaceRememberMeTests { @EnableWebSecurity @Configuration - static class DefaultsUserDetailsServiceWithDaoConfig extends WebSecurityConfigurerAdapter { + static class DefaultsUserDetailsServiceWithDaoConfig { static UserDetailsService USERDETAILS_SERVICE; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .userDetailsService(USERDETAILS_SERVICE); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return USERDETAILS_SERVICE; } } 
@@ -504,24 +506,24 @@ public class NamespaceRememberMeTests { static UserDetailsService USERDETAILS_SERVICE; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .rememberMe() .userDetailsService(USERDETAILS_SERVICE); + return http.build(); // @formatter:on } } - static class UsersConfig extends WebSecurityConfigurerAdapter { + static class UsersConfig { - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager( // @formatter:off User.withDefaultPasswordEncoder() diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java index 313835a6b0..64ba3a77e8 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -32,9 +32,9 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; @@ -44,6 +44,7 @@ import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationException; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; 
@@ -256,29 +257,33 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class SessionManagementConfig extends WebSecurityConfigurerAdapter { + static class SessionManagementConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off - super.configure(http); http + .authorizeHttpRequests((authorize) -> authorize + .anyRequest().authenticated() + ) .sessionManagement((sessions) -> sessions .requireExplicitAuthenticationStrategy(false) - ); + ) + .httpBasic(Customizer.withDefaults()); // @formatter:on + return http.build(); } } @Configuration @EnableWebSecurity - static class CustomSessionManagementConfig extends WebSecurityConfigurerAdapter { + static class CustomSessionManagementConfig { SessionRegistry sessionRegistry = spy(SessionRegistryImpl.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -292,7 +297,8 @@ public class NamespaceSessionManagementTests { .maximumSessions(1) // session-management/concurrency-control@max-sessions .maxSessionsPreventsLogin(true) // session-management/concurrency-control@error-if-maximum-exceeded .expiredUrl("/expired-session") // session-management/concurrency-control@expired-url - .sessionRegistry(sessionRegistry()); // session-management/concurrency-control@session-registry-ref + .sessionRegistry(sessionRegistry()); + return http.build(); // session-management/concurrency-control@session-registry-ref // @formatter:on } 
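Review bot: In `CustomSessionManagementConfig.filterChain` the namespace-mapping comment `// session-management/concurrency-control@session-registry-ref` has moved from the `.sessionRegistry(sessionRegistry())` call onto the new `return http.build();` line, so it now annotates the wrong statement. Keep it on the call it documents, `.sessionRegistry(sessionRegistry()); // session-management/concurrency-control@session-registry-ref`, and put `return http.build();` on its own line after `// @formatter:on`. The method begins in the preceding hunk.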
@@ -305,16 +311,17 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class InvalidSessionStrategyConfig extends WebSecurityConfigurerAdapter { + static class InvalidSessionStrategyConfig { InvalidSessionStrategy invalidSessionStrategy = mock(InvalidSessionStrategy.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .invalidSessionStrategy(invalidSessionStrategy()); + return http.build(); // @formatter:on } @@ -327,18 +334,19 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class RefsSessionManagementConfig extends WebSecurityConfigurerAdapter { + static class RefsSessionManagementConfig { SessionAuthenticationStrategy sessionAuthenticationStrategy = mock(SessionAuthenticationStrategy.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .sessionAuthenticationStrategy(sessionAuthenticationStrategy()) // session-management@session-authentication-strategy-ref .and() .httpBasic(); + return http.build(); // @formatter:on } @@ -351,16 +359,17 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class SFPNoneSessionManagementConfig extends WebSecurityConfigurerAdapter { + static class SFPNoneSessionManagementConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy()) .and() .httpBasic(); + return http.build(); // @formatter:on } 
@@ -368,16 +377,17 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class SFPMigrateSessionManagementConfig extends WebSecurityConfigurerAdapter { + static class SFPMigrateSessionManagementConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .requireExplicitAuthenticationStrategy(false) .and() .httpBasic(); + return http.build(); // @formatter:on } @@ -385,16 +395,17 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class SFPPostProcessedConfig extends WebSecurityConfigurerAdapter { + static class SFPPostProcessedConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessions) -> sessions .requireExplicitAuthenticationStrategy(false) ) .httpBasic(); + return http.build(); // @formatter:on } @@ -407,10 +418,10 @@ public class NamespaceSessionManagementTests { @Configuration @EnableWebSecurity - static class SFPNewSessionSessionManagementConfig extends WebSecurityConfigurerAdapter { + static class SFPNewSessionSessionManagementConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessions) -> sessions @@ -418,6 +429,7 @@ public class NamespaceSessionManagementTests { .requireExplicitAuthenticationStrategy(false) ) .httpBasic(); + return http.build(); // @formatter:on } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupportTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupportTests.java index 276936414e..693c8d349b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupportTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupportTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,12 +21,13 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.BeanCreationException; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; 
@@ -92,10 +93,10 @@ public class PermitAllSupportTests { @Configuration @EnableWebSecurity - static class PermitAllConfig extends WebSecurityConfigurerAdapter { + static class PermitAllConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -104,6 +105,7 @@ public class PermitAllSupportTests { .formLogin() .loginPage("/xyz").permitAll() .loginProcessingUrl("/abc?def").permitAll(); + return http.build(); // @formatter:on } @@ -111,10 +113,10 @@ public class PermitAllSupportTests { @Configuration @EnableWebSecurity - static class PermitAllConfigAuthorizeHttpRequests extends WebSecurityConfigurerAdapter { + static class PermitAllConfigAuthorizeHttpRequests { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeHttpRequests() @@ -123,6 +125,7 @@ public class PermitAllSupportTests { .formLogin() .loginPage("/xyz").permitAll() .loginProcessingUrl("/abc?def").permitAll(); + return http.build(); // @formatter:on } @@ -130,10 +133,10 @@ public class PermitAllSupportTests { @Configuration @EnableWebSecurity - static class PermitAllConfigWithBothConfigs extends WebSecurityConfigurerAdapter { + static class PermitAllConfigWithBothConfigs { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -145,6 +148,7 @@ public class PermitAllSupportTests { .formLogin() .loginPage("/xyz").permitAll() .loginProcessingUrl("/abc?def").permitAll(); + return http.build(); // @formatter:on } 
@@ -152,14 +156,15 @@ public class PermitAllSupportTests { @Configuration @EnableWebSecurity - static class NoAuthorizedUrlsConfig extends WebSecurityConfigurerAdapter { + static class NoAuthorizedUrlsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .permitAll(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.java index 4deffa5987..ce19e6aa20 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,13 +22,14 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.web.PortMapperImpl; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; @@ -66,10 +67,10 @@ public class PortMapperConfigurerTests { @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotOverride extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverride { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requiresChannel() @@ -79,6 +80,7 @@ public class PortMapperConfigurerTests { .http(543).mapsTo(123) .and() .portMapper(); + return http.build(); // @formatter:on } @@ -86,10 +88,10 @@ public class PortMapperConfigurerTests { @Configuration @EnableWebSecurity - static class HttpMapsToInLambdaConfig extends WebSecurityConfigurerAdapter { + static class HttpMapsToInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requiresChannel((requiresChannel) -> 
@@ -100,6 +102,7 @@ public class PortMapperConfigurerTests { portMapper .http(543).mapsTo(123) ); + return http.build(); // @formatter:on } @@ -107,10 +110,10 @@ public class PortMapperConfigurerTests { @Configuration @EnableWebSecurity - static class CustomPortMapperInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CustomPortMapperInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { PortMapperImpl customPortMapper = new PortMapperImpl(); customPortMapper.setPortMappings(Collections.singletonMap("543", "123")); // @formatter:off @@ -123,6 +126,7 @@ public class PortMapperConfigurerTests { portMapper .portMapper(customPortMapper) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java index cad606ee3d..3a55181521 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java @@ -24,6 +24,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.BeanCreationException; +import org.springframework.beans.factory.UnsatisfiedDependencyException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; 
@@ -35,7 +36,6 @@ import org.springframework.security.config.annotation.SecurityContextChangedList import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -54,7 +54,6 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; -import static org.assertj.core.api.Assertions.assertThatIllegalStateException; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.BDDMockito.given; @@ -88,17 +87,9 @@ public class RememberMeConfigurerTests { @Test public void postWhenNoUserDetailsServiceThenException() { - this.spring.register(NullUserDetailsConfig.class).autowire(); - assertThatIllegalStateException().isThrownBy(() -> { - // @formatter:off - MockHttpServletRequestBuilder request = post("/login") - .param("username", "user") - .param("password", "password") - .param("remember-me", "true") - .with(csrf()); - // @formatter:on - this.mvc.perform(request); - }).withMessageContaining("UserDetailsService is required"); + assertThatExceptionOfType(UnsatisfiedDependencyException.class) + .isThrownBy(() -> this.spring.register(NullUserDetailsConfig.class).autowire()) + .withMessageContaining("userDetailsService cannot be null"); } @Test 
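Review bot: `postWhenNoUserDetailsServiceThenException` no longer performs a POST, so its name describes the old behaviour. The assertion now wraps `this.spring.register(NullUserDetailsConfig.class).autowire()` and expects `UnsatisfiedDependencyException` with "userDetailsService cannot be null". A name such as `configureWhenNoUserDetailsServiceThenException` would match what is exercised. A one-line comment would also help, stating that remember-me without a `UserDetailsService` is now rejected while the context is wired rather than on the first login request, since that is the change this test pins.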
@@ -305,10 +296,10 @@ public class RememberMeConfigurerTests { @Configuration @EnableWebSecurity - static class NullUserDetailsConfig extends WebSecurityConfigurerAdapter { + static class NullUserDetailsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -318,10 +309,11 @@ public class RememberMeConfigurerTests { .and() .rememberMe(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) { + @Autowired + void configure(AuthenticationManagerBuilder auth) { User user = (User) PasswordEncodedUser.user(); DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setUserDetailsService(new InMemoryUserDetailsManager(Collections.singletonList(user))); @@ -335,25 +327,23 @@ public class RememberMeConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .rememberMe() .userDetailsService(new AuthenticationManagerBuilder(this.objectPostProcessor).getDefaultUserDetailsService()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @Bean 
@@ -374,12 +364,12 @@ public class RememberMeConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateDoesNotOverrideConfig { static UserDetailsService userDetailsService = mock(UserDetailsService.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() @@ -388,12 +378,12 @@ public class RememberMeConfigurerTests { .userDetailsService(userDetailsService) .and() .rememberMe(); + return http.build(); // @formatter:on } - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager( // @formatter:off User.withDefaultPasswordEncoder() @@ -430,10 +420,10 @@ public class RememberMeConfigurerTests { @Configuration @EnableWebSecurity - static class RememberMeConfig extends WebSecurityConfigurerAdapter { + static class RememberMeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -442,26 +432,23 @@ public class RememberMeConfigurerTests { .formLogin() .and() .rememberMe(); + return http.build(); // @formatter:on } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class RememberMeInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RememberMeInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -470,26 +457,23 @@ public class RememberMeConfigurerTests { ) .formLogin(withDefaults()) .rememberMe(withDefaults()); + return http.build(); // @formatter:on } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class RememberMeCookieDomainConfig extends WebSecurityConfigurerAdapter { + static class RememberMeCookieDomainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -499,26 +483,23 @@ public class RememberMeConfigurerTests { .and() .rememberMe() .rememberMeCookieDomain("spring.io"); + return http.build(); // @formatter:on } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class RememberMeCookieDomainInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RememberMeCookieDomainInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -530,28 +511,25 @@ public class RememberMeConfigurerTests { rememberMe .rememberMeCookieDomain("spring.io") ); + return http.build(); // @formatter:on } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class RememberMeCookieNameAndRememberMeServicesConfig extends WebSecurityConfigurerAdapter { + static class RememberMeCookieNameAndRememberMeServicesConfig { static RememberMeServices REMEMBER_ME = mock(RememberMeServices.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -563,6 +541,7 @@ public class RememberMeConfigurerTests { .rememberMeCookieName("SPRING_COOKIE_DOMAIN") .rememberMeCookieDomain("spring.io") .rememberMeServices(REMEMBER_ME); + return http.build(); // @formatter:on } @@ -581,12 +560,18 @@ public class RememberMeConfigurerTests { @EnableWebSecurity static class FallbackRememberMeKeyConfig extends RememberMeConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off - http.rememberMe() + http + .authorizeRequests() + .anyRequest().hasRole("USER") + .and() + .formLogin() + .and() + .rememberMe() .rememberMeServices(new TokenBasedRememberMeServices("key", userDetailsService())); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java index e44996c596..5bde6992a6 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
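Review bot: `FallbackRememberMeKeyConfig.filterChain` overrides the `filterChain` bean method of its parent `RememberMeConfig` (same name and signature), but it is not marked `@Override`. The `hasRole("USER")` and `formLogin()` rules are now copied rather than inherited through the removed `super.configure(http)`. Adding `@Override` above `@Bean`, plus a comment such as `// same rules as RememberMeConfig, but with explicit TokenBasedRememberMeServices`, would make the replacement visibly intentional. It would also point a reader at the duplicate if the parent's rules change. The class body continues outside this hunk.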
@@ -28,15 +28,16 @@ import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; import org.springframework.mock.web.MockHttpSession; import org.springframework.mock.web.MockMultipartFile; +import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.userdetails.User; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.test.web.servlet.RequestCacheResultMatcher; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.savedrequest.NullRequestCache; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; @@ -228,8 +229,7 @@ public class RequestCacheConfigurerTests { // gh-6102 @Test public void getWhenRequestCacheIsDisabledThenExceptionTranslationFilterDoesNotStoreRequest() throws Exception { - this.spring.register(RequestCacheDisabledConfig.class, - ExceptionHandlingConfigurerTests.DefaultSecurityConfig.class).autowire(); + this.spring.register(RequestCacheDisabledConfig.class, DefaultSecurityConfig.class).autowire(); // @formatter:off MockHttpSession session = (MockHttpSession) this.mvc.perform(get("/bob")) .andReturn() 
@@ -303,15 +303,16 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestCache(); + return http.build(); // @formatter:on } @@ -333,18 +334,19 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverrideConfig { static RequestCache requestCache = mock(RequestCache.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestCache() .requestCache(requestCache) .and() .requestCache(); + return http.build(); // @formatter:on } @@ -352,16 +354,17 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class RequestCacheDefaultsConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheDefaultsConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin(); + return http.build(); // @formatter:on } 
@@ -369,22 +372,29 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class RequestCacheDisabledConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); - http.requestCache().disable(); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((requests) -> requests + .anyRequest().authenticated() + ) + .formLogin(Customizer.withDefaults()) + .requestCache((cache) -> cache.disable()); + // @formatter:on + return http.build(); } } @Configuration @EnableWebSecurity - static class RequestCacheDisabledInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheDisabledInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -393,6 +403,7 @@ public class RequestCacheConfigurerTests { ) .formLogin(withDefaults()) .requestCache(RequestCacheConfigurer::disable); + return http.build(); // @formatter:on } @@ -400,10 +411,10 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class RequestCacheInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RequestCacheInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -412,6 +423,7 @@ public class RequestCacheConfigurerTests { ) .formLogin(withDefaults()) .requestCache(withDefaults()); + return http.build(); // @formatter:on } 
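Review bot: `RequestCacheDisabledConfig` previously disabled the cache with the chained form `http.requestCache().disable();`, but the new body uses `.requestCache((cache) -> cache.disable())`. That makes it nearly the same as `RequestCacheDisabledInLambdaConfig` directly below, which uses `.requestCache(RequestCacheConfigurer::disable)`. If the gh-6102 test that registers this config is meant to cover the non-lambda DSL, that path is no longer exercised. Keeping `http.requestCache().disable();` as its own statement before `return http.build();` would preserve the distinction between the two configs.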
@@ -419,10 +431,10 @@ public class RequestCacheConfigurerTests { @Configuration @EnableWebSecurity - static class CustomRequestCacheInLambdaConfig extends WebSecurityConfigurerAdapter { + static class CustomRequestCacheInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -434,6 +446,7 @@ public class RequestCacheConfigurerTests { requestCache .requestCache(new NullRequestCache()) ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java index 4e04b7a167..23819d0f05 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestMatcherConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -20,12 +20,13 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; @@ -70,10 +71,10 @@ public class RequestMatcherConfigurerTests { @Configuration @EnableWebSecurity - static class Sec2908Config extends WebSecurityConfigurerAdapter { + static class Sec2908Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() @@ -84,6 +85,7 @@ public class RequestMatcherConfigurerTests { .and() .authorizeRequests() .anyRequest().denyAll(); + return http.build(); // @formatter:on } @@ -91,10 +93,10 @@ public class RequestMatcherConfigurerTests { @Configuration @EnableWebSecurity - static class AuthorizeRequestInLambdaConfig extends WebSecurityConfigurerAdapter { + static class AuthorizeRequestInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers((requestMatchers) -> 
@@ -109,6 +111,7 @@ public class RequestMatcherConfigurerTests { authorizeRequests .anyRequest().denyAll() ); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java index 9f392e9cde..9342ae1e3f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -29,15 +29,17 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.ObjectPostProcessor; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.TestHttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.NullSecurityContextRepository; 
@@ -139,17 +141,18 @@ public class SecurityContextConfigurerTests { assertThat(securityContext.getAuthentication()).isNotNull(); } - @Configuration + @Configuration(proxyBeanMethods = false) @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .securityContext(); + return http.build(); // @formatter:on } @@ -171,18 +174,19 @@ public class SecurityContextConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateDoesNotOverrideConfig { static SecurityContextRepository SCR = mock(SecurityContextRepository.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .securityContext() .securityContextRepository(SCR) .and() .securityContext(); + return http.build(); // @formatter:on } @@ -190,14 +194,11 @@ public class SecurityContextConfigurerTests { @Configuration @EnableWebSecurity - static class SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig extends WebSecurityConfigurerAdapter { + static class SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig { - SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig() { - super(true); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + TestHttpSecurity.disableDefaults(http); // @formatter:off http .addFilter(new WebAsyncManagerIntegrationFilter()) 
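Review bot: `ObjectPostProcessorConfig` is the only configuration in this file's diff changed to `@Configuration(proxyBeanMethods = false)`, and nothing in the hunk says why. If it is needed because of how the static `objectPostProcessor` spy is exposed as a bean, a one-line comment above the annotation stating the reason would keep it from being reverted as noise. The rest of the class is outside this hunk, so the reason cannot be confirmed from here.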
@@ -210,73 +211,64 @@ public class SecurityContextConfigurerTests { .and() .httpBasic(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class SecurityContextWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SecurityContextWithDefaultsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) .securityContext(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class SecurityContextDisabledInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SecurityContextDisabledInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) .securityContext(AbstractHttpConfigurer::disable); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + 
UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class NullSecurityContextRepositoryInLambdaConfig extends WebSecurityConfigurerAdapter { + static class NullSecurityContextRepositoryInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) @@ -285,25 +277,22 @@ public class SecurityContextConfigurerTests { .securityContextRepository(new NullSecurityContextRepository()) ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class RequireExplicitSaveConfig extends WebSecurityConfigurerAdapter { + static class RequireExplicitSaveConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) @@ -311,15 +300,12 @@ public class SecurityContextConfigurerTests { .requireExplicitSave(true) ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java index 13ea11a43e..09b78fc92f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -32,20 +32,23 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
@@ -213,15 +216,16 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .servletApi(); + return http.build(); // @formatter:on } 
@@ -243,32 +247,43 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class ServletApiConfig extends WebSecurityConfigurerAdapter { + static class ServletApiConfig { - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); + http + .authorizeHttpRequests((requests) -> requests + .anyRequest().authenticated() + ) + .httpBasic(Customizer.withDefaults()) + .formLogin(Customizer.withDefaults()); // @formatter:on + return http.build(); } @Bean - AuthenticationManager customAuthenticationManager() throws Exception { - return super.authenticationManagerBean(); + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); + } + + @Bean + AuthenticationManager customAuthenticationManager(UserDetailsService userDetailsService) { + DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); + provider.setUserDetailsService(userDetailsService); + return provider::authenticate; } } @Configuration @EnableWebSecurity - static class CustomEntryPointConfig extends WebSecurityConfigurerAdapter { + static class CustomEntryPointConfig { static AuthenticationEntryPoint ENTRYPOINT = spy(AuthenticationEntryPoint.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
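Review bot: `customAuthenticationManager` in ServletApiConfig returns `provider::authenticate`, which exposes the bare DaoAuthenticationProvider as the AuthenticationManager instead of wrapping it in a ProviderManager. That bypasses the provider's `supports()` check and the credential erasure ProviderManager applies after a successful authentication, so the resulting Authentication keeps the submitted password. Returning `new ProviderManager(provider)` (with the matching import) would presumably stay closer to what `super.authenticationManagerBean()` supplied before the change. This is test configuration, but it is also the shape readers copy when they replace the adapter in their own code.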
@@ -279,31 +294,29 @@ public class ServletApiConfigurerTests { .and() .formLogin(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class DuplicateInvocationsDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateInvocationsDoesNotOverrideConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .servletApi() .rolePrefix("PERMISSION_") .and() .servletApi(); + return http.build(); // @formatter:on } @@ -311,15 +324,16 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class SharedTrustResolverConfig extends WebSecurityConfigurerAdapter { + static class SharedTrustResolverConfig { static AuthenticationTrustResolver TR = spy(AuthenticationTrustResolver.class); - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .setSharedObject(AuthenticationTrustResolver.class, TR); + return http.build(); // @formatter:on } 
@@ -327,13 +341,14 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ServletApiWithDefaultsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .servletApi(withDefaults()); + return http.build(); // @formatter:on } @@ -341,16 +356,17 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class RolePrefixInLambdaConfig extends WebSecurityConfigurerAdapter { + static class RolePrefixInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .servletApi((servletApi) -> servletApi .rolePrefix("PERMISSION_") ); + return http.build(); // @formatter:on } @@ -370,14 +386,15 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class ServletApiWithLogoutConfig extends WebSecurityConfigurerAdapter { + static class ServletApiWithLogoutConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .servletApi().and() .logout(); + return http.build(); // @formatter:on } @@ -385,13 +402,14 @@ public class ServletApiConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfDisabledConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf().disable(); + return http.build(); // @formatter:on } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java index 2fa0c91e71..241a45308b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2013 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -23,17 +23,19 @@ import org.junit.jupiter.api.Test; import org.springframework.context.ConfigurableApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.csrf.CsrfToken; 
@@ -109,25 +111,22 @@ public class SessionManagementConfigurerServlet31Tests { @Configuration @EnableWebSecurity - static class SessionManagementDefaultSessionFixationServlet31Config extends WebSecurityConfigurerAdapter { + static class SessionManagementDefaultSessionFixationServlet31Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() .and() .sessionManagement(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionAuthenticationStrategyTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionAuthenticationStrategyTests.java index 8f9e6c0bed..bcd0235ccf 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionAuthenticationStrategyTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionAuthenticationStrategyTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,15 +22,17 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.test.web.servlet.MockMvc; @@ -61,13 +63,13 @@ public class SessionManagementConfigurerSessionAuthenticationStrategyTests { @Configuration @EnableWebSecurity - static class CustomSessionAuthenticationStrategyConfig extends WebSecurityConfigurerAdapter { + static class CustomSessionAuthenticationStrategyConfig { static SessionAuthenticationStrategy customSessionAuthenticationStrategy = mock( SessionAuthenticationStrategy.class); - @Override - public void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() 
@@ -75,15 +77,12 @@ public class SessionManagementConfigurerSessionAuthenticationStrategyTests { .sessionManagement() .sessionAuthenticationStrategy(customSessionAuthenticationStrategy); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionCreationPolicyTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionCreationPolicyTests.java index ce1d54977c..c7305f9834 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionCreationPolicyTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerSessionCreationPolicyTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -20,13 +20,14 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; import org.springframework.web.bind.annotation.GetMapping; 
@@ -74,35 +75,35 @@ public class SessionManagementConfigurerSessionCreationPolicyTests { @Configuration @EnableWebSecurity - static class StatelessCreateSessionSharedObjectConfig extends WebSecurityConfigurerAdapter { + static class StatelessCreateSessionSharedObjectConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.setSharedObject(SessionCreationPolicy.class, SessionCreationPolicy.STATELESS); + return http.build(); } } @Configuration @EnableWebSecurity - static class StatelessCreateSessionUserConfig extends WebSecurityConfigurerAdapter { + static class StatelessCreateSessionUserConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // @formatter:on http.setSharedObject(SessionCreationPolicy.class, SessionCreationPolicy.ALWAYS); + return http.build(); } } @Configuration @EnableWebSecurity - static class DefaultConfig extends WebSecurityConfigurerAdapter { + static class DefaultConfig { } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java index 133b47d0ba..6a3a39e24d 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java 
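Review bot: StatelessCreateSessionSharedObjectConfig and StatelessCreateSessionUserConfig drop `super.configure(http)` without re-adding the rules it supplied, so these chains no longer require authentication or offer form login and HTTP Basic. If the tests (outside this hunk) assert that an anonymous request leaves no session behind, they may now pass whatever the SessionCreationPolicy is, because nothing challenges the request and so nothing would try to store it in a session. The ServletApiConfig hunk in this commit restores the defaults explicitly; doing the same here, e.g. `http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated()).formLogin(Customizer.withDefaults()).httpBasic(Customizer.withDefaults());`, would keep the stateless assertion meaningful. DefaultConfig is left as an empty class and appears to rely on the framework's default chain, which is worth confirming.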
@@ -28,17 +28,18 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
@@ -359,12 +360,12 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter { + static class SessionManagementRequestCacheConfig { static RequestCache REQUEST_CACHE; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .requestCache() @@ -372,6 +373,7 @@ public class SessionManagementConfigurerTests { .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); + return http.build(); // @formatter:on } @@ -379,12 +381,12 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class SessionManagementSecurityContextRepositoryConfig extends WebSecurityConfigurerAdapter { + static class SessionManagementSecurityContextRepositoryConfig { static SecurityContextRepository SECURITY_CONTEXT_REPO; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .securityContext() @@ -392,6 +394,7 @@ public class SessionManagementConfigurerTests { .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); + return http.build(); // @formatter:on } @@ -399,16 +402,17 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class InvokeTwiceDoesNotOverride extends WebSecurityConfigurerAdapter { + static class InvokeTwiceDoesNotOverride { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .sessionManagement(); + return http.build(); // @formatter:on } 
@@ -416,10 +420,10 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class DisableSessionFixationEnableConcurrencyControlConfig extends WebSecurityConfigurerAdapter { + static class DisableSessionFixationEnableConcurrencyControlConfig { - @Override - public void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .httpBasic() @@ -428,25 +432,22 @@ public class SessionManagementConfigurerTests { .sessionFixation().none() .maximumSessions(1); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class SFPNewSessionInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SFPNewSessionInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessionManagement) -> 
@@ -458,25 +459,22 @@ public class SessionManagementConfigurerTests { ) .httpBasic(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class ConcurrencyControlConfig extends WebSecurityConfigurerAdapter { + static class ConcurrencyControlConfig { - @Override - public void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin() @@ -485,25 +483,22 @@ public class SessionManagementConfigurerTests { .maximumSessions(1) .maxSessionsPreventsLogin(true); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class ConcurrencyControlInLambdaConfig extends WebSecurityConfigurerAdapter { + static class ConcurrencyControlInLambdaConfig { - @Override - public void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .formLogin(withDefaults()) 
@@ -516,31 +511,29 @@ public class SessionManagementConfigurerTests { ) ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } @Configuration @EnableWebSecurity - static class SessionCreationPolicyStateLessInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SessionCreationPolicyStateLessInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessionManagement) -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS) ); + return http.build(); // @formatter:on } @@ -548,16 +541,17 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .maximumSessions(1); + return http.build(); // @formatter:on } 
@@ -579,18 +573,19 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class SharedTrustResolverConfig extends WebSecurityConfigurerAdapter { + static class SharedTrustResolverConfig { static AuthenticationTrustResolver TR; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessions) -> sessions .requireExplicitAuthenticationStrategy(false) ) .setSharedObject(AuthenticationTrustResolver.class, TR); + return http.build(); // @formatter:on } @@ -598,16 +593,17 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class SessionRegistryOneBeanConfig extends WebSecurityConfigurerAdapter { + static class SessionRegistryOneBeanConfig { private static SessionRegistry SESSION_REGISTRY; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .maximumSessions(1); + return http.build(); // @formatter:on } @@ -620,18 +616,19 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class SessionRegistryTwoBeansConfig extends WebSecurityConfigurerAdapter { + static class SessionRegistryTwoBeansConfig { private static SessionRegistry SESSION_REGISTRY_ONE; private static SessionRegistry SESSION_REGISTRY_TWO; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .maximumSessions(1); + return http.build(); // @formatter:on } 
@@ -682,10 +679,10 @@ public class SessionManagementConfigurerTests { @Configuration @EnableWebSecurity - static class HttpBasicSessionCreationPolicyStatelessConfig extends WebSecurityConfigurerAdapter { + static class HttpBasicSessionCreationPolicyStatelessConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement((sessionManagement) -> @@ -694,15 +691,12 @@ public class SessionManagementConfigurerTests { ) .httpBasic(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser(PasswordEncodedUser.user()); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTransientAuthenticationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTransientAuthenticationTests.java index 51f370bc8e..bef7862820 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTransientAuthenticationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTransientAuthenticationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -20,19 +20,19 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AuthenticationProvider; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.Transient; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; 
@@ -66,36 +66,30 @@ public class SessionManagementConfigurerTransientAuthenticationTests { @Configuration @EnableWebSecurity - static class WithTransientAuthenticationConfig extends WebSecurityConfigurerAdapter { + static class WithTransientAuthenticationConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http - .csrf().disable(); - // @formatter:on - } - - @Override - protected void configure(AuthenticationManagerBuilder auth) { - // @formatter:off - auth + .csrf().disable() .authenticationProvider(new TransientAuthenticationProvider()); // @formatter:on + return http.build(); } } @Configuration @EnableWebSecurity - static class AlwaysCreateSessionConfig extends WithTransientAuthenticationConfig { + static class AlwaysCreateSessionConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java index e83f1ddc13..df220727a3 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurerTests.java 
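Review bot: AlwaysCreateSessionConfig no longer extends WithTransientAuthenticationConfig, so it loses the TransientAuthenticationProvider it used to inherit through `configure(AuthenticationManagerBuilder)`. The new `filterChain` bean does not register it again. If the test that loads this config still expects a transient authentication to succeed, it may now pass or fail for an unrelated reason; adding `http.authenticationProvider(new TransientAuthenticationProvider());` before `return http.build();` would keep the old behaviour. Separately, WithTransientAuthenticationConfig drops the `super.configure(http)` call, and the adapter defaults it applied (as far as I recall, authenticated-by-default plus form login and HTTP basic) are not restated. It is worth confirming that the "no session created" assertions still go through a real authentication attempt, since the test methods are outside this hunk.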
@@ -32,10 +32,9 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletContext; import org.springframework.security.config.Customizer; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; @@ -174,24 +173,22 @@ public class UrlAuthorizationConfigurerTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception { // @formatter:off http .httpBasic().and() - .apply(new UrlAuthorizationConfigurer(getApplicationContext())).getRegistry() + .apply(new UrlAuthorizationConfigurer(context)).getRegistry() .mvcMatchers("/path").hasRole("ADMIN"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @RestController 
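Review bot: MvcMatcherConfig previously called `auth.inMemoryAuthentication()` with no users at all, and the new `userDetailsService()` bean registers `PasswordEncodedUser.user()`, so the fixture now accepts a valid credential that did not exist before. That is harmless for unauthenticated 401 checks, but it changes what a denied request against `/path` means: authentication could now succeed and authorization fail. If the intent is to keep the store empty, `return new InMemoryUserDetailsManager();` preserves the old fixture. Otherwise a short comment such as `// default test user lacks ROLE_ADMIN, so /path stays denied` would record the assumption, which I have not verified from this hunk. The same substitution is made in MvcMatcherServletPathConfig in the following hunk.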
@@ -209,24 +206,22 @@ public class UrlAuthorizationConfigurerTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class MvcMatcherServletPathConfig extends WebSecurityConfigurerAdapter { + static class MvcMatcherServletPathConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception { // @formatter:off http .httpBasic().and() - .apply(new UrlAuthorizationConfigurer(getApplicationContext())).getRegistry() + .apply(new UrlAuthorizationConfigurer(context)).getRegistry() .mvcMatchers("/path").servletPath("/spring").hasRole("ADMIN"); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } @RestController @@ -243,14 +238,15 @@ public class UrlAuthorizationConfigurerTests { @EnableWebSecurity @Configuration - static class AnonymousUrlAuthorizationConfig extends WebSecurityConfigurerAdapter { + static class AnonymousUrlAuthorizationConfig { - @Override - public void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .apply(new UrlAuthorizationConfigurer<>(null)).getRegistry() .anyRequest().anonymous(); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java index eb2e168789..ad9480f622 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,16 +24,17 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.test.context.annotation.SecurityTestExecutionListeners; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.web.servlet.MockMvc; 
@@ -132,10 +133,10 @@ public class UrlAuthorizationsTests { @Configuration @EnableWebSecurity - static class RoleConfig extends WebSecurityConfigurerAdapter { + static class RoleConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -145,6 +146,7 @@ public class UrlAuthorizationsTests { .antMatchers("/role-user").hasAnyRole("USER") .antMatchers("/role-admin").hasAnyRole("ADMIN") .antMatchers("/role-user-admin").hasAnyRole("USER", "ADMIN"); + return http.build(); // @formatter:on } @@ -152,17 +154,17 @@ public class UrlAuthorizationsTests { @Configuration @EnableWebSecurity - static class NoSpecificAccessDecisionManagerConfig extends WebSecurityConfigurerAdapter { + static class NoSpecificAccessDecisionManagerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { - ApplicationContext context = getApplicationContext(); + @Bean + SecurityFilterChain filterChain(HttpSecurity http, ApplicationContext context) throws Exception { UrlAuthorizationConfigurer.StandardInterceptUrlRegistry registry = http .apply(new UrlAuthorizationConfigurer(context)).getRegistry(); // @formatter:off registry .antMatchers("/a").hasRole("ADMIN") .anyRequest().hasRole("USER"); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java index 369cb07e4d..017e64bcab 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java 
@@ -30,15 +30,14 @@ import org.springframework.context.annotation.Configuration; import org.springframework.core.io.ClassPathResource; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.context.SecurityContextChangedListener; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; @@ -154,15 +153,16 @@ public class X509ConfigurerTests { @Configuration @EnableWebSecurity - static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter { + static class ObjectPostProcessorConfig { static ObjectPostProcessor objectPostProcessor = spy(ReflectingObjectPostProcessor.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .x509(); + return http.build(); // @formatter:on } 
@@ -184,10 +184,10 @@ public class X509ConfigurerTests { @Configuration @EnableWebSecurity - static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter { + static class DuplicateDoesNotOverrideConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .x509() 
@@ -195,48 +195,46 @@ public class X509ConfigurerTests { .and() .x509(); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } } @Configuration @EnableWebSecurity - static class DefaultsInLambdaConfig extends WebSecurityConfigurerAdapter { + static class DefaultsInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .x509(withDefaults()); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } } @Configuration @EnableWebSecurity - static class SubjectPrincipalRegexInLambdaConfig extends WebSecurityConfigurerAdapter { + static class SubjectPrincipalRegexInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .x509((x509) -> 
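Review bot: The same "rod" user is built with `User.withDefaultPasswordEncoder()` in DuplicateDoesNotOverrideConfig and DefaultsInLambdaConfig here, and again in SubjectPrincipalRegexInLambdaConfig in the next hunk. That builder is deprecated in Spring Security to signal it is unsuitable outside samples and tests, and these configs tend to be copied as migration examples. I would extract one private static helper for the three beans and document it, for example `// test fixture only; withDefaultPasswordEncoder() is not for production use`. The password appears not to matter for the X.509 flow, since the user should be resolved by certificate subject, but that is not confirmed by the lines shown here.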
@@ -244,15 +242,14 @@ public class X509ConfigurerTests { .subjectPrincipalRegex("CN=(.*?)@example.com(?:,|$)") ); // @formatter:on + return http.build(); } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("rod").password("password").roles("USER", "ADMIN"); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder().username("rod").password("password") + .roles("USER", "ADMIN").build(); + return new InMemoryUserDetailsManager(user); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java index 16a566d53a..6430075914 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -34,7 +34,6 @@ import org.springframework.mock.web.MockHttpSession; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService; @@ -61,6 +60,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; @@ -284,10 +284,10 @@ public class OAuth2ClientConfigurerTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class OAuth2ClientConfig extends WebSecurityConfigurerAdapter { + static class OAuth2ClientConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -301,6 +301,7 @@ public class OAuth2ClientConfigurerTests { .authorizationRequestResolver(authorizationRequestResolver) .authorizationRedirectStrategy(authorizationRedirectStrategy) .accessTokenResponseClient(accessTokenResponseClient); + return http.build(); // @formatter:on } 
@@ -330,10 +331,10 @@ public class OAuth2ClientConfigurerTests { @EnableWebSecurity @Configuration @EnableWebMvc - static class OAuth2ClientInLambdaConfig extends WebSecurityConfigurerAdapter { + static class OAuth2ClientInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -341,6 +342,7 @@ public class OAuth2ClientConfigurerTests { .anyRequest().authenticated() ) .oauth2Client(withDefaults()); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java index 1facc1f7eb..a2db14a3e2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java @@ -44,7 +44,6 @@ import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.authentication.event.AuthenticationSuccessEvent; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.oauth2.client.CommonOAuth2Provider; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; 
@@ -88,6 +87,7 @@ import org.springframework.security.oauth2.jwt.JwtDecoderFactory; import org.springframework.security.oauth2.jwt.TestJwts; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.RedirectStrategy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.HttpStatusEntryPoint; import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; @@ -660,20 +660,20 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginConfig extends CommonWebSecurityConfigurerAdapter + static class OAuth2LoginConfig extends CommonSecurityFilterChainConfig implements ApplicationListener { static List EVENTS = new ArrayList<>(); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() .clientRegistrationRepository( new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } @Override @@ -685,13 +685,13 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginConfigFormLogin extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigFormLogin extends CommonSecurityFilterChainConfig { private final InMemoryClientRegistrationRepository clientRegistrationRepository = new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() 
@@ -699,20 +699,20 @@ public class OAuth2LoginConfigurerTests { .and() .formLogin(); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginInLambdaConfig extends CommonLambdaWebSecurityConfigurerAdapter + static class OAuth2LoginInLambdaConfig extends CommonLambdaSecurityFilterChainConfig implements ApplicationListener { static List EVENTS = new ArrayList<>(); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login((oauth2Login) -> @@ -721,7 +721,7 @@ public class OAuth2LoginConfigurerTests { new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)) ); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } @Override @@ -733,10 +733,10 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomWithConfigurer extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomWithConfigurer extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() 
@@ -745,22 +745,22 @@ public class OAuth2LoginConfigurerTests { .userInfoEndpoint() .userAuthoritiesMapper(createGrantedAuthoritiesMapper()); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomWithBeanRegistration extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomWithBeanRegistration extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login(); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } @Bean @@ -777,10 +777,10 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomUserServiceBeanRegistration extends WebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomUserServiceBeanRegistration { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -792,6 +792,7 @@ public class OAuth2LoginConfigurerTests { .oauth2Login() .tokenEndpoint() .accessTokenResponseClient(createOauth2AccessTokenResponseClient()); + return http.build(); // @formatter:on } @@ -829,10 +830,10 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginConfigLoginProcessingUrl extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigLoginProcessingUrl extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() 
@@ -840,22 +841,22 @@ public class OAuth2LoginConfigurerTests { new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)) .loginProcessingUrl("/login/oauth2/*"); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonSecurityFilterChainConfig { private ClientRegistrationRepository clientRegistrationRepository = new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION); OAuth2AuthorizationRequestResolver resolver = mock(OAuth2AuthorizationRequestResolver.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() @@ -863,7 +864,7 @@ public class OAuth2LoginConfigurerTests { .authorizationEndpoint() .authorizationRequestResolver(this.resolver); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @@ -871,15 +872,15 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity static class OAuth2LoginConfigCustomAuthorizationRequestResolverInLambda - extends CommonLambdaWebSecurityConfigurerAdapter { + extends CommonLambdaSecurityFilterChainConfig { private ClientRegistrationRepository clientRegistrationRepository = new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION); OAuth2AuthorizationRequestResolver resolver = mock(OAuth2AuthorizationRequestResolver.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login((oauth2Login) -> 
@@ -891,22 +892,22 @@ public class OAuth2LoginConfigurerTests { ) ); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomAuthorizationRedirectStrategy extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomAuthorizationRedirectStrategy extends CommonSecurityFilterChainConfig { private final ClientRegistrationRepository clientRegistrationRepository = new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION); RedirectStrategy redirectStrategy = mock(RedirectStrategy.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login((oauth2Login) -> @@ -918,22 +919,22 @@ public class OAuth2LoginConfigurerTests { ) ); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @EnableWebSecurity static class OAuth2LoginConfigCustomAuthorizationRedirectStrategyInLambda - extends CommonLambdaWebSecurityConfigurerAdapter { + extends CommonLambdaSecurityFilterChainConfig { private final ClientRegistrationRepository clientRegistrationRepository = new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION); RedirectStrategy redirectStrategy = mock(RedirectStrategy.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login((oauth2Login) -> 
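Review bot: In OAuth2LoginConfigCustomAuthorizationRedirectStrategyInLambda the new `@Bean` method is named `configureFilterChain` and returns `super.configureFilterChain(http)`, so it presumably overrides the parent's helper rather than adding a separate `filterChain` bean as every sibling config does. The class also carries only `@EnableWebSecurity`, while the next hunk adds `@Configuration` to OAuth2LoginConfigMultipleClients for what looks like the same gap. For consistency I would declare it as `SecurityFilterChain filterChain(HttpSecurity http) throws Exception {` and add `@Configuration` above the class. The class body continues past the end of this hunk.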
@@ -945,16 +946,17 @@ public class OAuth2LoginConfigurerTests { ) ); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } + @Configuration @EnableWebSecurity - static class OAuth2LoginConfigMultipleClients extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigMultipleClients extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() @@ -962,17 +964,17 @@ public class OAuth2LoginConfigurerTests { new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION, GITHUB_CLIENT_REGISTRATION)); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigAuthorizationCodeClientAndOtherClients extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigAuthorizationCodeClientAndOtherClients extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() @@ -980,17 +982,17 @@ public class OAuth2LoginConfigurerTests { new InMemoryClientRegistrationRepository( GOOGLE_CLIENT_REGISTRATION, CLIENT_CREDENTIALS_REGISTRATION)); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomLoginPage extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomLoginPage extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() 
@@ -998,17 +1000,17 @@ public class OAuth2LoginConfigurerTests { new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)) .loginPage("/custom-login"); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigCustomLoginPageInLambda extends CommonLambdaWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigCustomLoginPageInLambda extends CommonLambdaSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login((oauth2Login) -> @@ -1018,23 +1020,23 @@ public class OAuth2LoginConfigurerTests { .loginPage("/custom-login") ); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginConfigWithOidcLogoutSuccessHandler extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginConfigWithOidcLogoutSuccessHandler extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .logout() .logoutSuccessHandler(oidcLogoutSuccessHandler()); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } @Bean @@ -1053,10 +1055,10 @@ public class OAuth2LoginConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginWithHttpBasicConfig extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginWithHttpBasicConfig extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() 
@@ -1065,17 +1067,17 @@ public class OAuth2LoginConfigurerTests { .and() .httpBasic(); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } @Configuration @EnableWebSecurity - static class OAuth2LoginWithXHREntryPointConfig extends CommonWebSecurityConfigurerAdapter { + static class OAuth2LoginWithXHREntryPointConfig extends CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2Login() @@ -1087,15 +1089,14 @@ public class OAuth2LoginConfigurerTests { new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest")); // @formatter:on - super.configure(http); + return super.configureFilterChain(http); } } - private abstract static class CommonWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { + private abstract static class CommonSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1112,6 +1113,7 @@ public class OAuth2LoginConfigurerTests { .userService(createOauth2UserService()) .oidcUserService(createOidcUserService()); // @formatter:on + return http.build(); } @Bean 
@@ -1126,13 +1128,12 @@ public class OAuth2LoginConfigurerTests { } - private abstract static class CommonLambdaWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { + private abstract static class CommonLambdaSecurityFilterChainConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeRequests((authorizeRequests) -> + .authorizeHttpRequests((authorizeRequests) -> authorizeRequests .anyRequest().authenticated() ) @@ -1153,6 +1154,7 @@ public class OAuth2LoginConfigurerTests { ) ); // @formatter:on + return http.build(); } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java index c342fad86e..1c35b669a2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
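Review bot: In `CommonLambdaSecurityFilterChainConfig.configureFilterChain` the change from `.authorizeRequests(...)` to `.authorizeHttpRequests(...)` is a behavioural change folded into an otherwise mechanical migration. It swaps the authorization mechanism under test (`AuthorizationFilter` instead of `FilterSecurityInterceptor`), while the non-lambda `CommonSecurityFilterChainConfig` in the preceding hunks keeps `authorizeRequests()`. The lambda and non-lambda OAuth2 login tests therefore no longer exercise the same authorization path, which may hide a regression in either one. If the switch is intended, rename the now-stale lambda parameter, e.g. `.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())`, and mention it in the commit message; otherwise keep `.authorizeRequests(...)` here.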
@@ -86,7 +86,6 @@ import org.springframework.security.config.annotation.method.configuration.Enabl import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; @@ -1458,10 +1457,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultConfig extends WebSecurityConfigurerAdapter { + static class DefaultConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1470,6 +1469,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1477,10 +1477,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultInLambdaConfig extends WebSecurityConfigurerAdapter { + static class DefaultInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -1492,6 +1492,7 @@ public class OAuth2ResourceServerConfigurerTests { oauth2ResourceServer .jwt(withDefaults()) ); + return http.build(); // @formatter:on } 
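Review bot: `return http.build();` is added between `// @formatter:off` and `// @formatter:on` in `DefaultConfig`, and the same placement repeats in the other `filterChain` methods of OAuth2ResourceServerConfigurerTests in the hunks that follow. The guard is there for the fluent `http` chain only; the return is an ordinary statement, and in OAuth2LoginConfigurerTests this same commit puts it after `// @formatter:on`. Moving it below the guard (`// @formatter:on` followed by `return http.build();`) keeps the two test files consistent and lets the formatter cover the statement.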
@@ -1499,13 +1500,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwkSetUriConfig extends WebSecurityConfigurerAdapter { + static class JwkSetUriConfig { @Value("${mockwebserver.url:https://example.org}") String jwkSetUri; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1515,6 +1516,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .jwkSetUri(this.jwkSetUri); + return http.build(); // @formatter:on } @@ -1522,13 +1524,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwkSetUriInLambdaConfig extends WebSecurityConfigurerAdapter { + static class JwkSetUriInLambdaConfig { @Value("${mockwebserver.url:https://example.org}") String jwkSetUri; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -1543,6 +1545,7 @@ public class OAuth2ResourceServerConfigurerTests { .jwkSetUri(this.jwkSetUri) ) ); + return http.build(); // @formatter:on } @@ -1550,13 +1553,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CsrfDisabledConfig extends WebSecurityConfigurerAdapter { + static class CsrfDisabledConfig { @Value("${mockwebserver.url:https://example.org}") String jwkSetUri; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1567,6 +1570,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .jwkSetUri(this.jwkSetUri); + return http.build(); // @formatter:on } 
@@ -1574,10 +1578,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class AnonymousDisabledConfig extends WebSecurityConfigurerAdapter { + static class AnonymousDisabledConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1586,6 +1590,7 @@ public class OAuth2ResourceServerConfigurerTests { .anonymous().disable() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1594,10 +1599,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) - static class MethodSecurityConfig extends WebSecurityConfigurerAdapter { + static class MethodSecurityConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1605,6 +1610,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1612,16 +1618,17 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwtlessConfig extends WebSecurityConfigurerAdapter { + static class JwtlessConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2ResourceServer(); + return http.build(); // @formatter:on } 
@@ -1629,10 +1636,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class RealmNameConfiguredOnEntryPoint extends WebSecurityConfigurerAdapter { + static class RealmNameConfiguredOnEntryPoint { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1641,6 +1648,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .authenticationEntryPoint(authenticationEntryPoint()) .jwt(); + return http.build(); // @formatter:on } @@ -1654,10 +1662,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class RealmNameConfiguredOnAccessDeniedHandler extends WebSecurityConfigurerAdapter { + static class RealmNameConfiguredOnAccessDeniedHandler { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1666,6 +1674,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .accessDeniedHandler(accessDeniedHandler()) .jwt(); + return http.build(); // @formatter:on } @@ -1679,10 +1688,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class ExceptionHandlingAndResourceServerWithAccessDeniedHandlerConfig extends WebSecurityConfigurerAdapter { + static class ExceptionHandlingAndResourceServerWithAccessDeniedHandlerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -1695,12 +1704,12 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager( // @formatter:off org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() @@ -1715,12 +1724,12 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwtAuthenticationConverterConfiguredOnDsl extends WebSecurityConfigurerAdapter { + static class JwtAuthenticationConverterConfiguredOnDsl { private final Converter jwtAuthenticationConverter = mock(Converter.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1729,6 +1738,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .jwtAuthenticationConverter(getJwtAuthenticationConverter()); + return http.build(); // @formatter:on } @@ -1740,10 +1750,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomAuthorityMappingConfig extends WebSecurityConfigurerAdapter { + static class CustomAuthorityMappingConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1752,6 +1762,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .jwtAuthenticationConverter(getJwtAuthenticationConverter()); + return http.build(); // @formatter:on } 
@@ -1766,10 +1777,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class BasicAndResourceServerConfig extends WebSecurityConfigurerAdapter { + static class BasicAndResourceServerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1779,12 +1790,12 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { return new InMemoryUserDetailsManager( // @formatter:off org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() @@ -1799,10 +1810,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class FormAndResourceServerConfig extends WebSecurityConfigurerAdapter { + static class FormAndResourceServerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1812,6 +1823,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1819,10 +1831,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OAuth2LoginAndResourceServerConfig extends WebSecurityConfigurerAdapter { + static class OAuth2LoginAndResourceServerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authz) -> authz 
@@ -1832,6 +1844,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer((oauth2) -> oauth2 .jwt() ); + return http.build(); // @formatter:on } @@ -1845,17 +1858,18 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwtHalfConfiguredConfig extends WebSecurityConfigurerAdapter { + static class JwtHalfConfiguredConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().authenticated() .and() .oauth2ResourceServer() - .jwt(); // missing key configuration, e.g. jwkSetUri + .jwt(); + return http.build(); // missing key configuration, e.g. jwkSetUri // @formatter:on } @@ -1863,10 +1877,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class AlwaysSessionCreationConfig extends WebSecurityConfigurerAdapter { + static class AlwaysSessionCreationConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() @@ -1874,6 +1888,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1881,10 +1896,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class AllowBearerTokenInRequestBodyConfig extends WebSecurityConfigurerAdapter { + static class AllowBearerTokenInRequestBodyConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
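Review bot: In `JwtHalfConfiguredConfig` the trailing comment `// missing key configuration, e.g. jwkSetUri` has moved from the `.jwt();` line onto the new `return http.build();` line, where it now reads as if the build call were what is missing configuration. The same slip appears in `OpaqueTokenHalfConfiguredConfig` further down, where `// missing credentials` ends up after `return http.build();` instead of after `.introspectionUri("https://idp.example.com");`. These comments are the only explanation of why the configs are deliberately incomplete, so they should stay on the DSL call they describe: `.jwt(); // missing key configuration, e.g. jwkSetUri` with `return http.build();` on its own line.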
@@ -1893,6 +1908,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .bearerTokenResolver(allowRequestBody()) .jwt(); + return http.build(); // @formatter:on } @@ -1906,10 +1922,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class AllowBearerTokenAsQueryParameterConfig extends WebSecurityConfigurerAdapter { + static class AllowBearerTokenAsQueryParameterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1917,6 +1933,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1931,10 +1948,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class MultipleBearerTokenResolverBeansConfig extends WebSecurityConfigurerAdapter { + static class MultipleBearerTokenResolverBeansConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -1942,6 +1959,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -1996,12 +2014,12 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomJwtDecoderOnDsl extends WebSecurityConfigurerAdapter { + static class CustomJwtDecoderOnDsl { JwtDecoder decoder = mock(JwtDecoder.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -2010,6 +2028,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .decoder(decoder()); + return http.build(); // @formatter:on } @@ -2021,12 +2040,12 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomJwtDecoderInLambdaOnDsl extends WebSecurityConfigurerAdapter { + static class CustomJwtDecoderInLambdaOnDsl { JwtDecoder decoder = mock(JwtDecoder.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -2040,6 +2059,7 @@ public class OAuth2ResourceServerConfigurerTests { .decoder(decoder()) ) ); + return http.build(); // @formatter:on } @@ -2051,10 +2071,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomJwtDecoderAsBean extends WebSecurityConfigurerAdapter { + static class CustomJwtDecoderAsBean { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2062,6 +2082,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -2074,10 +2095,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class JwtAuthenticationManagerConfig extends WebSecurityConfigurerAdapter { + static class JwtAuthenticationManagerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -2086,6 +2107,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .jwt() .authenticationManager(authenticationProvider()::authenticate); + return http.build(); // @formatter:on } @@ -2098,14 +2120,14 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultAndJwtAuthenticationManagerConfig extends WebSecurityConfigurerAdapter { + static class DefaultAndJwtAuthenticationManagerConfig { AuthenticationManager defaultAuthenticationManager = mock(AuthenticationManager.class); AuthenticationManager jwtAuthenticationManager = mock(AuthenticationManager.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authenticationManager(this.defaultAuthenticationManager) @@ -2117,6 +2139,7 @@ public class OAuth2ResourceServerConfigurerTests { .authenticationManager(this.jwtAuthenticationManager) ) ); + return http.build(); // @formatter:on } @@ -2132,20 +2155,21 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomJwtValidatorConfig extends WebSecurityConfigurerAdapter { + static class CustomJwtValidatorConfig { @Autowired NimbusJwtDecoder jwtDecoder; private final OAuth2TokenValidator jwtValidator = mock(OAuth2TokenValidator.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { this.jwtDecoder.setJwtValidator(this.jwtValidator); // @formatter:off http .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } 
@@ -2157,13 +2181,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class UnexpiredJwtClockSkewConfig extends WebSecurityConfigurerAdapter { + static class UnexpiredJwtClockSkewConfig { @Autowired NimbusJwtDecoder jwtDecoder; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { Clock nearlyAnHourFromTokenExpiry = Clock.fixed(Instant.ofEpochMilli(4687181540000L), ZoneId.systemDefault()); JwtTimestampValidator jwtValidator = new JwtTimestampValidator(Duration.ofHours(1)); @@ -2173,6 +2197,7 @@ public class OAuth2ResourceServerConfigurerTests { http .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -2180,13 +2205,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class ExpiredJwtClockSkewConfig extends WebSecurityConfigurerAdapter { + static class ExpiredJwtClockSkewConfig { @Autowired NimbusJwtDecoder jwtDecoder; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { Clock justOverOneHourAfterExpiry = Clock.fixed(Instant.ofEpochMilli(4687181595000L), ZoneId.systemDefault()); JwtTimestampValidator jwtValidator = new JwtTimestampValidator(Duration.ofHours(1)); @@ -2196,11 +2221,12 @@ public class OAuth2ResourceServerConfigurerTests { http .oauth2ResourceServer() .jwt(); + return http.build(); } } @Configuration @EnableWebSecurity - static class SingleKeyConfig extends WebSecurityConfigurerAdapter { + static class SingleKeyConfig { byte[] spec = Base64.getDecoder().decode( "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoXJ8OyOv/eRnce4akdan" + "R4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2" + 
@@ -2209,8 +2235,9 @@ public class OAuth2ResourceServerConfigurerTests { "iZCtPzL/IffDUcfhLQteGebhW8A6eUHgpD5A1PQ+JCw/G7UOzZAjjDjtNM2eqm8j" + "+Ms/gqnm4MiCZ4E+9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1Hu" + "QwIDAQAB"); - @Override - protected void configure(HttpSecurity http) throws Exception { + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2218,6 +2245,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -2232,10 +2260,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class CustomAuthenticationEventPublisher extends WebSecurityConfigurerAdapter { + static class CustomAuthenticationEventPublisher { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2243,6 +2271,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .jwt(); + return http.build(); // @formatter:on } @@ -2260,10 +2289,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2272,6 +2301,7 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .opaqueToken(); + return http.build(); // @formatter:on } 
@@ -2279,10 +2309,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenInLambdaConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -2294,6 +2324,7 @@ public class OAuth2ResourceServerConfigurerTests { oauth2ResourceServer .opaqueToken(withDefaults()) ); + return http.build(); // @formatter:on } @@ -2301,10 +2332,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenAuthenticationManagerConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenAuthenticationManagerConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2313,6 +2344,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .opaqueToken() .authenticationManager(authenticationProvider()::authenticate); + return http.build(); // @formatter:on } @@ -2325,10 +2357,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenAuthenticationManagerInLambdaConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenAuthenticationManagerInLambdaConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorizeRequests) -> @@ -2342,6 +2374,7 @@ public class OAuth2ResourceServerConfigurerTests { .authenticationManager(authenticationProvider()::authenticate) ) ); + return http.build(); // @formatter:on } 
@@ -2354,14 +2387,14 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class DefaultAndOpaqueTokenAuthenticationManagerConfig extends WebSecurityConfigurerAdapter { + static class DefaultAndOpaqueTokenAuthenticationManagerConfig { AuthenticationManager defaultAuthenticationManager = mock(AuthenticationManager.class); AuthenticationManager opaqueTokenAuthenticationManager = mock(AuthenticationManager.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authenticationManager(this.defaultAuthenticationManager) @@ -2373,6 +2406,7 @@ public class OAuth2ResourceServerConfigurerTests { .authenticationManager(this.opaqueTokenAuthenticationManager) ) ); + return http.build(); // @formatter:on } @@ -2388,16 +2422,17 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueAndJwtConfig extends WebSecurityConfigurerAdapter { + static class OpaqueAndJwtConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .oauth2ResourceServer() .jwt() .and() .opaqueToken(); + return http.build(); // @formatter:on } @@ -2405,10 +2440,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenHalfConfiguredConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenHalfConfiguredConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -2416,7 +2451,8 @@ public class OAuth2ResourceServerConfigurerTests { .and() .oauth2ResourceServer() .opaqueToken() - .introspectionUri("https://idp.example.com"); // missing credentials + .introspectionUri("https://idp.example.com"); + return http.build(); // missing credentials // @formatter:on } @@ -2424,13 +2460,13 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class MultipleIssuersConfig extends WebSecurityConfigurerAdapter { + static class MultipleIssuersConfig { @Autowired MockWebServer web; - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { String issuerOne = this.web.url("/issuerOne").toString(); String issuerTwo = this.web.url("/issuerTwo").toString(); JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver( @@ -2439,6 +2475,7 @@ public class OAuth2ResourceServerConfigurerTests { http .oauth2ResourceServer() .authenticationManagerResolver(authenticationManagerResolver); + return http.build(); // @formatter:on } @@ -2446,10 +2483,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class AuthenticationManagerResolverPlusOtherConfig extends WebSecurityConfigurerAdapter { + static class AuthenticationManagerResolverPlusOtherConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2458,6 +2495,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .authenticationManagerResolver(mock(AuthenticationManagerResolver.class)) .opaqueToken(); + return http.build(); // @formatter:on } 
@@ -2465,10 +2503,10 @@ public class OAuth2ResourceServerConfigurerTests { @Configuration @EnableWebSecurity - static class OpaqueTokenAuthenticationConverterConfig extends WebSecurityConfigurerAdapter { + static class OpaqueTokenAuthenticationConverterConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -2478,6 +2516,7 @@ public class OAuth2ResourceServerConfigurerTests { .oauth2ResourceServer() .opaqueToken() .authenticationConverter(authenticationConverter()); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java index d49ac1bd0e..a92d6060bb 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java @@ -47,7 +47,6 @@ import org.springframework.security.authentication.AuthenticationServiceExceptio import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.test.SpringTestContext; import org.springframework.security.config.test.SpringTestContextExtension; import org.springframework.security.core.Authentication; 
@@ -386,12 +385,12 @@ public class Saml2LoginConfigurerTests { @Configuration @EnableWebSecurity @Import(Saml2LoginConfigBeans.class) - static class Saml2LoginConfigWithCustomAuthenticationManager extends WebSecurityConfigurerAdapter { + static class Saml2LoginConfigWithCustomAuthenticationManager { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.saml2Login().authenticationManager(getAuthenticationManagerMock("ROLE_AUTH_MANAGER")); - super.configure(http); + return http.build(); } } @@ -399,17 +398,17 @@ public class Saml2LoginConfigurerTests { @Configuration @EnableWebSecurity @Import(Saml2LoginConfigBeans.class) - static class Saml2LoginConfigWithDefaultAndCustomAuthenticationManager extends WebSecurityConfigurerAdapter { + static class Saml2LoginConfigWithDefaultAndCustomAuthenticationManager { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authenticationManager(getAuthenticationManagerMock("DEFAULT_AUTH_MANAGER")) .saml2Login((saml) -> saml .authenticationManager(getAuthenticationManagerMock("ROLE_AUTH_MANAGER")) ); - super.configure(http); + return http.build(); // @formatter:on } 
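Review bot: Replacing `super.configure(http);` with `return http.build();` in `Saml2LoginConfigWithCustomAuthenticationManager` and `Saml2LoginConfigWithDefaultAndCustomAuthenticationManager` is not a like-for-like swap. The deleted adapter's default `configure(HttpSecurity)` added `anyRequest().authenticated()`, form login and HTTP basic, and the new chains declare no authorization rule at all. The same call is dropped without replacement in the `Config` classes of `SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests` and `SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTests`. If any of these tests relied on unauthenticated requests being rejected, they may now pass for the wrong reason. Where that matters, state the rule explicitly, e.g. `http.authorizeRequests((authz) -> authz.anyRequest().authenticated());` as `CustomAuthenticationFailureHandler` in this file does; otherwise add a one-line comment that the chain is intentionally left open.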
@@ -418,15 +417,16 @@ public class Saml2LoginConfigurerTests { @Configuration @EnableWebSecurity @Import(Saml2LoginConfigBeans.class) - static class CustomAuthenticationFailureHandler extends WebSecurityConfigurerAdapter { + static class CustomAuthenticationFailureHandler { static final AuthenticationFailureHandler authenticationFailureHandler = mock( AuthenticationFailureHandler.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeRequests((authz) -> authz.anyRequest().authenticated()) .saml2Login((saml2) -> saml2.failureHandler(authenticationFailureHandler)); + return http.build(); } } @@ -498,14 +498,15 @@ public class Saml2LoginConfigurerTests { @Configuration @EnableWebSecurity @Import(Saml2LoginConfigBeans.class) - static class CustomAuthenticationConverter extends WebSecurityConfigurerAdapter { + static class CustomAuthenticationConverter { static final AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class); - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeRequests((authz) -> authz.anyRequest().authenticated()) .saml2Login((saml2) -> saml2.authenticationConverter(authenticationConverter)); + return http.build(); } } diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java index c092bfbc1d..c841bad4c3 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,7 +29,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; import org.springframework.security.config.annotation.authentication.configuration.GlobalAuthenticationConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.core.userdetails.UserDetailsService; @@ -79,7 +78,7 @@ public class AuthenticationConfigurationGh3935Tests { @Configuration @EnableWebSecurity - static class WebSecurity extends WebSecurityConfigurerAdapter { + static class WebSecurity { } diff --git a/config/src/test/java/org/springframework/security/config/core/GrantedAuthorityDefaultsJcTests.java b/config/src/test/java/org/springframework/security/config/core/GrantedAuthorityDefaultsJcTests.java index 4e996c9e5e..7655d3e208 100644 --- a/config/src/test/java/org/springframework/security/config/core/GrantedAuthorityDefaultsJcTests.java +++ b/config/src/test/java/org/springframework/security/config/core/GrantedAuthorityDefaultsJcTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -40,10 +40,10 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; @@ -150,7 +150,7 @@ public class GrantedAuthorityDefaultsJcTests { @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true) - static class Config extends WebSecurityConfigurerAdapter { + static class Config { @Autowired void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { @@ -161,12 +161,13 @@ public class GrantedAuthorityDefaultsJcTests { // @formatter:on } - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .anyRequest().access("hasRole('USER')"); + return http.build(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/crypto/RsaKeyConversionServicePostProcessorTests.java b/config/src/test/java/org/springframework/security/config/crypto/RsaKeyConversionServicePostProcessorTests.java index 88f876e29f..d5225ab334 100644 
--- a/config/src/test/java/org/springframework/security/config/crypto/RsaKeyConversionServicePostProcessorTests.java +++ b/config/src/test/java/org/springframework/security/config/crypto/RsaKeyConversionServicePostProcessorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomHttpSecurityConfigurerTests.java b/config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomHttpSecurityConfigurerTests.java index f4b82e28b7..077a530388 100644 --- a/config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomHttpSecurityConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/http/customconfigurer/CustomHttpSecurityConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -34,8 +34,8 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import static org.assertj.core.api.Assertions.assertThat; 
@@ -112,14 +112,15 @@ public class CustomHttpSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .apply(CustomConfigurer.customConfigurer()) .loginPage("/custom"); + return http.build(); // @formatter:on } @@ -137,10 +138,10 @@ public class CustomHttpSecurityConfigurerTests { @Configuration @EnableWebSecurity - static class ConfigCustomize extends WebSecurityConfigurerAdapter { + static class ConfigCustomize { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .apply(CustomConfigurer.customConfigurer()) @@ -148,6 +149,7 @@ public class CustomHttpSecurityConfigurerTests { .csrf().disable() .formLogin() .loginPage("/other"); + return http.build(); // @formatter:on } diff --git a/docs/modules/ROOT/pages/whats-new.adoc b/docs/modules/ROOT/pages/whats-new.adoc index a601cb04fd..81eed226f5 100644 --- a/docs/modules/ROOT/pages/whats-new.adoc +++ b/docs/modules/ROOT/pages/whats-new.adoc 
@@ -18,3 +18,5 @@ Reorganize imports * https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository` * https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()` * https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter` +* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`. +Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean]. diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java index a8ea29a6f6..14909d24e1 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/Sec2935Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2015 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,12 +22,13 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -110,10 +111,10 @@ public class Sec2935Tests { @EnableWebSecurity @Configuration - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -121,6 +122,7 @@ public class Sec2935Tests { .anyRequest().authenticated() .and() .httpBasic(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests.java index a330007184..1ff15e3d8f 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests.java 
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,13 +21,15 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -74,24 +76,21 @@ public class SecurityMockMvcRequestPostProcessorsAuthenticationStatelessTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); + return http.build(); // @formatter:on } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication(); - // @formatter:on + @Bean + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(); } @RestController diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java index 25235f25d3..8ce4959ef5 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -29,15 +29,16 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpSession; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessorsCsrfTests.Config.TheController; import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.test.context.ContextConfiguration; @@ -229,10 +230,11 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests { @Configuration @EnableWebSecurity - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @RestController diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2ClientTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2ClientTests.java index 5ffdcc5cca..4ee24726dc 100644 
--- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2ClientTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2ClientTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,7 +28,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient; @@ -39,6 +38,7 @@ import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepo import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.TestOAuth2AccessTokens; import org.springframework.security.test.context.TestSecurityContextHolder; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -151,16 +151,17 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2ClientTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class OAuth2ClientConfig extends WebSecurityConfigurerAdapter { + static class OAuth2ClientConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authz) -> authz .anyRequest().permitAll() ) .oauth2Client(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java index eb71ea508e..35c545a30f 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOAuth2LoginTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -31,7 +31,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; @@ -43,6 +42,7 @@ import org.springframework.security.oauth2.client.registration.TestClientRegistr import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; import org.springframework.security.oauth2.core.user.DefaultOAuth2User; import org.springframework.security.oauth2.core.user.OAuth2User; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -146,16 +146,17 @@ public class SecurityMockMvcRequestPostProcessorsOAuth2LoginTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class OAuth2LoginConfig extends WebSecurityConfigurerAdapter { + static class OAuth2LoginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests((authorize) -> authorize .mvcMatchers("/admin/**").hasAuthority("SCOPE_admin") .anyRequest().hasAuthority("SCOPE_read") ).oauth2Login(); + return http.build(); // @formatter:on } 
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java index 2246d962db..566a4475cb 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,7 +30,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; 
@@ -44,6 +43,7 @@ import org.springframework.security.oauth2.core.oidc.TestOidcIdTokens; import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; import org.springframework.security.oauth2.core.oidc.user.OidcUser; import org.springframework.security.test.context.TestSecurityContextHolder; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -148,10 +148,10 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class OAuth2LoginConfig extends WebSecurityConfigurerAdapter { + static class OAuth2LoginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -159,6 +159,7 @@ public class SecurityMockMvcRequestPostProcessorsOidcLoginTests { .anyRequest().hasAuthority("SCOPE_read") .and() .oauth2Login(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java index 968f760e7d..1b7fa97ed4 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOpaqueTokenTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,16 +26,17 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; import org.springframework.security.oauth2.core.TestOAuth2AuthenticatedPrincipals; import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -119,10 +120,10 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class OAuth2LoginConfig extends WebSecurityConfigurerAdapter { + static class OAuth2LoginConfig { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -132,6 +133,7 @@ public class SecurityMockMvcRequestPostProcessorsOpaqueTokenTests { .oauth2ResourceServer() .opaqueToken() .introspector(mock(OpaqueTokenIntrospector.class)); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTests.java index 43e2cc9dd3..f6adf0c9e4 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,13 +22,14 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -71,15 +72,15 @@ public class SecurityMockMvcRequestPostProcessorsTestSecurityContextStatelessTes @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { - super.configure(http); + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java b/test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java index d12fde372c..f4f99a5502 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java 
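Review bot: Dropping `super.configure(http)` from `Config.filterChain` changes what the chain enforces, not only how it is declared. The adapter's default `configure(HttpSecurity)` added `authorizeRequests().anyRequest().authenticated()` together with form login and HTTP Basic, while the new bean keeps only the stateless session policy. If the tests in this class (outside the hunk) expect a successful response for a `@WithMockUser` request, they can now pass even when the test security context never reaches the request, so the regression they guard against would go unnoticed. Keeping the rule explicit preserves the check: `http.authorizeRequests().anyRequest().authenticated().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);`. The rest of `Config` lies outside the hunk.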
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,11 +21,12 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -91,10 +92,10 @@ public class Gh3409Tests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -103,6 +104,7 @@ public class Gh3409Tests { .and() .formLogin().and() .httpBasic(); + return http.build(); // @formatter:on } 
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultHandlersTest.java b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultHandlersTest.java
index c31a66773d..570ee185aa 100644
--- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultHandlersTest.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultHandlersTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java
index edd017020a..789ad89d7b 100644
--- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,7 +25,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; @@ -103,11 +102,10 @@ public class SecurityMockMvcResultMatchersTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { // @formatter:off UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER", "SELLER").build(); // @formatter:on diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java index a7cd009e1e..e4fe613486 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -27,7 +27,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; @@ -82,11 +81,10 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { // @formatter:off UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("ADMIN", "SELLER").build(); return new InMemoryUserDetailsManager(user); diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/setup/SecurityMockMvcConfigurersTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/setup/SecurityMockMvcConfigurersTests.java index 9018b8294a..824ae10ebb 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/setup/SecurityMockMvcConfigurersTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/setup/SecurityMockMvcConfigurersTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CsrfShowcaseTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CsrfShowcaseTests.java index 35d67b2edf..8177168c20 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CsrfShowcaseTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CsrfShowcaseTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,11 +21,12 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -73,10 +74,11 @@ public class CsrfShowcaseTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Autowired diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CustomCsrfShowcaseTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CustomCsrfShowcaseTests.java index 61257da40f..d2168737f5 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CustomCsrfShowcaseTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/CustomCsrfShowcaseTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.test.context.ContextConfiguration; 
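Review bot: The new `filterChain` bean in `CsrfShowcaseTests.Config` is only `return http.build();`, so the CSRF behaviour this showcase exercises comes entirely from the defaults applied to the injected `HttpSecurity`, and nothing in the method says so. A one-line comment such as `// no customisation: relies on the HttpSecurity defaults, CSRF protection included` would make that dependency visible to whoever edits the chain next. The identical bean in the DefaultCsrfShowcaseTests hunk would benefit from the same comment. The remainder of `Config`, starting at `@Autowired`, lies outside the hunk.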
@@ -76,14 +76,15 @@ public class CustomCsrfShowcaseTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .csrf() .csrfTokenRepository(repo()); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/DefaultCsrfShowcaseTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/DefaultCsrfShowcaseTests.java index a932ad7e69..06fdf6ca07 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/DefaultCsrfShowcaseTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/csrf/DefaultCsrfShowcaseTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -21,11 +21,12 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -70,10 +71,11 @@ public class DefaultCsrfShowcaseTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); } @Autowired diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java index 63ba08c4c5..dfa98725b6 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java
index 140a02601d..a77c0196ea 100644
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,11 +25,11 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.test.context.ContextConfiguration; @@ -90,10 +90,10 @@ public class CustomConfigAuthenticationTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -106,13 +106,13 @@ public class CustomConfigAuthenticationTests { .usernameParameter("user") .passwordParameter("pass") .loginPage("/authenticate"); + return http.build(); // @formatter:on } // @formatter:off - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build(); return new InMemoryUserDetailsManager(user); } 
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java index dd45c9739f..743034d80a 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,12 +25,12 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -80,10 +80,10 @@ public class CustomLoginRequestBuilderAuthenticationTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -93,13 +93,13 @@ public class CustomLoginRequestBuilderAuthenticationTests { .usernameParameter("user") .passwordParameter("pass") .loginPage("/authenticate"); + return http.build(); // @formatter:on } // @formatter:off - @Override @Bean - public UserDetailsService userDetailsService() { + UserDetailsService userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build(); return new InMemoryUserDetailsManager(user); } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java index b4601fa410..e5cf793409 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/DefaultfSecurityRequestsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -21,11 +21,12 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -88,10 +89,10 @@ public class DefaultfSecurityRequestsTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -99,6 +100,7 @@ public class DefaultfSecurityRequestsTests { .anyRequest().authenticated() .and() .httpBasic(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java index 0a6fbe184b..4bad413ecc 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/SecurityRequestsTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,13 +24,14 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.TestingAuthenticationToken; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.PasswordEncodedUser; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -105,10 +106,10 @@ public class SecurityRequestsTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() 
@@ -117,21 +118,12 @@ public class SecurityRequestsTests { .and() .formLogin(); // @formatter:on + return http.build(); } - @Autowired - void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - // @formatter:off - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - // @formatter:on - } - - @Override @Bean - public UserDetailsService userDetailsServiceBean() throws Exception { - return super.userDetailsServiceBean(); + UserDetailsService userDetailsService() { + return new InMemoryUserDetailsManager(PasswordEncodedUser.user()); } } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java index 89f566b0dd..7deaea7e3d 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserAuthenticationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -21,13 +21,14 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; @@ -89,10 +90,10 @@ public class WithUserAuthenticationTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -100,6 +101,7 @@ public class WithUserAuthenticationTests { .anyRequest().authenticated() .and() .formLogin(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java index 96ecbffb6f..c0c581c687 100644 
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserClassLevelAuthenticationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,13 +21,14 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.test.context.support.WithAnonymousUser; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.test.context.web.WebAppConfiguration; 
@@ -89,10 +90,10 @@ public class WithUserClassLevelAuthenticationTests { @Configuration @EnableWebSecurity @EnableWebMvc - static class Config extends WebSecurityConfigurerAdapter { + static class Config { - @Override - protected void configure(HttpSecurity http) throws Exception { + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() @@ -100,6 +101,7 @@ public class WithUserClassLevelAuthenticationTests { .anyRequest().authenticated() .and() .httpBasic(); + return http.build(); // @formatter:on } diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java index 9acdefd6e1..dc7b6219f8 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsAuthenticationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2014 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -23,12 +23,13 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.context.support.WithUserDetails;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -80,10 +81,10 @@ public class WithUserDetailsAuthenticationTests {
 @Configuration
 @EnableWebSecurity
 @EnableWebMvc
- static class Config extends WebSecurityConfigurerAdapter {
+ static class Config {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .authorizeRequests()
@@ -92,22 +93,12 @@ public class WithUserDetailsAuthenticationTests {
 .and()
 .formLogin();
 // @formatter:on
+ return http.build();
 }
 @Bean
- @Override
- public UserDetailsService userDetailsServiceBean() throws Exception {
- return super.userDetailsServiceBean();
- }
-
- @Autowired
- void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
- // @formatter:off
- auth
- .inMemoryAuthentication()
- .withUser("user").password("password").roles("USER").and()
- .withUser("admin").password("password").roles("USER", "ADMIN");
- // @formatter:on
+ UserDetailsService userDetailsService() {
+ return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin());
 }
 }
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java
index 012b11cffb..8d9ebd0b26 100644
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/secured/WithUserDetailsClassLevelAuthenticationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
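Review bot: In `WithUserDetailsAuthenticationTests.Config` (hunk `@@ -92,22 +93,12 @@`), the new `userDetailsService()` bean takes its accounts from `PasswordEncodedUser.user()` and `PasswordEncodedUser.admin()`, so the usernames, roles and password handling that the removed `configureGlobal` spelled out are no longer readable in this showcase class. The `@WithUserDetails` tests outside the hunk presumably look users up by name against this bean, so a short comment above the method would keep that contract visible, for example `// fixture accounts (presumably "user" and "admin") with fixed test credentials; names must match the @WithUserDetails values`. Because files under `showcase` tend to be copied as examples, the comment should also state that the fixture is meant for tests only. The identical hunk in `WithUserDetailsClassLevelAuthenticationTests` (`@@ -91,22 +92,12 @@`) would take the same comment.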
@@ -23,12 +23,13 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.context.support.WithUserDetails;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -79,10 +80,10 @@ public class WithUserDetailsClassLevelAuthenticationTests {
 @Configuration
 @EnableWebSecurity
 @EnableWebMvc
- static class Config extends WebSecurityConfigurerAdapter {
+ static class Config {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .authorizeRequests()
@@ -91,22 +92,12 @@ public class WithUserDetailsClassLevelAuthenticationTests {
 .and()
 .formLogin();
 // @formatter:on
+ return http.build();
 }
 @Bean
- @Override
- public UserDetailsService userDetailsServiceBean() throws Exception {
- return super.userDetailsServiceBean();
- }
-
- @Autowired
- void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
- // @formatter:off
- auth
- .inMemoryAuthentication()
- .withUser("user").password("password").roles("USER").and()
- .withUser("admin").password("password").roles("USER", "ADMIN");
- // @formatter:on
+ UserDetailsService userDetailsService() {
+ return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin());
 }
 }
diff --git a/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java b/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
index 2ccfe3e068..123b19c88b 100644
--- a/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -30,9 +30,9 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
@@ -185,24 +185,25 @@ public class WebTestUtilsTests {
 @Configuration
 @EnableWebSecurity
- static class SecurityNoCsrfConfig extends WebSecurityConfigurerAdapter {
+ static class SecurityNoCsrfConfig {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http.csrf().disable();
+ return http.build();
 }
 }
 @Configuration
 @EnableWebSecurity
- static class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
+ static class CustomSecurityConfig {
 static CsrfTokenRepository CSRF_REPO;
 static SecurityContextRepository CONTEXT_REPO;
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .csrf()
@@ -210,6 +211,7 @@ public class WebTestUtilsTests {
 .and()
 .securityContext()
 .securityContextRepository(CONTEXT_REPO);
+ return http.build();
 // @formatter:on
 }
@@ -217,13 +219,14 @@ public class WebTestUtilsTests {
 @Configuration
 @EnableWebSecurity
- static class PartialSecurityConfig extends WebSecurityConfigurerAdapter {
+ static class PartialSecurityConfig {
- @Override
- public void configure(HttpSecurity http) {
+ @Bean
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .antMatcher("/willnotmatchthis");
+ return http.build();
 // @formatter:on
 }
@@ -236,7 +239,7 @@ public class WebTestUtilsTests {
 @Configuration
 @EnableWebSecurity
- static class SecurityConfigWithDefaults extends WebSecurityConfigurerAdapter {
+ static class SecurityConfigWithDefaults {
 }
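Review bot: `SecurityConfigWithDefaults` (hunk `@@ -236,7 +239,7 @@`) is now an empty `@EnableWebSecurity` class, and nothing in it says where its filter chain comes from. Before the change the empty subclass inherited the adapter's defaults; now they presumably come from the fallback chain that `WebSecurityConfiguration` registers when no `SecurityFilterChain` bean is declared, which is changed elsewhere in this patch and not visible here. A comment in the class body would document that dependency, e.g. `// intentionally empty: relies on the default SecurityFilterChain registered when none is declared`. Tests that read the CSRF token repository or the security context repository from this context presumably depend on that fallback keeping both filters enabled.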