Merge branch '5.7.x' into 5.8.x

2026-05-22 21:33:16 +00:00 · 2022-10-31 08:55:03 -05:00
parent 4112adf6a0 2915a70bf7
commit 66f2f1cde7
18 changed files with 368 additions and 141 deletions
@@ -19,8 +19,11 @@ package org.springframework.security.web.access.intercept;
 import java.io.IOException;
 import java.util.function.Supplier;

+import javax.servlet.DispatcherType;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

@@ -36,7 +39,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.util.Assert;
-import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.filter.GenericFilterBean;

 /**
 * An authorization filter that restricts access to the URL using
@@ -45,7 +48,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
 * @author Evgeniy Cheban
 * @since 5.5
 */
-public class AuthorizationFilter extends OncePerRequestFilter {
+public class AuthorizationFilter extends GenericFilterBean {

 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
 			.getContextHolderStrategy();
@@ -54,7 +57,11 @@ public class AuthorizationFilter extends OncePerRequestFilter {

 	private AuthorizationEventPublisher eventPublisher = AuthorizationFilter::noPublish;

-	private boolean shouldFilterAllDispatcherTypes = false;
+	private boolean observeOncePerRequest = true;
+
+	private boolean filterErrorDispatch = false;
+
+	private boolean filterAsyncDispatch = false;

 	/**
 	 * Creates an instance.
@@ -66,15 +73,57 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 	}

 	@Override
-	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
 			throws ServletException, IOException {

-		AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request);
-		this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision);
-		if (decision != null && !decision.isGranted()) {
-			throw new AccessDeniedException("Access Denied");
+		HttpServletRequest request = (HttpServletRequest) servletRequest;
+		HttpServletResponse response = (HttpServletResponse) servletResponse;
+
+		if (this.observeOncePerRequest && isApplied(request)) {
+			chain.doFilter(request, response);
+			return;
 		}
-		filterChain.doFilter(request, response);
+
+		if (skipDispatch(request)) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
+		request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);
+		try {
+			AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request);
+			this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision);
+			if (decision != null && !decision.isGranted()) {
+				throw new AccessDeniedException("Access Denied");
+			}
+			chain.doFilter(request, response);
+		}
+		finally {
+			request.removeAttribute(alreadyFilteredAttributeName);
+		}
+	}
+
+	private boolean skipDispatch(HttpServletRequest request) {
+		if (DispatcherType.ERROR.equals(request.getDispatcherType()) && !this.filterErrorDispatch) {
+			return true;
+		}
+		if (DispatcherType.ASYNC.equals(request.getDispatcherType()) && !this.filterAsyncDispatch) {
+			return true;
+		}
+		return false;
+	}
+
+	private boolean isApplied(HttpServletRequest request) {
+		return request.getAttribute(getAlreadyFilteredAttributeName()) != null;
+	}
+
+	private String getAlreadyFilteredAttributeName() {
+		String name = getFilterName();
+		if (name == null) {
+			name = getClass().getName();
+		}
+		return name + ".APPLIED";
 	}

 	/**
@@ -97,22 +146,6 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 		return authentication;
 	}

-	@Override
-	protected void doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response,
-			FilterChain filterChain) throws ServletException, IOException {
-		doFilterInternal(request, response, filterChain);
-	}
-
-	@Override
-	protected boolean shouldNotFilterAsyncDispatch() {
-		return !this.shouldFilterAllDispatcherTypes;
-	}
-
-	@Override
-	protected boolean shouldNotFilterErrorDispatch() {
-		return !this.shouldFilterAllDispatcherTypes;
-	}
-
 	/**
 	 * Use this {@link AuthorizationEventPublisher} to publish
 	 * {@link AuthorizationDeniedEvent}s and {@link AuthorizationGrantedEvent}s.
@@ -139,7 +172,9 @@ public class AuthorizationFilter extends OncePerRequestFilter {
 	 * @since 5.7
 	 */
 	public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes) {
-		this.shouldFilterAllDispatcherTypes = shouldFilterAllDispatcherTypes;
+		this.observeOncePerRequest = !shouldFilterAllDispatcherTypes;
+		this.filterErrorDispatch = shouldFilterAllDispatcherTypes;
+		this.filterAsyncDispatch = shouldFilterAllDispatcherTypes;
 	}

 	private static <T> void noPublish(Supplier<Authentication> authentication, T object,
@@ -147,4 +182,38 @@ public class AuthorizationFilter extends OncePerRequestFilter {

 	}

+	public boolean isObserveOncePerRequest() {
+		return this.observeOncePerRequest;
+	}
+
+	/**
+	 * Sets whether this filter apply only once per request. By default, this is
+	 * <code>true</code>, meaning the filter will only execute once per request. Sometimes
+	 * users may wish it to execute more than once per request, such as when JSP forwards
+	 * are being used and filter security is desired on each included fragment of the HTTP
+	 * request.
+	 * @param observeOncePerRequest whether the filter should only be applied once per
+	 * request
+	 */
+	public void setObserveOncePerRequest(boolean observeOncePerRequest) {
+		this.observeOncePerRequest = observeOncePerRequest;
+	}
+
+	/**
+	 * If set to true, the filter will be applied to error dispatcher. Defaults to false.
+	 * @param filterErrorDispatch whether the filter should be applied to error dispatcher
+	 */
+	public void setFilterErrorDispatch(boolean filterErrorDispatch) {
+		this.filterErrorDispatch = filterErrorDispatch;
+	}
+
+	/**
+	 * If set to true, the filter will be applied to the async dispatcher. Defaults to
+	 * false.
+	 * @param filterAsyncDispatch whether the filter should be applied to async dispatch
+	 */
+	public void setFilterAsyncDispatch(boolean filterAsyncDispatch) {
+		this.filterAsyncDispatch = filterAsyncDispatch;
+	}
+
 }
@@ -16,16 +16,20 @@

 package org.springframework.security.web.access.intercept;

+import java.io.IOException;
 import java.util.function.Supplier;

 import javax.servlet.DispatcherType;
 import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;

 import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;

+import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.access.AccessDeniedException;
@@ -40,6 +44,7 @@ import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.util.WebUtils;

 import static org.assertj.core.api.Assertions.assertThat;
@@ -50,6 +55,7 @@ import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;

@@ -60,6 +66,24 @@ import static org.mockito.Mockito.verifyNoInteractions;
 */
 public class AuthorizationFilterTests {

+	private static final String ALREADY_FILTERED_ATTRIBUTE_NAME = "org.springframework.security.web.access.intercept.AuthorizationFilter.APPLIED";
+
+	private AuthorizationFilter filter;
+
+	private AuthorizationManager<HttpServletRequest> authorizationManager;
+
+	private MockHttpServletRequest request = new MockHttpServletRequest();
+
+	private final MockHttpServletResponse response = new MockHttpServletResponse();
+
+	private final FilterChain chain = new MockFilterChain();
+
+	@BeforeEach
+	public void setup() {
+		this.authorizationManager = mock(AuthorizationManager.class);
+		this.filter = new AuthorizationFilter(this.authorizationManager);
+	}
+
 	@AfterEach
 	public void tearDown() {
 		SecurityContextHolder.clearContext();
@@ -199,37 +223,101 @@ public class AuthorizationFilterTests {
 	}

 	@Test
-	public void doFilterNestedErrorDispatchWhenAuthorizationManagerThenUses() throws Exception {
-		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
-		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
-		authorizationFilter.setShouldFilterAllDispatcherTypes(true);
-		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
-		mockRequest.setDispatcherType(DispatcherType.ERROR);
-		mockRequest.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error");
-		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
-		FilterChain mockFilterChain = mock(FilterChain.class);
-
-		authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
-		verify(authorizationManager).check(any(Supplier.class), any(HttpServletRequest.class));
+	public void doFilterWhenObserveOncePerRequestTrueAndIsAppliedThenNotInvoked() throws ServletException, IOException {
+		setIsAppliedTrue();
+		this.filter.setObserveOncePerRequest(true);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verifyNoInteractions(this.authorizationManager);
 	}

 	@Test
-	public void doFilterNestedErrorDispatchWhenAuthorizationEventPublisherThenUses() throws Exception {
-		AuthorizationFilter authorizationFilter = new AuthorizationFilter(
-				AuthenticatedAuthorizationManager.authenticated());
-		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
-		MockHttpServletResponse mockResponse = new MockHttpServletResponse();
-		FilterChain mockFilterChain = mock(FilterChain.class);
+	public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException {
+		this.filter.setObserveOncePerRequest(true);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.authorizationManager).check(any(), any());
+	}

-		SecurityContext securityContext = new SecurityContextImpl();
-		securityContext.setAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"));
-		SecurityContextHolder.setContext(securityContext);
+	@Test
+	public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() throws ServletException, IOException {
+		setIsAppliedTrue();
+		this.filter.setObserveOncePerRequest(false);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.authorizationManager).check(any(), any());
+	}

-		AuthorizationEventPublisher eventPublisher = mock(AuthorizationEventPublisher.class);
-		authorizationFilter.setAuthorizationEventPublisher(eventPublisher);
-		authorizationFilter.doFilterNestedErrorDispatch(mockRequest, mockResponse, mockFilterChain);
-		verify(eventPublisher).publishAuthorizationEvent(any(Supplier.class), any(HttpServletRequest.class),
-				any(AuthorizationDecision.class));
+	@Test
+	public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException {
+		this.filter.setObserveOncePerRequest(false);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.authorizationManager).check(any(), any());
+	}
+
+	@Test
+	public void doFilterWhenFilterErrorDispatchFalseAndIsErrorThenNotInvoked() throws ServletException, IOException {
+		this.request.setDispatcherType(DispatcherType.ERROR);
+		this.filter.setFilterErrorDispatch(false);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verifyNoInteractions(this.authorizationManager);
+	}
+
+	@Test
+	public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws ServletException, IOException {
+		this.request.setDispatcherType(DispatcherType.ERROR);
+		this.filter.setFilterErrorDispatch(true);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.authorizationManager).check(any(), any());
+	}
+
+	@Test
+	public void doFilterWhenFilterThenSetAlreadyFilteredAttribute() throws ServletException, IOException {
+		this.request = mock(MockHttpServletRequest.class);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.request).setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
+	}
+
+	@Test
+	public void doFilterWhenFilterThenRemoveAlreadyFilteredAttribute() throws ServletException, IOException {
+		this.request = spy(MockHttpServletRequest.class);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.request).setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
+		assertThat(this.request.getAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME)).isNull();
+	}
+
+	@Test
+	public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws ServletException, IOException {
+		this.request.setDispatcherType(DispatcherType.ASYNC);
+		this.filter.setFilterAsyncDispatch(true);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verify(this.authorizationManager).check(any(), any());
+	}
+
+	@Test
+	public void doFilterWhenFilterAsyncDispatchFalseAndIsAsyncThenNotInvoked() throws ServletException, IOException {
+		this.request.setDispatcherType(DispatcherType.ASYNC);
+		this.filter.setFilterAsyncDispatch(false);
+		this.filter.doFilter(this.request, this.response, this.chain);
+		verifyNoInteractions(this.authorizationManager);
+	}
+
+	@Test
+	public void filterWhenFilterErrorDispatchDefaultThenFalse() {
+		Boolean filterErrorDispatch = (Boolean) ReflectionTestUtils.getField(this.filter, "filterErrorDispatch");
+		assertThat(filterErrorDispatch).isFalse();
+	}
+
+	@Test
+	public void filterWhenFilterAsyncDispatchDefaultThenFalse() {
+		Boolean filterAsyncDispatch = (Boolean) ReflectionTestUtils.getField(this.filter, "filterAsyncDispatch");
+		assertThat(filterAsyncDispatch).isFalse();
+	}
+
+	@Test
+	public void filterWhenObserveOncePerRequestDefaultThenTrue() {
+		assertThat(this.filter.isObserveOncePerRequest()).isTrue();
+	}
+
+	private void setIsAppliedTrue() {
+		this.request.setAttribute(ALREADY_FILTERED_ATTRIBUTE_NAME, Boolean.TRUE);
 	}

 }