
RequestMatcherDelegatingAuthorizationManager defaults to deny

Closes gh-11958
Joe Grandja
2022-10-13 07:16:29 -04:00
parent d0653afec3
commit 753e113a13
51 changed files with 126 additions and 67 deletions
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -44,6 +44,8 @@ import org.springframework.util.Assert;
*/
public final class RequestMatcherDelegatingAuthorizationManager implements AuthorizationManager<HttpServletRequest> {
private static final AuthorizationDecision DENY = new AuthorizationDecision(false);
private final Log logger = LogFactory.getLog(getClass());
private final List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings;
@@ -81,8 +83,10 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
new RequestAuthorizationContext(request, matchResult.getVariables()));
}
}
this.logger.trace("Abstaining since did not find matching RequestMatcher");
return null;
if (this.logger.isTraceEnabled()) {
this.logger.trace(LogMessage.of(() -> "Denying request since did not find matching RequestMatcher"));
}
return DENY;
}
/**
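Review bot: The new `return DENY;` covers only the case where no RequestMatcher matches; the matched branch, whose tail is visible at the top of this hunk, appears to return the delegate's result unchanged, so a delegate that returns null would still produce an abstain. If callers treat a null decision as "not denied", the default-deny in the commit title holds only for unmapped requests, and that limit should be stated where the decision is made. I would add a comment above the final return such as `// Default deny applies to unmatched requests only; a matched delegate's null result is returned as-is.` and have the method Javadoc say that unmatched requests are denied rather than abstained on. The body of check() starts outside the hunk, so the matched branch should be confirmed against the full file.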
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -67,8 +67,7 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
public void checkWhenMultipleMappingsConfiguredThenDelegatesMatchingManager() {
RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
.add(new MvcRequestMatcher(null, "/grant"), (a, o) -> new AuthorizationDecision(true))
.add(new MvcRequestMatcher(null, "/deny"), (a, o) -> new AuthorizationDecision(false))
.add(new MvcRequestMatcher(null, "/neutral"), (a, o) -> null).build();
.add(new MvcRequestMatcher(null, "/deny"), (a, o) -> new AuthorizationDecision(false)).build();
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
@@ -80,11 +79,10 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
assertThat(deny).isNotNull();
assertThat(deny.isGranted()).isFalse();
AuthorizationDecision neutral = manager.check(authentication, new MockHttpServletRequest(null, "/neutral"));
assertThat(neutral).isNull();
AuthorizationDecision abstain = manager.check(authentication, new MockHttpServletRequest(null, "/abstain"));
assertThat(abstain).isNull();
AuthorizationDecision defaultDeny = manager.check(authentication,
new MockHttpServletRequest(null, "/unmapped"));
assertThat(defaultDeny).isNotNull();
assertThat(defaultDeny.isGranted()).isFalse();
}
@Test
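Review bot: The default-deny assertion for `/unmapped` is added inside `checkWhenMultipleMappingsConfiguredThenDelegatesMatchingManager`, whose name describes delegation, so the security-relevant contract cannot be seen from the test name. A dedicated test, for example `checkWhenNoMappingMatchesThenDenies`, would make a regression to abstain-on-no-match fail under a name that says what broke. The `/neutral` mapping and its `isNull()` assertion are dropped without a replacement, which leaves the null-returning-delegate path unpinned in the visible lines; keeping that case would record whether null is still expected there. The test method spans two hunks, and the lines between them are not shown.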