Compare commits
128 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 51c06a53fa | |||
| 1528c421bd | |||
| 0e257b56ce | |||
| bf77213db2 | |||
| ee5e11a294 | |||
| 29e8c8e6db | |||
| dbff977b86 | |||
| a504b2f125 | |||
| 52438b4973 | |||
| 028dd4541c | |||
| adf1755064 | |||
| ac15554cd1 | |||
| c66ee4a21a | |||
| 517ea7f42a | |||
| ea3cc42f0b | |||
| e8addfb0cc | |||
| 018789a262 | |||
| beecb2e06b | |||
| 6889a6fca2 | |||
| 49e39144d7 | |||
| 0ee0e35b99 | |||
| f082494e1b | |||
| b0a988644f | |||
| fe79766aa2 | |||
| ef70561ac9 | |||
| 7570c19bb9 | |||
| 9d1a094c34 | |||
| 17b5ebd3b1 | |||
| 48af71ae5e | |||
| 8e5d8d9bd5 | |||
| 1e6ac83dfb | |||
| e8876fa195 | |||
| 73ee0cf7ec | |||
| 746464e035 | |||
| c1857c0308 | |||
| 690e012fb1 | |||
| b49051a1e6 | |||
| f7b85ed314 | |||
| 426e089bf8 | |||
| 3ac89080ee | |||
| 8b63817f02 | |||
| 083d02c9dd | |||
| 95cee40224 | |||
| fb5d6a9add | |||
| bcf0a7f55d | |||
| 755e9f2f69 | |||
| 7fec535718 | |||
| 1a97d07079 | |||
| 551c483ee6 | |||
| 7b7a3044cf | |||
| 8a791028b1 | |||
| dfce3a280d | |||
| 1a0203ecf6 | |||
| 750ab53d35 | |||
| c4ce3f61fd | |||
| e7c486b3f8 | |||
| 8a48c6903a | |||
| f734d79da7 | |||
| a939c100fc | |||
| 1782f17e7f | |||
| 0a4eb0f09a | |||
| 1189216f10 | |||
| f3061d9c1a | |||
| 51d0a8b57d | |||
| e86dac8a64 | |||
| 3c5fdf901e | |||
| b9f051d15b | |||
| df80170dac | |||
| 44afdcec64 | |||
| 9316208986 | |||
| aeae740926 | |||
| a268b78473 | |||
| 6139f0986e | |||
| b2c0cc3809 | |||
| a0e6c17512 | |||
| 04e31043b7 | |||
| e73e65677e | |||
| e251779b31 | |||
| 8834cc8881 | |||
| 8a5b198e5a | |||
| 51b0f1058b | |||
| 5c20505b0e | |||
| 820e3f5750 | |||
| c44eed0d15 | |||
| f4ac42e7fe | |||
| 7ad6f38d5b | |||
| ff41521e1e | |||
| b22061d0b6 | |||
| 97cefa6830 | |||
| f836efb912 | |||
| 25ddc2acfc | |||
| 69231c5853 | |||
| 279cb89eac | |||
| 2ba9b6821a | |||
| f372f5cf52 | |||
| 6ea33ceaea | |||
| 47723f6d39 | |||
| 2041d30201 | |||
| 5c84d505d9 | |||
| c3a5cf54d4 | |||
| d134b0a4f4 | |||
| a3b88a8d4b | |||
| 4c0d969f1f | |||
| 3ee5a96e53 | |||
| 5c604b95fb | |||
| 9791801bc6 | |||
| c06543daf3 | |||
| e92a945a2d | |||
| a203ab9651 | |||
| fc01ebb995 | |||
| fb054198af | |||
| 035f86bdb3 | |||
| 92809cef01 | |||
| 7e372c780d | |||
| 868c07af72 | |||
| a68851fca3 | |||
| bf2c1a5979 | |||
| 439b797eb8 | |||
| 0cab7c8f15 | |||
| 8272640c7c | |||
| f4585d8e4a | |||
| 300c8d7913 | |||
| 83eceea58f | |||
| 25450f87fa | |||
| 097c927d8d | |||
| 38093090c2 | |||
| 0115e8aea1 | |||
| 182cbbbbb7 |
@@ -113,20 +113,13 @@ jobs:
|
||||
artifact-path: org/springframework/security/spring-security-core
|
||||
slack-announcing-id: spring-security-announcing
|
||||
secrets: inherit
|
||||
notify_result:
|
||||
name: Check for failures
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ perform-release ]
|
||||
if: failure()
|
||||
if: ${{ failure() || cancelled() }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
steps:
|
||||
- name: Send Slack message
|
||||
# Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed
|
||||
# See https://github.com/Gamesight/slack-workflow-status/issues/38
|
||||
uses: sjohnr/slack-workflow-status@v1-beta
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
|
||||
@@ -22,10 +22,9 @@ jobs:
|
||||
- name: Find PRs
|
||||
id: find_duplicates
|
||||
env:
|
||||
DEPENDENCY_NAME: ${{ steps.extract.outputs.dependency_name }}
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "$DEPENDENCY_NAME"' --json number --jq 'map(.number) | join(",")')
|
||||
PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "${{ steps.extract.outputs.dependency_name }}"' --json number --jq 'map(.number) | join(",")')
|
||||
echo "prs=$PRS" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Label Duplicate PRs
|
||||
|
||||
@@ -8,6 +8,7 @@ permissions: write-all
|
||||
|
||||
jobs:
|
||||
merge-dependabot-pr:
|
||||
name: Merge Dependabot PR
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
|
||||
steps:
|
||||
@@ -50,3 +51,13 @@ jobs:
|
||||
run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ merge-dependabot-pr ]
|
||||
if: ${{ failure() || cancelled() }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
|
||||
@@ -23,18 +23,13 @@ jobs:
|
||||
export TOOL_VERSION=0.1.1
|
||||
wget "https://repo.maven.apache.org/maven2/io/spring/releasetrain/spring-release-train-tools/$TOOL_VERSION/spring-release-train-tools-$TOOL_VERSION.jar"
|
||||
java -cp "spring-release-train-tools-$TOOL_VERSION.jar" io.spring.releasetrain.CheckMilestoneDueOnMain --dueOn "$DUE_ON" --expectedDayOfWeek MONDAY --expectedMondayCount 3
|
||||
notify_result:
|
||||
name: Check for failures
|
||||
needs: [spring-releasetrain-checks]
|
||||
if: failure()
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ spring-releasetrain-checks ]
|
||||
if: ${{ failure() || cancelled() }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
steps:
|
||||
- name: Send Slack message
|
||||
uses: Gamesight/slack-workflow-status@v1.3.0
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
|
||||
@@ -42,3 +42,13 @@ jobs:
|
||||
name: docs
|
||||
path: docs/build/site
|
||||
overwrite: true
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ build, generate-docs ]
|
||||
if: ${{ failure() && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
|
||||
@@ -11,3 +11,13 @@ jobs:
|
||||
name: Update Scheduled Release Version
|
||||
uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@v1
|
||||
secrets: inherit
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ update-scheduled-release-version ]
|
||||
if: ${{ failure() || cancelled() }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
@@ -63,6 +63,7 @@ class EclipsePlugin implements Plugin<Project> {
|
||||
// test sources. Relax those from error to warning
|
||||
properties['org.eclipse.jdt.core.circularClasspath'] = 'warning'
|
||||
properties['org.eclipse.jdt.core.incompleteClasspath'] = 'warning'
|
||||
properties['org.eclipse.jdt.core.compiler.codegen.methodParameters'] = 'generate'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+52
-22
@@ -16,15 +16,23 @@
|
||||
|
||||
package org.springframework.security;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
import org.gradle.api.DefaultTask;
|
||||
import org.gradle.api.Plugin;
|
||||
import org.gradle.api.Project;
|
||||
import org.gradle.api.Task;
|
||||
import org.gradle.api.file.RegularFileProperty;
|
||||
import org.gradle.api.plugins.JavaBasePlugin;
|
||||
import org.gradle.api.provider.Property;
|
||||
import org.gradle.api.tasks.CacheableTask;
|
||||
import org.gradle.api.tasks.Input;
|
||||
import org.gradle.api.tasks.OutputFile;
|
||||
import org.gradle.api.tasks.TaskAction;
|
||||
import org.gradle.api.tasks.TaskExecutionException;
|
||||
import org.gradle.api.tasks.TaskProvider;
|
||||
import org.gradle.api.tasks.VerificationException;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
|
||||
/**
|
||||
* @author Marcus da Coregio
|
||||
@@ -36,38 +44,60 @@ public class CheckExpectedBranchVersionPlugin implements Plugin<Project> {
|
||||
TaskProvider<CheckExpectedBranchVersionTask> checkExpectedBranchVersionTask = project.getTasks().register("checkExpectedBranchVersion", CheckExpectedBranchVersionTask.class, (task) -> {
|
||||
task.setGroup("Build");
|
||||
task.setDescription("Check if the project version matches the branch version");
|
||||
task.onlyIf("skipCheckExpectedBranchVersion property is false or not present", CheckExpectedBranchVersionPlugin::skipPropertyFalseOrNotPresent);
|
||||
task.getVersion().convention(project.provider(() -> project.getVersion().toString()));
|
||||
task.getBranchName().convention(project.getProviders().exec(execSpec -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
|
||||
task.getOutputFile().convention(project.getLayout().getBuildDirectory().file("check-expected-branch-version"));
|
||||
});
|
||||
project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(checkExpectedBranchVersionTask));
|
||||
}
|
||||
|
||||
public static class CheckExpectedBranchVersionTask extends DefaultTask {
|
||||
private static boolean skipPropertyFalseOrNotPresent(Task task) {
|
||||
return task.getProject()
|
||||
.getProviders()
|
||||
.gradleProperty("skipCheckExpectedBranchVersion")
|
||||
.orElse("false")
|
||||
.map("false"::equalsIgnoreCase)
|
||||
.get();
|
||||
}
|
||||
|
||||
@CacheableTask
|
||||
public static abstract class CheckExpectedBranchVersionTask extends DefaultTask {
|
||||
|
||||
@Input
|
||||
abstract Property<String> getVersion();
|
||||
|
||||
@Input
|
||||
abstract Property<String> getBranchName();
|
||||
|
||||
@OutputFile
|
||||
abstract RegularFileProperty getOutputFile();
|
||||
|
||||
@TaskAction
|
||||
public void run() throws IOException {
|
||||
Project project = getProject();
|
||||
if (project.hasProperty("skipCheckExpectedBranchVersion")) {
|
||||
return;
|
||||
}
|
||||
String version = (String) project.getVersion();
|
||||
String branchVersion = getBranchVersion(project);
|
||||
public void run() {
|
||||
String version = getVersion().get();
|
||||
String branchVersion = getBranchName().map(String::trim).get();
|
||||
if (!branchVersion.matches("^[0-9]+\\.[0-9]+\\.x$")) {
|
||||
System.out.println("Branch version does not match *.x, ignoring");
|
||||
String msg = String.format("Branch version [%s] does not match *.x, ignoring", branchVersion);
|
||||
getLogger().warn(msg);
|
||||
writeExpectedVersionOutput(msg);
|
||||
return;
|
||||
}
|
||||
if (!versionsMatch(version, branchVersion)) {
|
||||
throw new IllegalStateException(String.format("Project version [%s] does not match branch version [%s]. " +
|
||||
"Please verify that the branch contains the right version.", version, branchVersion));
|
||||
String msg = String.format("Project version [%s] does not match branch version [%s]. " +
|
||||
"Please verify that the branch contains the right version.", version, branchVersion);
|
||||
writeExpectedVersionOutput(msg);
|
||||
throw new VerificationException(msg);
|
||||
}
|
||||
|
||||
writeExpectedVersionOutput(version);
|
||||
}
|
||||
|
||||
private static String getBranchVersion(Project project) throws IOException {
|
||||
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
|
||||
project.exec((exec) -> {
|
||||
exec.commandLine("git", "symbolic-ref", "--short", "HEAD");
|
||||
exec.setErrorOutput(System.err);
|
||||
exec.setStandardOutput(baos);
|
||||
});
|
||||
return baos.toString();
|
||||
private void writeExpectedVersionOutput(String fileContent) {
|
||||
try {
|
||||
Files.writeString(getOutputFile().get().getAsFile().toPath(), fileContent);
|
||||
} catch (IOException e) {
|
||||
throw new TaskExecutionException(this, e);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+51
-22
@@ -19,52 +19,81 @@ package org.springframework.security.convention.versions;
|
||||
import org.gradle.api.DefaultTask;
|
||||
import org.gradle.api.Plugin;
|
||||
import org.gradle.api.Project;
|
||||
import org.gradle.api.artifacts.Dependency;
|
||||
import org.gradle.api.artifacts.MinimalExternalModuleDependency;
|
||||
import org.gradle.api.artifacts.VersionCatalog;
|
||||
import org.gradle.api.artifacts.VersionCatalogsExtension;
|
||||
import org.gradle.api.file.RegularFile;
|
||||
import org.gradle.api.file.RegularFileProperty;
|
||||
import org.gradle.api.plugins.JavaBasePlugin;
|
||||
import org.gradle.api.provider.Property;
|
||||
import org.gradle.api.provider.Provider;
|
||||
import org.gradle.api.tasks.CacheableTask;
|
||||
import org.gradle.api.tasks.Input;
|
||||
import org.gradle.api.tasks.OutputFile;
|
||||
import org.gradle.api.tasks.TaskAction;
|
||||
import org.gradle.api.tasks.TaskExecutionException;
|
||||
import org.gradle.api.tasks.TaskProvider;
|
||||
import org.gradle.api.tasks.VerificationException;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.util.Optional;
|
||||
|
||||
public class VerifyDependenciesVersionsPlugin implements Plugin<Project> {
|
||||
|
||||
@Override
|
||||
public void apply(Project project) {
|
||||
VersionCatalog versionCatalog = project.getExtensions().getByType(VersionCatalogsExtension.class).named("libs");
|
||||
Optional<Provider<MinimalExternalModuleDependency>> oauth2OidcSdk = versionCatalog.findLibrary("com-nimbusds-oauth2-oidc-sdk");
|
||||
Optional<Provider<MinimalExternalModuleDependency>> nimbusJoseJwt = versionCatalog.findLibrary("com-nimbusds-nimbus-jose-jwt");
|
||||
|
||||
if (oauth2OidcSdk.isEmpty()) {
|
||||
throw new VerificationException("Library [com-nimbusds-oauth2-oidc-sdk] does not exist in the version catalog named libs.");
|
||||
}
|
||||
|
||||
if (nimbusJoseJwt.isEmpty()) {
|
||||
throw new VerificationException("Library [com-nimbusds-nimbus-jose-jwt] does not exist in the version catalog named libs.");
|
||||
}
|
||||
|
||||
TaskProvider<VerifyDependenciesVersionsTask> verifyDependenciesVersionsTaskProvider = project.getTasks().register("verifyDependenciesVersions", VerifyDependenciesVersionsTask.class, (task) -> {
|
||||
task.setGroup("Verification");
|
||||
task.setDescription("Verify that specific dependencies are using the same version");
|
||||
VersionCatalog versionCatalog = project.getExtensions().getByType(VersionCatalogsExtension.class).named("libs");
|
||||
MinimalExternalModuleDependency oauth2OidcSdk = versionCatalog.findLibrary("com-nimbusds-oauth2-oidc-sdk").get().get();
|
||||
MinimalExternalModuleDependency nimbusJoseJwt = versionCatalog.findLibrary("com-nimbusds-nimbus-jose-jwt").get().get();
|
||||
task.setOauth2OidcSdkVersion(oauth2OidcSdk.getVersion());
|
||||
task.setExpectedNimbusJoseJwtVersion(nimbusJoseJwt.getVersion());
|
||||
task.getOauth2OidcSdkVersion().convention(oauth2OidcSdk.get().map(Dependency::getVersion));
|
||||
task.getExpectedNimbusJoseJwtVersion().convention(nimbusJoseJwt.get().map(Dependency::getVersion));
|
||||
task.getOutputFile().convention(project.getLayout().getBuildDirectory().file("verify-dependencies-versions"));
|
||||
});
|
||||
project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(verifyDependenciesVersionsTaskProvider));
|
||||
}
|
||||
|
||||
public static class VerifyDependenciesVersionsTask extends DefaultTask {
|
||||
@CacheableTask
|
||||
public abstract static class VerifyDependenciesVersionsTask extends DefaultTask {
|
||||
|
||||
private String oauth2OidcSdkVersion;
|
||||
@Input
|
||||
abstract Property<String> getOauth2OidcSdkVersion();
|
||||
|
||||
private String expectedNimbusJoseJwtVersion;
|
||||
@Input
|
||||
abstract Property<String> getExpectedNimbusJoseJwtVersion();
|
||||
|
||||
public void setOauth2OidcSdkVersion(String oauth2OidcSdkVersion) {
|
||||
this.oauth2OidcSdkVersion = oauth2OidcSdkVersion;
|
||||
}
|
||||
|
||||
public void setExpectedNimbusJoseJwtVersion(String expectedNimbusJoseJwtVersion) {
|
||||
this.expectedNimbusJoseJwtVersion = expectedNimbusJoseJwtVersion;
|
||||
}
|
||||
@OutputFile
|
||||
abstract RegularFileProperty getOutputFile();
|
||||
|
||||
@TaskAction
|
||||
public void verify() {
|
||||
String transitiveNimbusJoseJwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(this.oauth2OidcSdkVersion);
|
||||
if (!transitiveNimbusJoseJwtVersion.equals(this.expectedNimbusJoseJwtVersion)) {
|
||||
String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, but the project contains a different version of nimbus-jose-jwt [%s]. Please align the versions.", transitiveNimbusJoseJwtVersion, this.oauth2OidcSdkVersion, this.expectedNimbusJoseJwtVersion);
|
||||
throw new IllegalStateException(message);
|
||||
public void verify() {
|
||||
String oauth2OidcSdkVersion = this.getOauth2OidcSdkVersion().get();
|
||||
String transitiveNimbusJoseJwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(oauth2OidcSdkVersion);
|
||||
String expectedNimbusJoseJwtVersion = this.getExpectedNimbusJoseJwtVersion().get();
|
||||
if (!transitiveNimbusJoseJwtVersion.equals(expectedNimbusJoseJwtVersion)) {
|
||||
String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, but the project contains a different version of nimbus-jose-jwt [%s]. Please align the versions.", transitiveNimbusJoseJwtVersion, oauth2OidcSdkVersion, expectedNimbusJoseJwtVersion);
|
||||
throw new VerificationException(message);
|
||||
}
|
||||
String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, the project contains expected version of nimbus-jose-jwt [%s]. Verified all versions align.", transitiveNimbusJoseJwtVersion, oauth2OidcSdkVersion, expectedNimbusJoseJwtVersion);
|
||||
try {
|
||||
Files.writeString(getOutputFile().get().getAsFile().toPath(), message);
|
||||
} catch (IOException e) {
|
||||
throw new TaskExecutionException(this, e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+1
-1
@@ -94,7 +94,7 @@ class InitializeAuthenticationProviderBeanManagerConfigurer extends GlobalAuthen
|
||||
String[] beanNames = InitializeAuthenticationProviderBeanManagerConfigurer.this.context
|
||||
.getBeanNamesForType(type);
|
||||
for (String beanName : beanNames) {
|
||||
T bean = InitializeAuthenticationProviderBeanManagerConfigurer.this.context.getBean(beanNames[0], type);
|
||||
T bean = InitializeAuthenticationProviderBeanManagerConfigurer.this.context.getBean(beanName, type);
|
||||
beanWithNames.add(new BeanWithName<T>(bean, beanName));
|
||||
}
|
||||
return beanWithNames;
|
||||
|
||||
+1
-1
@@ -135,7 +135,7 @@ class InitializeUserDetailsBeanManagerConfigurer extends GlobalAuthenticationCon
|
||||
List<BeanWithName<T>> beanWithNames = new ArrayList<>();
|
||||
String[] beanNames = InitializeUserDetailsBeanManagerConfigurer.this.context.getBeanNamesForType(type);
|
||||
for (String beanName : beanNames) {
|
||||
T bean = InitializeUserDetailsBeanManagerConfigurer.this.context.getBean(beanNames[0], type);
|
||||
T bean = InitializeUserDetailsBeanManagerConfigurer.this.context.getBean(beanName, type);
|
||||
beanWithNames.add(new BeanWithName<T>(bean, beanName));
|
||||
}
|
||||
return beanWithNames;
|
||||
|
||||
+2
-1
@@ -509,7 +509,8 @@ public abstract class AbstractRequestMatcherRegistry<C> {
|
||||
public boolean matches(HttpServletRequest request) {
|
||||
String name = request.getHttpServletMapping().getServletName();
|
||||
ServletRegistration registration = this.servletContext.getServletRegistration(name);
|
||||
Assert.notNull(registration, computeErrorMessage(this.servletContext.getServletRegistrations().values()));
|
||||
Assert.notNull(registration,
|
||||
() -> computeErrorMessage(this.servletContext.getServletRegistrations().values()));
|
||||
try {
|
||||
Class<?> clazz = Class.forName(registration.getClassName());
|
||||
return DispatcherServlet.class.isAssignableFrom(clazz);
|
||||
|
||||
+5
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -30,6 +30,7 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
|
||||
import org.springframework.security.oauth2.jwt.Jwt;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* A {@link OAuth2TokenValidator} that validates OIDC Logout Token claims in conformance
|
||||
@@ -57,7 +58,9 @@ final class OidcBackChannelLogoutTokenValidator implements OAuth2TokenValidator<
|
||||
|
||||
OidcBackChannelLogoutTokenValidator(ClientRegistration clientRegistration) {
|
||||
this.audience = clientRegistration.getClientId();
|
||||
this.issuer = clientRegistration.getProviderDetails().getIssuerUri();
|
||||
String issuer = clientRegistration.getProviderDetails().getIssuerUri();
|
||||
Assert.hasText(issuer, "Provider issuer cannot be null");
|
||||
this.issuer = issuer;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
+5
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -30,6 +30,7 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
|
||||
import org.springframework.security.oauth2.jwt.Jwt;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* A {@link OAuth2TokenValidator} that validates OIDC Logout Token claims in conformance
|
||||
@@ -57,7 +58,9 @@ final class OidcBackChannelLogoutTokenValidator implements OAuth2TokenValidator<
|
||||
|
||||
OidcBackChannelLogoutTokenValidator(ClientRegistration clientRegistration) {
|
||||
this.audience = clientRegistration.getClientId();
|
||||
this.issuer = clientRegistration.getProviderDetails().getIssuerUri();
|
||||
String issuer = clientRegistration.getProviderDetails().getIssuerUri();
|
||||
Assert.hasText(issuer, "Provider issuer cannot be null");
|
||||
this.issuer = issuer;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
+57
@@ -101,6 +101,8 @@ import static org.mockito.Mockito.atLeastOnce;
|
||||
import static org.mockito.Mockito.clearInvocations;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.spy;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
@@ -984,6 +986,27 @@ public class PrePostMethodSecurityConfigurationTests {
|
||||
"postFilterAuthorizationMethodInterceptor", "authorizeReturnObjectMethodInterceptor");
|
||||
}
|
||||
|
||||
// gh-15651
|
||||
@Test
|
||||
@WithMockUser(roles = "ADMIN")
|
||||
public void adviseWhenPrePostEnabledThenEachInterceptorRunsExactlyOnce() {
|
||||
this.spring.register(MethodSecurityServiceConfig.class, CustomMethodSecurityExpressionHandlerConfig.class)
|
||||
.autowire();
|
||||
MethodSecurityExpressionHandler expressionHandler = this.spring.getContext()
|
||||
.getBean(MethodSecurityExpressionHandler.class);
|
||||
this.methodSecurityService.manyAnnotations(new ArrayList<>(Arrays.asList("harold", "jonathan", "tim", "bo")));
|
||||
verify(expressionHandler, times(4)).createEvaluationContext(any(Supplier.class), any());
|
||||
}
|
||||
|
||||
// gh-15721
|
||||
@Test
|
||||
@WithMockUser(roles = "uid")
|
||||
public void methodWhenMetaAnnotationPropertiesHasClassProperties() {
|
||||
this.spring.register(MetaAnnotationPlaceholderConfig.class).autowire();
|
||||
MetaAnnotationService service = this.spring.getContext().getBean(MetaAnnotationService.class);
|
||||
assertThat(service.getIdPath("uid")).isEqualTo("uid");
|
||||
}
|
||||
|
||||
private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
|
||||
return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
|
||||
}
|
||||
@@ -1079,6 +1102,19 @@ public class PrePostMethodSecurityConfigurationTests {
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableMethodSecurity
|
||||
static class CustomMethodSecurityExpressionHandlerConfig {
|
||||
|
||||
private final MethodSecurityExpressionHandler expressionHandler = spy(
|
||||
new DefaultMethodSecurityExpressionHandler());
|
||||
|
||||
@Bean
|
||||
MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
|
||||
return this.expressionHandler;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@EnableMethodSecurity
|
||||
static class CustomPermissionEvaluatorConfig {
|
||||
|
||||
@@ -1349,6 +1385,27 @@ public class PrePostMethodSecurityConfigurationTests {
|
||||
return list;
|
||||
}
|
||||
|
||||
@RestrictedAccess(entityClass = EntityClass.class)
|
||||
String getIdPath(String id) {
|
||||
return id;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@PreAuthorize("hasRole({idPath})")
|
||||
@interface RestrictedAccess {
|
||||
|
||||
String idPath() default "#id";
|
||||
|
||||
Class<?> entityClass();
|
||||
|
||||
String[] recipes() default {};
|
||||
|
||||
}
|
||||
|
||||
static class EntityClass {
|
||||
|
||||
}
|
||||
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
|
||||
+1
-1
@@ -650,7 +650,7 @@ public class OAuth2LoginConfigurerTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void configureWhenOidcSessionStrategyThenUses() {
|
||||
public void configureWhenOidcSessionRegistryThenUses() {
|
||||
this.spring.register(OAuth2LoginWithOidcSessionRegistry.class).autowire();
|
||||
OidcSessionRegistry registry = this.spring.getContext().getBean(OidcSessionRegistry.class);
|
||||
this.spring.getContext().publishEvent(new HttpSessionDestroyedEvent(this.request.getSession()));
|
||||
|
||||
+77
-2
@@ -91,6 +91,7 @@ import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.willThrow;
|
||||
@@ -259,6 +260,22 @@ public class OidcLogoutConfigurerTests {
|
||||
verify(sessionRegistry).removeSessionInformation(any(OidcLogoutToken.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
void logoutWhenProviderIssuerMissingThenThrowIllegalArgumentException() throws Exception {
|
||||
this.spring.register(WebServerConfig.class, OidcProviderConfig.class, ProviderIssuerMissingConfig.class)
|
||||
.autowire();
|
||||
String registrationId = this.clientRegistration.getRegistrationId();
|
||||
MockHttpSession session = login();
|
||||
String logoutToken = this.mvc.perform(get("/token/logout").session(session))
|
||||
.andExpect(status().isOk())
|
||||
.andReturn()
|
||||
.getResponse()
|
||||
.getContentAsString();
|
||||
assertThatIllegalArgumentException().isThrownBy(
|
||||
() -> this.mvc.perform(post(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
|
||||
.param("logout_token", logoutToken)));
|
||||
}
|
||||
|
||||
private MockHttpSession login() throws Exception {
|
||||
MockMvcDispatcher dispatcher = (MockMvcDispatcher) this.web.getDispatcher();
|
||||
this.mvc.perform(get("/token/logout")).andExpect(status().isUnauthorized());
|
||||
@@ -410,6 +427,54 @@ public class OidcLogoutConfigurerTests {
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class ProviderIssuerMissingRegistrationConfig {
|
||||
|
||||
@Autowired(required = false)
|
||||
MockWebServer web;
|
||||
|
||||
@Bean
|
||||
ClientRegistration clientRegistration() {
|
||||
if (this.web == null) {
|
||||
return TestClientRegistrations.clientRegistration().issuerUri(null).build();
|
||||
}
|
||||
String issuer = this.web.url("/").toString();
|
||||
return TestClientRegistrations.clientRegistration()
|
||||
.issuerUri(null)
|
||||
.jwkSetUri(issuer + "jwks")
|
||||
.tokenUri(issuer + "token")
|
||||
.userInfoUri(issuer + "user")
|
||||
.scope("openid")
|
||||
.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
ClientRegistrationRepository clientRegistrationRepository(ClientRegistration clientRegistration) {
|
||||
return new InMemoryClientRegistrationRepository(clientRegistration);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@Import(ProviderIssuerMissingRegistrationConfig.class)
|
||||
static class ProviderIssuerMissingConfig {
|
||||
|
||||
@Bean
|
||||
@Order(1)
|
||||
SecurityFilterChain filters(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
|
||||
.oauth2Login(Customizer.withDefaults())
|
||||
.oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()));
|
||||
// @formatter:on
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableWebMvc
|
||||
@@ -448,6 +513,9 @@ public class OidcLogoutConfigurerTests {
|
||||
@Autowired
|
||||
ClientRegistration registration;
|
||||
|
||||
@Autowired(required = false)
|
||||
MockWebServer web;
|
||||
|
||||
@Bean
|
||||
@Order(0)
|
||||
SecurityFilterChain authorizationServer(HttpSecurity http, ClientRegistration registration) throws Exception {
|
||||
@@ -484,7 +552,7 @@ public class OidcLogoutConfigurerTests {
|
||||
HttpSession session = request.getSession();
|
||||
JwtEncoderParameters parameters = JwtEncoderParameters
|
||||
.from(JwtClaimsSet.builder().id("id").subject(this.username)
|
||||
.issuer(this.registration.getProviderDetails().getIssuerUri()).issuedAt(Instant.now())
|
||||
.issuer(getIssuerUri()).issuedAt(Instant.now())
|
||||
.expiresAt(Instant.now().plusSeconds(86400)).claim("scope", "openid").build());
|
||||
String token = this.encoder.encode(parameters).getTokenValue();
|
||||
return new OIDCTokens(idToken(session.getId()), new BearerAccessToken(token, 86400, new Scope("openid")), null)
|
||||
@@ -492,7 +560,7 @@ public class OidcLogoutConfigurerTests {
|
||||
}
|
||||
|
||||
String idToken(String sessionId) {
|
||||
OidcIdToken token = TestOidcIdTokens.idToken().issuer(this.registration.getProviderDetails().getIssuerUri())
|
||||
OidcIdToken token = TestOidcIdTokens.idToken().issuer(getIssuerUri())
|
||||
.subject(this.username).expiresAt(Instant.now().plusSeconds(86400))
|
||||
.audience(List.of(this.registration.getClientId())).nonce(this.nonce)
|
||||
.claim(LogoutTokenClaimNames.SID, sessionId).build();
|
||||
@@ -501,6 +569,13 @@ public class OidcLogoutConfigurerTests {
|
||||
return this.encoder.encode(parameters).getTokenValue();
|
||||
}
|
||||
|
||||
private String getIssuerUri() {
|
||||
if (this.web == null) {
|
||||
return TestClientRegistrations.clientRegistration().build().getProviderDetails().getIssuerUri();
|
||||
}
|
||||
return this.web.url("/").toString();
|
||||
}
|
||||
|
||||
@GetMapping("/user")
|
||||
Map<String, Object> userinfo() {
|
||||
return Map.of("sub", this.username, "id", this.username);
|
||||
|
||||
+84
-2
@@ -323,6 +323,30 @@ public class OidcLogoutSpecTests {
|
||||
verify(sessionRegistry, atLeastOnce()).removeSessionInformation(any(OidcLogoutToken.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
void logoutWhenProviderIssuerMissingThen5xxServerError() {
|
||||
this.spring.register(WebServerConfig.class, OidcProviderConfig.class, ProviderIssuerMissingConfig.class)
|
||||
.autowire();
|
||||
String registrationId = this.clientRegistration.getRegistrationId();
|
||||
String session = login();
|
||||
String logoutToken = this.test.mutateWith(session(session))
|
||||
.get()
|
||||
.uri("/token/logout")
|
||||
.exchange()
|
||||
.expectStatus()
|
||||
.isOk()
|
||||
.returnResult(String.class)
|
||||
.getResponseBody()
|
||||
.blockFirst();
|
||||
this.test.post()
|
||||
.uri(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
|
||||
.body(BodyInserters.fromFormData("logout_token", logoutToken))
|
||||
.exchange()
|
||||
.expectStatus()
|
||||
.is5xxServerError();
|
||||
this.test.mutateWith(session(session)).get().uri("/token/logout").exchange().expectStatus().isOk();
|
||||
}
|
||||
|
||||
private String login() {
|
||||
this.test.get().uri("/token/logout").exchange().expectStatus().isUnauthorized();
|
||||
String registrationId = this.clientRegistration.getRegistrationId();
|
||||
@@ -499,6 +523,54 @@ public class OidcLogoutSpecTests {
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
static class ProviderIssuerMissingRegistrationConfig {
|
||||
|
||||
@Autowired(required = false)
|
||||
MockWebServer web;
|
||||
|
||||
@Bean
|
||||
ClientRegistration clientRegistration() {
|
||||
if (this.web == null) {
|
||||
return TestClientRegistrations.clientRegistration().issuerUri(null).build();
|
||||
}
|
||||
String issuer = this.web.url("/").toString();
|
||||
return TestClientRegistrations.clientRegistration()
|
||||
.issuerUri(null)
|
||||
.jwkSetUri(issuer + "jwks")
|
||||
.tokenUri(issuer + "token")
|
||||
.userInfoUri(issuer + "user")
|
||||
.scope("openid")
|
||||
.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
ReactiveClientRegistrationRepository clientRegistrationRepository(ClientRegistration clientRegistration) {
|
||||
return new InMemoryReactiveClientRegistrationRepository(clientRegistration);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebFluxSecurity
|
||||
@Import(ProviderIssuerMissingRegistrationConfig.class)
|
||||
static class ProviderIssuerMissingConfig {
|
||||
|
||||
@Bean
|
||||
@Order(1)
|
||||
SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
|
||||
.oauth2Login(Customizer.withDefaults())
|
||||
.oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()));
|
||||
// @formatter:on
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebFluxSecurity
|
||||
@EnableWebFlux
|
||||
@@ -537,6 +609,9 @@ public class OidcLogoutSpecTests {
|
||||
@Autowired
|
||||
ClientRegistration registration;
|
||||
|
||||
@Autowired(required = false)
|
||||
MockWebServer web;
|
||||
|
||||
static ServerWebExchangeMatcher or(String... patterns) {
|
||||
List<ServerWebExchangeMatcher> matchers = new ArrayList<>();
|
||||
for (String pattern : patterns) {
|
||||
@@ -581,7 +656,7 @@ public class OidcLogoutSpecTests {
|
||||
Map<String, Object> accessToken(WebSession session) {
|
||||
JwtEncoderParameters parameters = JwtEncoderParameters
|
||||
.from(JwtClaimsSet.builder().id("id").subject(this.username)
|
||||
.issuer(this.registration.getProviderDetails().getIssuerUri()).issuedAt(Instant.now())
|
||||
.issuer(getIssuerUri()).issuedAt(Instant.now())
|
||||
.expiresAt(Instant.now().plusSeconds(86400)).claim("scope", "openid").build());
|
||||
String token = this.encoder.encode(parameters).getTokenValue();
|
||||
return new OIDCTokens(idToken(session.getId()), new BearerAccessToken(token, 86400, new Scope("openid")), null)
|
||||
@@ -589,7 +664,7 @@ public class OidcLogoutSpecTests {
|
||||
}
|
||||
|
||||
String idToken(String sessionId) {
|
||||
OidcIdToken token = TestOidcIdTokens.idToken().issuer(this.registration.getProviderDetails().getIssuerUri())
|
||||
OidcIdToken token = TestOidcIdTokens.idToken().issuer(getIssuerUri())
|
||||
.subject(this.username).expiresAt(Instant.now().plusSeconds(86400))
|
||||
.audience(List.of(this.registration.getClientId())).nonce(this.nonce)
|
||||
.claim(LogoutTokenClaimNames.SID, sessionId).build();
|
||||
@@ -598,6 +673,13 @@ public class OidcLogoutSpecTests {
|
||||
return this.encoder.encode(parameters).getTokenValue();
|
||||
}
|
||||
|
||||
private String getIssuerUri() {
|
||||
if (this.web == null) {
|
||||
return TestClientRegistrations.clientRegistration().build().getProviderDetails().getIssuerUri();
|
||||
}
|
||||
return this.web.url("/").toString();
|
||||
}
|
||||
|
||||
@GetMapping("/user")
|
||||
Map<String, Object> userinfo() {
|
||||
return Map.of("sub", this.username, "id", this.username);
|
||||
|
||||
+1
-2
@@ -146,6 +146,7 @@ public final class AuthorizationAdvisorProxyFactory
|
||||
*/
|
||||
@Override
|
||||
public Object proxy(Object target) {
|
||||
AnnotationAwareOrderComparator.sort(this.advisors);
|
||||
if (target == null) {
|
||||
return null;
|
||||
}
|
||||
@@ -170,7 +171,6 @@ public final class AuthorizationAdvisorProxyFactory
|
||||
*/
|
||||
public void setAdvisors(AuthorizationAdvisor... advisors) {
|
||||
this.advisors = new ArrayList<>(List.of(advisors));
|
||||
AnnotationAwareOrderComparator.sort(this.advisors);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -182,7 +182,6 @@ public final class AuthorizationAdvisorProxyFactory
|
||||
*/
|
||||
public void setAdvisors(Collection<AuthorizationAdvisor> advisors) {
|
||||
this.advisors = new ArrayList<>(advisors);
|
||||
AnnotationAwareOrderComparator.sort(this.advisors);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
+25
-1
@@ -19,9 +19,11 @@ package org.springframework.security.authorization.method;
|
||||
import java.lang.annotation.Annotation;
|
||||
import java.lang.reflect.AnnotatedElement;
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
|
||||
import org.springframework.core.annotation.AnnotationConfigurationException;
|
||||
@@ -29,6 +31,8 @@ import org.springframework.core.annotation.MergedAnnotation;
|
||||
import org.springframework.core.annotation.MergedAnnotations;
|
||||
import org.springframework.core.annotation.MergedAnnotations.SearchStrategy;
|
||||
import org.springframework.core.annotation.RepeatableContainers;
|
||||
import org.springframework.core.convert.TypeDescriptor;
|
||||
import org.springframework.core.convert.converter.GenericConverter;
|
||||
import org.springframework.core.convert.support.DefaultConversionService;
|
||||
import org.springframework.util.PropertyPlaceholderHelper;
|
||||
|
||||
@@ -55,6 +59,12 @@ import org.springframework.util.PropertyPlaceholderHelper;
|
||||
*/
|
||||
final class AuthorizationAnnotationUtils {
|
||||
|
||||
private static final DefaultConversionService conversionService = new DefaultConversionService();
|
||||
|
||||
static {
|
||||
conversionService.addConverter(new ClassToStringConverter());
|
||||
}
|
||||
|
||||
static <A extends Annotation> Function<AnnotatedElement, A> withDefaults(Class<A> type,
|
||||
PrePostTemplateDefaults defaults) {
|
||||
Function<MergedAnnotation<A>, A> map = (mergedAnnotation) -> {
|
||||
@@ -70,7 +80,7 @@ final class AuthorizationAnnotationUtils {
|
||||
String key = property.getKey();
|
||||
Object value = property.getValue();
|
||||
String asString = (value instanceof String) ? (String) value
|
||||
: DefaultConversionService.getSharedInstance().convert(value, String.class);
|
||||
: conversionService.convert(value, String.class);
|
||||
stringProperties.put(key, asString);
|
||||
}
|
||||
AnnotatedElement annotatedElement = (AnnotatedElement) mergedAnnotation.getSource();
|
||||
@@ -156,4 +166,18 @@ final class AuthorizationAnnotationUtils {
|
||||
|
||||
}
|
||||
|
||||
static class ClassToStringConverter implements GenericConverter {
|
||||
|
||||
@Override
|
||||
public Set<ConvertiblePair> getConvertibleTypes() {
|
||||
return Collections.singleton(new ConvertiblePair(Class.class, String.class));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor targetType) {
|
||||
return (source != null) ? source.toString() : null;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+8
-1
@@ -75,7 +75,6 @@ public final class SecurityJackson2Modules {
|
||||
|
||||
private static final List<String> securityJackson2ModuleClasses = Arrays.asList(
|
||||
"org.springframework.security.jackson2.CoreJackson2Module",
|
||||
"org.springframework.security.cas.jackson2.CasJackson2Module",
|
||||
"org.springframework.security.web.jackson2.WebJackson2Module",
|
||||
"org.springframework.security.web.server.jackson2.WebServerJackson2Module");
|
||||
|
||||
@@ -89,6 +88,8 @@ public final class SecurityJackson2Modules {
|
||||
|
||||
private static final String saml2Jackson2ModuleClass = "org.springframework.security.saml2.jackson2.Saml2Jackson2Module";
|
||||
|
||||
private static final String casJackson2ModuleClass = "org.springframework.security.cas.jackson2.CasJackson2Module";
|
||||
|
||||
private static final boolean webServletPresent;
|
||||
|
||||
private static final boolean oauth2ClientPresent;
|
||||
@@ -99,6 +100,8 @@ public final class SecurityJackson2Modules {
|
||||
|
||||
private static final boolean saml2JacksonPresent;
|
||||
|
||||
private static final boolean casJacksonPresent;
|
||||
|
||||
static {
|
||||
ClassLoader classLoader = SecurityJackson2Modules.class.getClassLoader();
|
||||
webServletPresent = ClassUtils.isPresent("jakarta.servlet.http.Cookie", classLoader);
|
||||
@@ -107,6 +110,7 @@ public final class SecurityJackson2Modules {
|
||||
javaTimeJacksonPresent = ClassUtils.isPresent(javaTimeJackson2ModuleClass, classLoader);
|
||||
ldapJacksonPresent = ClassUtils.isPresent(ldapJackson2ModuleClass, classLoader);
|
||||
saml2JacksonPresent = ClassUtils.isPresent(saml2Jackson2ModuleClass, classLoader);
|
||||
casJacksonPresent = ClassUtils.isPresent(casJackson2ModuleClass, classLoader);
|
||||
}
|
||||
|
||||
private SecurityJackson2Modules() {
|
||||
@@ -160,6 +164,9 @@ public final class SecurityJackson2Modules {
|
||||
if (saml2JacksonPresent) {
|
||||
addToModulesList(loader, modules, saml2Jackson2ModuleClass);
|
||||
}
|
||||
if (casJacksonPresent) {
|
||||
addToModulesList(loader, modules, casJackson2ModuleClass);
|
||||
}
|
||||
return modules;
|
||||
}
|
||||
|
||||
|
||||
@@ -155,6 +155,7 @@
|
||||
*** xref:reactive/exploits/csrf.adoc[CSRF]
|
||||
*** xref:reactive/exploits/headers.adoc[Headers]
|
||||
*** xref:reactive/exploits/http.adoc[HTTP Requests]
|
||||
*** xref:reactive/exploits/firewall.adoc[]
|
||||
** Integrations
|
||||
*** xref:reactive/integrations/cors.adoc[CORS]
|
||||
*** xref:reactive/integrations/rsocket.adoc[RSocket]
|
||||
|
||||
@@ -0,0 +1,202 @@
|
||||
[[webflux-serverwebexchangefirewall]]
|
||||
= ServerWebExchangeFirewall
|
||||
|
||||
There are various ways a request can be created by malicious users that can exploit applications.
|
||||
Spring Security provides the `ServerWebExchangeFirewall` to allow rejecting requests that look malicious.
|
||||
The default implementation is `StrictServerWebExchangeFirewall` which rejects malicious requests.
|
||||
|
||||
For example a request could contain path-traversal sequences (such as `/../`) or multiple forward slashes (`//`) that could also cause pattern-matches to fail.
|
||||
Some containers normalize these out before performing the servlet mapping, but others do not.
|
||||
To protect against issues like these, `WebFilterChainProxy` uses a `ServerWebExchangeFirewall` strategy to check and wrap the request.
|
||||
By default, un-normalized requests are automatically rejected, and path parameters are removed for matching purposes.
|
||||
(So, for example, an original request path of `/secure;hack=1/somefile.html;hack=2` is returned as `/secure/somefile.html`.)
|
||||
It is, therefore, essential that a `WebFilterChainProxy` is used.
|
||||
|
||||
In practice, we recommend that you use method security at your service layer, to control access to your application, rather than rely entirely on the use of security constraints defined at the web-application level.
|
||||
URLs change, and it is difficult to take into account all the possible URLs that an application might support and how requests might be manipulated.
|
||||
You should restrict yourself to using a few simple patterns that are simple to understand.
|
||||
Always try to use a "`deny-by-default`" approach, where you have a catch-all wildcard (`/**` or `**`) defined last to deny access.
|
||||
|
||||
Security defined at the service layer is much more robust and harder to bypass, so you should always take advantage of Spring Security's method security options.
|
||||
|
||||
You can customize the `ServerWebExchangeFirewall` by exposing it as a Bean.
|
||||
|
||||
.Allow Matrix Variables
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowSemicolon(true);
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowSemicolon(true)
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
To protect against https://www.owasp.org/index.php/Cross_Site_Tracing[Cross Site Tracing (XST)] and https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)[HTTP Verb Tampering], the `StrictServerWebExchangeFirewall` provides an allowed list of valid HTTP methods that are allowed.
|
||||
The default valid methods are `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.
|
||||
If your application needs to modify the valid methods, you can configure a custom `StrictServerWebExchangeFirewall` bean.
|
||||
The following example allows only HTTP `GET` and `POST` methods:
|
||||
|
||||
|
||||
.Allow Only GET & POST
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST"));
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowedHttpMethods(listOf("GET", "POST"))
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
If you must allow any HTTP method (not recommended), you can use `StrictServerWebExchangeFirewall.setUnsafeAllowAnyHttpMethod(true)`.
|
||||
Doing so entirely disables validation of the HTTP method.
|
||||
|
||||
|
||||
[[webflux-serverwebexchangefirewall-headers-parameters]]
|
||||
`StrictServerWebExchangeFirewall` also checks header names and values and parameter names.
|
||||
It requires that each character have a defined code point and not be a control character.
|
||||
|
||||
This requirement can be relaxed or adjusted as necessary by using the following methods:
|
||||
|
||||
* `StrictServerWebExchangeFirewall#setAllowedHeaderNames(Predicate)`
|
||||
* `StrictServerWebExchangeFirewall#setAllowedHeaderValues(Predicate)`
|
||||
* `StrictServerWebExchangeFirewall#setAllowedParameterNames(Predicate)`
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Parameter values can be also controlled with `setAllowedParameterValues(Predicate)`.
|
||||
====
|
||||
|
||||
For example, to switch off this check, you can wire your `StrictServerWebExchangeFirewall` with `Predicate` instances that always return `true`:
|
||||
|
||||
.Allow Any Header Name, Header Value, and Parameter Name
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
firewall.setAllowedHeaderNames((header) -> true);
|
||||
firewall.setAllowedHeaderValues((header) -> true);
|
||||
firewall.setAllowedParameterNames((parameter) -> true);
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
firewall.setAllowedHeaderNames { true }
|
||||
firewall.setAllowedHeaderValues { true }
|
||||
firewall.setAllowedParameterNames { true }
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
Alternatively, there might be a specific value that you need to allow.
|
||||
|
||||
For example, iPhone Xʀ uses a `User-Agent` that includes a character that is not in the ISO-8859-1 charset.
|
||||
Due to this fact, some application servers parse this value into two separate characters, the latter being an undefined character.
|
||||
|
||||
You can address this with the `setAllowedHeaderValues` method:
|
||||
|
||||
.Allow Certain User Agents
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public StrictServerWebExchangeFirewall httpFirewall() {
|
||||
StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
Pattern allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
|
||||
Pattern userAgent = ...;
|
||||
firewall.setAllowedHeaderValues((header) -> allowed.matcher(header).matches() || userAgent.matcher(header).matches());
|
||||
return firewall;
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun httpFirewall(): StrictServerWebExchangeFirewall {
|
||||
val firewall = StrictServerWebExchangeFirewall()
|
||||
val allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*")
|
||||
val userAgent = Pattern.compile(...)
|
||||
firewall.setAllowedHeaderValues { allowed.matcher(it).matches() || userAgent.matcher(it).matches() }
|
||||
return firewall
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
In the case of header values, you may instead consider parsing them as UTF-8 at verification time:
|
||||
|
||||
.Parse Headers As UTF-8
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
firewall.setAllowedHeaderValues((header) -> {
|
||||
String parsed = new String(header.getBytes(ISO_8859_1), UTF_8);
|
||||
return allowed.matcher(parsed).matches();
|
||||
});
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
firewall.setAllowedHeaderValues {
|
||||
val parsed = String(header.getBytes(ISO_8859_1), UTF_8)
|
||||
return allowed.matcher(parsed).matches()
|
||||
}
|
||||
----
|
||||
======
|
||||
@@ -17,7 +17,7 @@ Java::
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
CorsConfigurationSource corsConfigurationSource() {
|
||||
UrlBasedCorsConfigurationSource corsConfigurationSource() {
|
||||
CorsConfiguration configuration = new CorsConfiguration();
|
||||
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
|
||||
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
|
||||
@@ -32,7 +32,7 @@ Kotlin::
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun corsConfigurationSource(): CorsConfigurationSource {
|
||||
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
|
||||
val configuration = CorsConfiguration()
|
||||
configuration.allowedOrigins = listOf("https://example.com")
|
||||
configuration.allowedMethods = listOf("GET", "POST")
|
||||
|
||||
@@ -135,7 +135,7 @@ To enable this, you can stand up the Back-Channel Logout endpoint in the DSL lik
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source=java,role="primary"]
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public SecurityWebFilterChain filterChain(ServerHttpSecurity http) throws Exception {
|
||||
@@ -153,7 +153,7 @@ public SecurityWebFilterChain filterChain(ServerHttpSecurity http) throws Except
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source=kotlin,role="secondary"]
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun filterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
||||
@@ -187,7 +187,7 @@ Consider a `ClientRegistration` whose identifier is `registrationId`.
|
||||
|
||||
The overall flow for a Back-Channel logout is like this:
|
||||
|
||||
1. At login time, Spring Security correlates the ID Token, CSRF Token, and Provider Session ID (if any) to your application's session id in its `ReactiveOidcSessionStrategy` implementation.
|
||||
1. At login time, Spring Security correlates the ID Token, CSRF Token, and Provider Session ID (if any) to your application's session id in its `ReactiveOidcSessionRegistry` implementation.
|
||||
2. Then at logout time, your OIDC Provider makes an API call to `/logout/connect/back-channel/registrationId` including a Logout Token that indicates either the `sub` (the End User) or the `sid` (the Provider Session ID) to logout.
|
||||
3. Spring Security validates the token's signature and claims.
|
||||
4. If the token contains a `sid` claim, then only the Client's session that correlates to that provider session is terminated.
|
||||
@@ -197,38 +197,38 @@ The overall flow for a Back-Channel logout is like this:
|
||||
Remember that Spring Security's OIDC support is multi-tenant.
|
||||
This means that it will only terminate sessions whose Client matches the `aud` claim in the Logout Token.
|
||||
|
||||
=== Customizing the OIDC Provider Session Strategy
|
||||
=== Customizing the OIDC Provider Session Registry
|
||||
|
||||
By default, Spring Security stores in-memory all links between the OIDC Provider session and the Client session.
|
||||
|
||||
There are a number of circumstances, like a clustered application, where it would be nice to store this instead in a separate location, like a database.
|
||||
|
||||
You can achieve this by configuring a custom `ReactiveOidcSessionStrategy`, like so:
|
||||
You can achieve this by configuring a custom `ReactiveOidcSessionRegistry`, like so:
|
||||
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source=java,role="primary"]
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Component
|
||||
public final class MySpringDataOidcSessionStrategy implements OidcSessionStrategy {
|
||||
public final class MySpringDataOidcSessionRegistry implements ReactiveOidcSessionRegistry {
|
||||
private final OidcProviderSessionRepository sessions;
|
||||
|
||||
// ...
|
||||
|
||||
@Override
|
||||
public void saveSessionInformation(OidcSessionInformation info) {
|
||||
this.sessions.save(info);
|
||||
public Mono<void> saveSessionInformation(OidcSessionInformation info) {
|
||||
return this.sessions.save(info);
|
||||
}
|
||||
|
||||
@Override
|
||||
public OidcSessionInformation(String clientSessionId) {
|
||||
public Mono<OidcSessionInformation> removeSessionInformation(String clientSessionId) {
|
||||
return this.sessions.removeByClientSessionId(clientSessionId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Iterable<OidcSessionInformation> removeSessionInformation(OidcLogoutToken token) {
|
||||
public Flux<OidcSessionInformation> removeSessionInformation(OidcLogoutToken token) {
|
||||
return token.getSessionId() != null ?
|
||||
this.sessions.removeBySessionIdAndIssuerAndAudience(...) :
|
||||
this.sessions.removeBySubjectAndIssuerAndAudience(...);
|
||||
@@ -238,10 +238,10 @@ public final class MySpringDataOidcSessionStrategy implements OidcSessionStrateg
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source=kotlin,role="secondary"]
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Component
|
||||
class MySpringDataOidcSessionStrategy: ReactiveOidcSessionStrategy {
|
||||
class MySpringDataOidcSessionRegistry: ReactiveOidcSessionRegistry {
|
||||
val sessions: OidcProviderSessionRepository
|
||||
|
||||
// ...
|
||||
|
||||
@@ -326,156 +326,7 @@ Normally, Spring Security builds an `AuthenticationManager` internally composed
|
||||
In certain cases, it may still be desired to customize the instance of `AuthenticationManager` used by Spring Security.
|
||||
For example, you may need to simply disable xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager-erasing-credentials[credential erasure] for cached users.
|
||||
|
||||
The recommended way to do this is to simply publish your own `AuthenticationManager` bean, and Spring Security will use it.
|
||||
You can publish an `AuthenticationManager` using the following configuration:
|
||||
|
||||
.Publish `AuthenticationManager` bean for Spring Security
|
||||
[tabs]
|
||||
=====
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig {
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.requestMatchers("/login").permitAll()
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.httpBasic(Customizer.withDefaults())
|
||||
.formLogin(Customizer.withDefaults());
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public AuthenticationManager authenticationManager(
|
||||
UserDetailsService userDetailsService,
|
||||
PasswordEncoder passwordEncoder) {
|
||||
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
|
||||
authenticationProvider.setUserDetailsService(userDetailsService);
|
||||
authenticationProvider.setPasswordEncoder(passwordEncoder);
|
||||
|
||||
ProviderManager providerManager = new ProviderManager(authenticationProvider);
|
||||
providerManager.setEraseCredentialsAfterAuthentication(false);
|
||||
|
||||
return providerManager;
|
||||
}
|
||||
|
||||
@Bean
|
||||
public UserDetailsService userDetailsService() {
|
||||
UserDetails userDetails = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.roles("USER")
|
||||
.build();
|
||||
|
||||
return new InMemoryUserDetailsManager(userDetails);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public PasswordEncoder passwordEncoder() {
|
||||
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
|
||||
}
|
||||
|
||||
}
|
||||
----
|
||||
|
||||
XML::
|
||||
+
|
||||
[source,xml,role="secondary"]
|
||||
----
|
||||
<http>
|
||||
<intercept-url pattern="/login" access="permitAll"/>
|
||||
<intercept-url pattern="/**" access="authenticated"/>
|
||||
<form-login />
|
||||
<http-basic />
|
||||
|
||||
<bean id="authenticationManager"
|
||||
class="org.springframework.security.authentication.ProviderManager">
|
||||
<constructor-arg>
|
||||
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
|
||||
<property name="userDetailsService" ref="userDetailsService" />
|
||||
<property name="passwordEncoder" ref="passwordEncoder" />
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<user-service id="userDetailsService">
|
||||
<user name="user"
|
||||
password="{noop}password"
|
||||
authorities="ROLE_USER" />
|
||||
</user-service>
|
||||
|
||||
<bean id="passwordEncoder"
|
||||
class="org.springframework.security.crypto.factory.PasswordEncoderFactories" factory-method="createDelegatingPasswordEncoder"/>
|
||||
</http>
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
import org.springframework.security.config.annotation.web.invoke
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
class SecurityConfig {
|
||||
|
||||
@Bean
|
||||
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
authorizeHttpRequests {
|
||||
authorize("/login", permitAll)
|
||||
authorize(anyRequest, authenticated)
|
||||
}
|
||||
formLogin { }
|
||||
httpBasic { }
|
||||
}
|
||||
|
||||
return http.build()
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun authenticationManager(
|
||||
userDetailsService: UserDetailsService,
|
||||
passwordEncoder: PasswordEncoder): AuthenticationManager {
|
||||
val authenticationProvider = DaoAuthenticationProvider()
|
||||
authenticationProvider.setUserDetailsService(userDetailsService)
|
||||
authenticationProvider.setPasswordEncoder(passwordEncoder)
|
||||
|
||||
val providerManager = ProviderManager(authenticationProvider)
|
||||
providerManager.eraseCredentialsAfterAuthentication = false
|
||||
|
||||
return providerManager
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun userDetailsService(): UserDetailsService {
|
||||
val user = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.roles("USER")
|
||||
.build()
|
||||
|
||||
return InMemoryUserDetailsManager(user)
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun passwordEncoder(): PasswordEncoder {
|
||||
return PasswordEncoderFactories.createDelegatingPasswordEncoder()
|
||||
}
|
||||
|
||||
}
|
||||
----
|
||||
=====
|
||||
|
||||
Alternatively, you can take advantage of the fact that the `AuthenticationManagerBuilder` used to build Spring Security's global `AuthenticationManager` is published as a bean.
|
||||
To do this, you can take advantage of the fact that the `AuthenticationManagerBuilder` used to build Spring Security's global `AuthenticationManager` is published as a bean.
|
||||
You can configure the builder as follows:
|
||||
|
||||
.Configure global `AuthenticationManagerBuilder`
|
||||
@@ -539,3 +390,142 @@ class SecurityConfig {
|
||||
}
|
||||
----
|
||||
=====
|
||||
|
||||
Alternatively, you may configure a local `AuthenticationManager` to override the global one.
|
||||
|
||||
.Configure local `AuthenticationManager` for Spring Security
|
||||
[tabs]
|
||||
=====
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig {
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.httpBasic(Customizer.withDefaults())
|
||||
.formLogin(Customizer.withDefaults())
|
||||
.authenticationManager(authenticationManager());
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
private AuthenticationManager authenticationManager() {
|
||||
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
|
||||
authenticationProvider.setUserDetailsService(userDetailsService());
|
||||
authenticationProvider.setPasswordEncoder(passwordEncoder());
|
||||
|
||||
ProviderManager providerManager = new ProviderManager(authenticationProvider);
|
||||
providerManager.setEraseCredentialsAfterAuthentication(false);
|
||||
|
||||
return providerManager;
|
||||
}
|
||||
|
||||
private UserDetailsService userDetailsService() {
|
||||
UserDetails userDetails = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.roles("USER")
|
||||
.build();
|
||||
|
||||
return new InMemoryUserDetailsManager(userDetails);
|
||||
}
|
||||
|
||||
private PasswordEncoder passwordEncoder() {
|
||||
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
|
||||
}
|
||||
|
||||
}
|
||||
----
|
||||
|
||||
XML::
|
||||
+
|
||||
[source,xml,role="secondary"]
|
||||
----
|
||||
<http authentication-manager-ref="authenticationManager">
|
||||
<intercept-url pattern="/**" access="authenticated"/>
|
||||
<form-login />
|
||||
<http-basic />
|
||||
|
||||
<bean id="authenticationManager"
|
||||
class="org.springframework.security.authentication.ProviderManager">
|
||||
<constructor-arg>
|
||||
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
|
||||
<property name="userDetailsService" ref="userDetailsService" />
|
||||
<property name="passwordEncoder" ref="passwordEncoder" />
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<user-service id="userDetailsService">
|
||||
<user name="user"
|
||||
password="{noop}password"
|
||||
authorities="ROLE_USER" />
|
||||
</user-service>
|
||||
|
||||
<bean id="passwordEncoder"
|
||||
class="org.springframework.security.crypto.factory.PasswordEncoderFactories" factory-method="createDelegatingPasswordEncoder"/>
|
||||
</http>
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
import org.springframework.security.config.annotation.web.invoke
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
class SecurityConfig {
|
||||
|
||||
@Bean
|
||||
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
authorizeHttpRequests {
|
||||
authorize(anyRequest, authenticated)
|
||||
}
|
||||
formLogin { }
|
||||
httpBasic { }
|
||||
authenticationManager = authenticationManager()
|
||||
}
|
||||
|
||||
return http.build()
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun authenticationManager(): AuthenticationManager {
|
||||
val authenticationProvider = DaoAuthenticationProvider()
|
||||
authenticationProvider.setUserDetailsService(userDetailsService())
|
||||
authenticationProvider.setPasswordEncoder(passwordEncoder())
|
||||
|
||||
val providerManager = ProviderManager(authenticationProvider)
|
||||
providerManager.eraseCredentialsAfterAuthentication = false
|
||||
|
||||
return providerManager
|
||||
}
|
||||
|
||||
private fun userDetailsService(): UserDetailsService {
|
||||
val user = User.withDefaultPasswordEncoder()
|
||||
.username("user")
|
||||
.password("password")
|
||||
.roles("USER")
|
||||
.build()
|
||||
|
||||
return InMemoryUserDetailsManager(user)
|
||||
}
|
||||
|
||||
private fun passwordEncoder(): PasswordEncoder {
|
||||
return PasswordEncoderFactories.createDelegatingPasswordEncoder()
|
||||
}
|
||||
|
||||
}
|
||||
----
|
||||
=====
|
||||
|
||||
|
||||
@@ -101,7 +101,7 @@ The `AuthorizationManager` interface contains two methods:
|
||||
----
|
||||
AuthorizationDecision check(Supplier<Authentication> authentication, Object secureObject);
|
||||
|
||||
default AuthorizationDecision verify(Supplier<Authentication> authentication, Object secureObject)
|
||||
default void verify(Supplier<Authentication> authentication, Object secureObject)
|
||||
throws AccessDeniedException {
|
||||
// ...
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@ Java::
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
CorsConfigurationSource corsConfigurationSource() {
|
||||
UrlBasedCorsConfigurationSource corsConfigurationSource() {
|
||||
CorsConfiguration configuration = new CorsConfiguration();
|
||||
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
|
||||
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
|
||||
@@ -31,7 +31,7 @@ Kotlin::
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun corsConfigurationSource(): CorsConfigurationSource {
|
||||
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
|
||||
val configuration = CorsConfiguration()
|
||||
configuration.allowedOrigins = listOf("https://example.com")
|
||||
configuration.allowedMethods = listOf("GET", "POST")
|
||||
@@ -147,7 +147,7 @@ public class WebSecurityConfig {
|
||||
return http.build();
|
||||
}
|
||||
|
||||
CorsConfigurationSource apiConfigurationSource() {
|
||||
UrlBasedCorsConfigurationSource apiConfigurationSource() {
|
||||
CorsConfiguration configuration = new CorsConfiguration();
|
||||
configuration.setAllowedOrigins(Arrays.asList("https://api.example.com"));
|
||||
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
|
||||
@@ -156,7 +156,7 @@ public class WebSecurityConfig {
|
||||
return source;
|
||||
}
|
||||
|
||||
CorsConfigurationSource myWebsiteConfigurationSource() {
|
||||
UrlBasedCorsConfigurationSource myWebsiteConfigurationSource() {
|
||||
CorsConfiguration configuration = new CorsConfiguration();
|
||||
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
|
||||
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
|
||||
@@ -173,7 +173,7 @@ Kotlin::
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun corsConfigurationSource(): CorsConfigurationSource {
|
||||
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
|
||||
val configuration = CorsConfiguration()
|
||||
configuration.allowedOrigins = listOf("https://example.com")
|
||||
configuration.allowedMethods = listOf("GET", "POST")
|
||||
|
||||
@@ -134,7 +134,7 @@ To enable this, you can stand up the Back-Channel Logout endpoint in the DSL lik
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source=java,role="primary"]
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
@@ -152,7 +152,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source=kotlin,role="secondary"]
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
@@ -176,7 +176,7 @@ Then, you need a way listen to events published by Spring Security to remove old
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source=java,role="primary"]
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public HttpSessionEventPublisher sessionEventPublisher() {
|
||||
@@ -186,7 +186,7 @@ public HttpSessionEventPublisher sessionEventPublisher() {
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source=kotlin,role="secondary"]
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun sessionEventPublisher(): HttpSessionEventPublisher {
|
||||
@@ -213,7 +213,7 @@ Consider a `ClientRegistration` whose identifier is `registrationId`.
|
||||
|
||||
The overall flow for a Back-Channel logout is like this:
|
||||
|
||||
1. At login time, Spring Security correlates the ID Token, CSRF Token, and Provider Session ID (if any) to your application's session id in its `OidcSessionStrategy` implementation.
|
||||
1. At login time, Spring Security correlates the ID Token, CSRF Token, and Provider Session ID (if any) to your application's session id in its `OidcSessionRegistry` implementation.
|
||||
2. Then at logout time, your OIDC Provider makes an API call to `/logout/connect/back-channel/registrationId` including a Logout Token that indicates either the `sub` (the End User) or the `sid` (the Provider Session ID) to logout.
|
||||
3. Spring Security validates the token's signature and claims.
|
||||
4. If the token contains a `sid` claim, then only the Client's session that correlates to that provider session is terminated.
|
||||
@@ -223,22 +223,22 @@ The overall flow for a Back-Channel logout is like this:
|
||||
Remember that Spring Security's OIDC support is multi-tenant.
|
||||
This means that it will only terminate sessions whose Client matches the `aud` claim in the Logout Token.
|
||||
|
||||
=== Customizing the OIDC Provider Session Strategy
|
||||
=== Customizing the OIDC Provider Session Registry
|
||||
|
||||
By default, Spring Security stores in-memory all links between the OIDC Provider session and the Client session.
|
||||
|
||||
There are a number of circumstances, like a clustered application, where it would be nice to store this instead in a separate location, like a database.
|
||||
|
||||
You can achieve this by configuring a custom `OidcSessionStrategy`, like so:
|
||||
You can achieve this by configuring a custom `OidcSessionRegistry`, like so:
|
||||
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source=java,role="primary"]
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Component
|
||||
public final class MySpringDataOidcSessionStrategy implements OidcSessionStrategy {
|
||||
public final class MySpringDataOidcSessionRegistry implements OidcSessionRegistry {
|
||||
private final OidcProviderSessionRepository sessions;
|
||||
|
||||
// ...
|
||||
@@ -249,7 +249,7 @@ public final class MySpringDataOidcSessionStrategy implements OidcSessionStrateg
|
||||
}
|
||||
|
||||
@Override
|
||||
public OidcSessionInformation(String clientSessionId) {
|
||||
public OidcSessionInformation removeSessionInformation(String clientSessionId) {
|
||||
return this.sessions.removeByClientSessionId(clientSessionId);
|
||||
}
|
||||
|
||||
@@ -264,10 +264,10 @@ public final class MySpringDataOidcSessionStrategy implements OidcSessionStrateg
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source=kotlin,role="secondary"]
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Component
|
||||
class MySpringDataOidcSessionStrategy: OidcSessionStrategy {
|
||||
class MySpringDataOidcSessionRegistry: OidcSessionRegistry {
|
||||
val sessions: OidcProviderSessionRepository
|
||||
|
||||
// ...
|
||||
|
||||
@@ -89,12 +89,12 @@ Next, let's see the architectural components that Spring Security uses to suppor
|
||||
{security-api-url}org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.html[`JwtAuthenticationProvider`] is an xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a <<oauth2resourceserver-jwt-decoder,`JwtDecoder`>> and <<oauth2resourceserver-jwt-authorization-extraction,`JwtAuthenticationConverter`>> to authenticate a JWT.
|
||||
|
||||
Let's take a look at how `JwtAuthenticationProvider` works within Spring Security.
|
||||
The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> works.
|
||||
The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/oauth2/resource-server/index.adoc#oauth2resourceserver-authentication-bearertokenauthenticationfilter[Reading the Bearer Token] works.
|
||||
|
||||
.`JwtAuthenticationProvider` Usage
|
||||
image::{figures}/jwtauthenticationprovider.png[]
|
||||
|
||||
image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||
image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/oauth2/resource-server/index.adoc#oauth2resourceserver-authentication-bearertokenauthenticationfilter[Reading the Bearer Token] passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||
|
||||
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `JwtAuthenticationProvider`.
|
||||
|
||||
|
||||
@@ -85,12 +85,12 @@ Next, let's see the architectural components that Spring Security uses to suppor
|
||||
{security-api-url}org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.html[`OpaqueTokenAuthenticationProvider`] is an xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a <<oauth2resourceserver-opaque-introspector,`OpaqueTokenIntrospector`>> to authenticate an opaque token.
|
||||
|
||||
Let's take a look at how `OpaqueTokenAuthenticationProvider` works within Spring Security.
|
||||
The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> works.
|
||||
The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/oauth2/resource-server/index.adoc#oauth2resourceserver-authentication-bearertokenauthenticationfilter[Reading the Bearer Token] works.
|
||||
|
||||
.`OpaqueTokenAuthenticationProvider` Usage
|
||||
image::{figures}/opaquetokenauthenticationprovider.png[]
|
||||
|
||||
image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||
image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/oauth2/resource-server/index.adoc#oauth2resourceserver-authentication-bearertokenauthenticationfilter[Reading the Bearer Token] passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||
|
||||
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `OpaqueTokenAuthenticationProvider`.
|
||||
|
||||
|
||||
+2
-2
@@ -2,9 +2,9 @@
|
||||
"dependencies": {
|
||||
"antora": "3.2.0-alpha.6",
|
||||
"@antora/atlas-extension": "1.0.0-alpha.2",
|
||||
"@antora/collector-extension": "1.0.0-beta.2",
|
||||
"@antora/collector-extension": "1.0.0-beta.3",
|
||||
"@asciidoctor/tabs": "1.0.0-beta.6",
|
||||
"@springio/antora-extensions": "1.14.2",
|
||||
"@springio/asciidoctor-extensions": "1.0.0-alpha.12"
|
||||
"@springio/asciidoctor-extensions": "1.0.0-alpha.14"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,6 +10,7 @@ org.eclipse.jdt.core.codeComplete.staticFieldSuffixes=
|
||||
org.eclipse.jdt.core.codeComplete.staticFinalFieldPrefixes=
|
||||
org.eclipse.jdt.core.codeComplete.staticFinalFieldSuffixes=
|
||||
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
|
||||
org.eclipse.jdt.core.compiler.codegen.methodParameters=generate
|
||||
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
|
||||
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
|
||||
org.eclipse.jdt.core.compiler.compliance=1.6
|
||||
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
springBootVersion=3.1.1
|
||||
version=6.3.2
|
||||
version=6.3.4
|
||||
samplesBranch=6.3.x
|
||||
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
|
||||
org.gradle.parallel=true
|
||||
|
||||
+11
-11
@@ -8,15 +8,15 @@ org-apache-directory-server = "1.5.5"
|
||||
org-apache-maven-resolver = "1.9.22"
|
||||
org-aspectj = "1.9.22.1"
|
||||
org-bouncycastle = "1.78.1"
|
||||
org-eclipse-jetty = "11.0.22"
|
||||
org-eclipse-jetty = "11.0.24"
|
||||
org-jetbrains-kotlin = "1.9.25"
|
||||
org-jetbrains-kotlinx = "1.8.1"
|
||||
org-mockito = "5.11.0"
|
||||
org-opensaml = "4.3.2"
|
||||
org-springframework = "6.1.12"
|
||||
org-springframework = "6.1.14"
|
||||
|
||||
[libraries]
|
||||
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.7"
|
||||
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.11"
|
||||
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.17.2"
|
||||
com-google-inject-guice = "com.google.inject:guice:3.0"
|
||||
com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
|
||||
@@ -26,9 +26,9 @@ com-squareup-okhttp3-mockwebserver = { module = "com.squareup.okhttp3:mockwebser
|
||||
com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "com-squareup-okhttp3" }
|
||||
com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:6.0.11"
|
||||
commons-collections = "commons-collections:commons-collections:3.2.2"
|
||||
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.12.9"
|
||||
io-mockk = "io.mockk:mockk:1.13.12"
|
||||
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.9"
|
||||
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.12.11"
|
||||
io-mockk = "io.mockk:mockk:1.13.13"
|
||||
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.11"
|
||||
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
|
||||
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
|
||||
io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }
|
||||
@@ -40,7 +40,7 @@ jakarta-inject-jakarta-inject-api = "jakarta.inject:jakarta.inject-api:2.0.1"
|
||||
jakarta-persistence-jakarta-persistence-api = "jakarta.persistence:jakarta.persistence-api:3.1.0"
|
||||
jakarta-servlet-jakarta-servlet-api = "jakarta.servlet:jakarta.servlet-api:6.0.0"
|
||||
jakarta-servlet-jsp-jakarta-servlet-jsp-api = "jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.1.1"
|
||||
jakarta-servlet-jsp-jstl-jakarta-servlet-jsp-jstl-api = "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.1"
|
||||
jakarta-servlet-jsp-jstl-jakarta-servlet-jsp-jstl-api = "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.2"
|
||||
jakarta-websocket-jakarta-websocket-api = { module = "jakarta.websocket:jakarta.websocket-api", version.ref = "jakarta-websocket" }
|
||||
jakarta-websocket-jakarta-websocket-client-api = { module = "jakarta.websocket:jakarta.websocket-client-api", version.ref = "jakarta-websocket" }
|
||||
jakarta-xml-bind-jakarta-xml-bind-api = "jakarta.xml.bind:jakarta.xml.bind-api:4.0.2"
|
||||
@@ -72,7 +72,7 @@ org-hsqldb = "org.hsqldb:hsqldb:2.7.3"
|
||||
org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" }
|
||||
org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.25"
|
||||
org-jetbrains-kotlinx-kotlinx-coroutines-bom = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-bom", version.ref = "org-jetbrains-kotlinx" }
|
||||
org-junit-junit-bom = "org.junit:junit-bom:5.10.3"
|
||||
org-junit-junit-bom = "org.junit:junit-bom:5.10.5"
|
||||
org-mockito-mockito-bom = { module = "org.mockito:mockito-bom", version.ref = "org-mockito" }
|
||||
org-opensaml-opensaml-core = { module = "org.opensaml:opensaml-core", version.ref = "org-opensaml" }
|
||||
org-opensaml-opensaml-saml-api = { module = "org.opensaml:opensaml-saml-api", version.ref = "org-opensaml" }
|
||||
@@ -84,8 +84,8 @@ org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-sup
|
||||
org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3"
|
||||
org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"
|
||||
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.16"
|
||||
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.3"
|
||||
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.6"
|
||||
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.5"
|
||||
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.7"
|
||||
org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" }
|
||||
org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
|
||||
|
||||
@@ -99,7 +99,7 @@ org-gretty-gretty = "org.gretty:gretty:4.1.5"
|
||||
com-github-ben-manes-gradle-versions-plugin = "com.github.ben-manes:gradle-versions-plugin:0.51.0"
|
||||
com-github-spullara-mustache-java-compiler = "com.github.spullara.mustache.java:compiler:0.9.14"
|
||||
org-hidetake-gradle-ssh-plugin = "org.hidetake:gradle-ssh-plugin:2.10.1"
|
||||
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:4.33.20"
|
||||
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:4.33.22"
|
||||
org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969"
|
||||
org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1"
|
||||
|
||||
|
||||
Vendored
BIN
Binary file not shown.
+2
-2
@@ -1,7 +1,7 @@
|
||||
distributionBase=GRADLE_USER_HOME
|
||||
distributionPath=wrapper/dists
|
||||
distributionSha256Sum=544c35d6bd849ae8a5ed0bcea39ba677dc40f49df7d1835561582da2009b961d
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
|
||||
distributionSha256Sum=1541fa36599e12857140465f3c91a97409b4512501c26f9631fb113e392c5bd1
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.1-bin.zip
|
||||
networkTimeout=10000
|
||||
validateDistributionUrl=true
|
||||
zipStoreBase=GRADLE_USER_HOME
|
||||
|
||||
@@ -15,6 +15,8 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
##############################################################################
|
||||
#
|
||||
@@ -55,7 +57,7 @@
|
||||
# Darwin, MinGW, and NonStop.
|
||||
#
|
||||
# (3) This script is generated from the Groovy template
|
||||
# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
|
||||
# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
|
||||
# within the Gradle project.
|
||||
#
|
||||
# You can find Gradle at https://github.com/gradle/gradle/.
|
||||
@@ -84,7 +86,8 @@ done
|
||||
# shellcheck disable=SC2034
|
||||
APP_BASE_NAME=${0##*/}
|
||||
# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
|
||||
APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
|
||||
APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
|
||||
' "$PWD" ) || exit
|
||||
|
||||
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||
MAX_FD=maximum
|
||||
|
||||
Vendored
+2
@@ -13,6 +13,8 @@
|
||||
@rem See the License for the specific language governing permissions and
|
||||
@rem limitations under the License.
|
||||
@rem
|
||||
@rem SPDX-License-Identifier: Apache-2.0
|
||||
@rem
|
||||
|
||||
@if "%DEBUG%"=="" @echo off
|
||||
@rem ##########################################################################
|
||||
|
||||
+16
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -440,7 +440,21 @@ public final class OAuth2AuthorizationRequest implements Serializable {
|
||||
Map<String, Object> parameters = getParameters(); // Not encoded
|
||||
this.parametersConsumer.accept(parameters);
|
||||
MultiValueMap<String, String> queryParams = new LinkedMultiValueMap<>();
|
||||
parameters.forEach((k, v) -> queryParams.set(encodeQueryParam(k), encodeQueryParam(String.valueOf(v)))); // Encoded
|
||||
parameters.forEach((k, v) -> {
|
||||
String key = encodeQueryParam(k);
|
||||
if (v instanceof Iterable) {
|
||||
((Iterable<?>) v).forEach((value) -> queryParams.add(key, encodeQueryParam(String.valueOf(value))));
|
||||
}
|
||||
else if (v != null && v.getClass().isArray()) {
|
||||
Object[] values = (Object[]) v;
|
||||
for (Object value : values) {
|
||||
queryParams.add(key, encodeQueryParam(String.valueOf(value)));
|
||||
}
|
||||
}
|
||||
else {
|
||||
queryParams.set(key, encodeQueryParam(String.valueOf(v)));
|
||||
}
|
||||
});
|
||||
UriBuilder uriBuilder = this.uriBuilderFactory.uriString(this.authorizationUri).queryParams(queryParams);
|
||||
return this.authorizationRequestUriFunction.apply(uriBuilder).toString();
|
||||
}
|
||||
|
||||
+47
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -19,6 +19,7 @@ package org.springframework.security.oauth2.core.endpoint;
|
||||
import java.net.URI;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
@@ -319,4 +320,49 @@ public class OAuth2AuthorizationRequestTests {
|
||||
+ "item%20amount=19.95%E2%82%AC&%C3%A2ge=4%C2%BD&item%20name=H%C3%85M%C3%96");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenAdditionalParametersContainsArrayThenProperlyEncoded() {
|
||||
Map<String, Object> additionalParameters = new LinkedHashMap<>();
|
||||
additionalParameters.put("item1", new String[] { "1", "2" });
|
||||
additionalParameters.put("item2", "value2");
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.additionalParameters(additionalParameters)
|
||||
.build();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri()).isNotNull();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri())
|
||||
.isEqualTo("https://example.com/login/oauth/authorize?response_type=code&client_id=client-id&state=state&"
|
||||
+ "redirect_uri=https://example.com/authorize/oauth2/code/registration-id&"
|
||||
+ "item1=1&item1=2&item2=value2");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenAdditionalParametersContainsIterableThenProperlyEncoded() {
|
||||
Map<String, Object> additionalParameters = new LinkedHashMap<>();
|
||||
additionalParameters.put("item1", Arrays.asList("1", "2"));
|
||||
additionalParameters.put("item2", "value2");
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.additionalParameters(additionalParameters)
|
||||
.build();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri()).isNotNull();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri())
|
||||
.isEqualTo("https://example.com/login/oauth/authorize?response_type=code&client_id=client-id&state=state&"
|
||||
+ "redirect_uri=https://example.com/authorize/oauth2/code/registration-id&"
|
||||
+ "item1=1&item1=2&item2=value2");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenAdditionalParametersContainsNullThenAuthorizationRequestUriContainsNull() {
|
||||
Map<String, Object> additionalParameters = new LinkedHashMap<>();
|
||||
additionalParameters.put("item1", null);
|
||||
additionalParameters.put("item2", "value2");
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.additionalParameters(additionalParameters)
|
||||
.build();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri()).isNotNull();
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri())
|
||||
.isEqualTo("https://example.com/login/oauth/authorize?response_type=code&client_id=client-id&state=state&"
|
||||
+ "redirect_uri=https://example.com/authorize/oauth2/code/registration-id&"
|
||||
+ "item1=null&item2=value2");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -20,11 +20,15 @@ import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import jakarta.servlet.FilterChain;
|
||||
import reactor.core.publisher.Flux;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.server.firewall.HttpStatusExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.WebFilter;
|
||||
@@ -43,6 +47,10 @@ public class WebFilterChainProxy implements WebFilter {
|
||||
|
||||
private WebFilterChainDecorator filterChainDecorator = new DefaultWebFilterChainDecorator();
|
||||
|
||||
private ServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
|
||||
private ServerExchangeRejectedHandler exchangeRejectedHandler = new HttpStatusExchangeRejectedHandler();
|
||||
|
||||
public WebFilterChainProxy(List<SecurityWebFilterChain> filters) {
|
||||
this.filters = filters;
|
||||
}
|
||||
@@ -53,14 +61,41 @@ public class WebFilterChainProxy implements WebFilter {
|
||||
|
||||
@Override
|
||||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
|
||||
return this.firewall.getFirewalledExchange(exchange)
|
||||
.flatMap((firewalledExchange) -> filterFirewalledExchange(firewalledExchange, chain))
|
||||
.onErrorResume(ServerExchangeRejectedException.class,
|
||||
(rejected) -> this.exchangeRejectedHandler.handle(exchange, rejected).then(Mono.empty()));
|
||||
}
|
||||
|
||||
private Mono<Void> filterFirewalledExchange(ServerWebExchange firewalledExchange, WebFilterChain chain) {
|
||||
return Flux.fromIterable(this.filters)
|
||||
.filterWhen((securityWebFilterChain) -> securityWebFilterChain.matches(exchange))
|
||||
.filterWhen((securityWebFilterChain) -> securityWebFilterChain.matches(firewalledExchange))
|
||||
.next()
|
||||
.switchIfEmpty(
|
||||
Mono.defer(() -> this.filterChainDecorator.decorate(chain).filter(exchange).then(Mono.empty())))
|
||||
.switchIfEmpty(Mono
|
||||
.defer(() -> this.filterChainDecorator.decorate(chain).filter(firewalledExchange).then(Mono.empty())))
|
||||
.flatMap((securityWebFilterChain) -> securityWebFilterChain.getWebFilters().collectList())
|
||||
.map((filters) -> this.filterChainDecorator.decorate(chain, filters))
|
||||
.flatMap((securedChain) -> securedChain.filter(exchange));
|
||||
.flatMap((securedChain) -> securedChain.filter(firewalledExchange));
|
||||
}
|
||||
|
||||
/**
|
||||
* Protects the application using the provided
|
||||
* {@link StrictServerWebExchangeFirewall}.
|
||||
* @param firewall the {@link StrictServerWebExchangeFirewall} to use. Cannot be null.
|
||||
* @since 6.4
|
||||
*/
|
||||
public void setFirewall(ServerWebExchangeFirewall firewall) {
|
||||
Assert.notNull(firewall, "firewall cannot be null");
|
||||
this.firewall = firewall;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles {@link ServerExchangeRejectedException} when the
|
||||
* {@link ServerWebExchangeFirewall} rejects the provided {@link ServerWebExchange}.
|
||||
* @param exchangeRejectedHandler the {@link ServerExchangeRejectedHandler} to use.
|
||||
*/
|
||||
public void setExchangeRejectedHandler(ServerExchangeRejectedHandler exchangeRejectedHandler) {
|
||||
this.exchangeRejectedHandler = exchangeRejectedHandler;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
+66
@@ -0,0 +1,66 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* A simple implementation of {@link ServerExchangeRejectedHandler} that sends an error
|
||||
* with configurable status code.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
public class HttpStatusExchangeRejectedHandler implements ServerExchangeRejectedHandler {
|
||||
|
||||
private static final Log logger = LogFactory.getLog(HttpStatusExchangeRejectedHandler.class);
|
||||
|
||||
private final HttpStatus status;
|
||||
|
||||
/**
|
||||
* Constructs an instance which uses {@code 400} as response code.
|
||||
*/
|
||||
public HttpStatusExchangeRejectedHandler() {
|
||||
this(HttpStatus.BAD_REQUEST);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs an instance which uses a configurable http code as response.
|
||||
* @param status http status code to use
|
||||
*/
|
||||
public HttpStatusExchangeRejectedHandler(HttpStatus status) {
|
||||
this.status = status;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<Void> handle(ServerWebExchange exchange,
|
||||
ServerExchangeRejectedException serverExchangeRejectedException) {
|
||||
return Mono.fromRunnable(() -> {
|
||||
logger.debug(
|
||||
LogMessage.format("Rejecting request due to: %s", serverExchangeRejectedException.getMessage()),
|
||||
serverExchangeRejectedException);
|
||||
exchange.getResponse().setStatusCode(this.status);
|
||||
});
|
||||
}
|
||||
|
||||
}
|
||||
+31
@@ -0,0 +1,31 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
/**
|
||||
* Thrown when a {@link org.springframework.web.server.ServerWebExchange} is rejected.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
public class ServerExchangeRejectedException extends RuntimeException {
|
||||
|
||||
public ServerExchangeRejectedException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
}
|
||||
+39
@@ -0,0 +1,39 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* Handles {@link ServerExchangeRejectedException} thrown by
|
||||
* {@link ServerWebExchangeFirewall}.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
public interface ServerExchangeRejectedHandler {
|
||||
|
||||
/**
|
||||
* Handles an request rejected failure.
|
||||
* @param exchange the {@link ServerWebExchange} that was rejected
|
||||
* @param serverExchangeRejectedException that caused the invocation
|
||||
*/
|
||||
Mono<Void> handle(ServerWebExchange exchange, ServerExchangeRejectedException serverExchangeRejectedException);
|
||||
|
||||
}
|
||||
+46
@@ -0,0 +1,46 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* Interface which can be used to reject potentially dangerous requests and/or wrap them
|
||||
* to control their behaviour.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
public interface ServerWebExchangeFirewall {
|
||||
|
||||
/**
|
||||
* An implementation of {@link StrictServerWebExchangeFirewall} that does nothing.
|
||||
* This is considered insecure and not recommended.
|
||||
*/
|
||||
ServerWebExchangeFirewall INSECURE_NOOP = (exchange) -> Mono.just(exchange);
|
||||
|
||||
/**
|
||||
* Get a {@link ServerWebExchange} that has firewall rules applied to it.
|
||||
* @param exchange the {@link ServerWebExchange} to apply firewall rules to.
|
||||
* @return the {@link ServerWebExchange} that has firewall rules applied to it.
|
||||
* @throws ServerExchangeRejectedException when a rule is broken.
|
||||
*/
|
||||
Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange);
|
||||
|
||||
}
|
||||
+790
@@ -0,0 +1,790 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Predicate;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
|
||||
import org.springframework.http.server.reactive.ServerHttpResponse;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.ServerWebExchangeDecorator;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* A strict implementation of {@link ServerWebExchangeFirewall} that rejects any
|
||||
* suspicious requests with a {@link ServerExchangeRejectedException}.
|
||||
* </p>
|
||||
* <p>
|
||||
* The following rules are applied to the firewall:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li>Rejects HTTP methods that are not allowed. This specified to block
|
||||
* <a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)">HTTP Verb
|
||||
* tampering and XST attacks</a>. See {@link #setAllowedHttpMethods(Collection)}</li>
|
||||
* <li>Rejects URLs that are not normalized to avoid bypassing security constraints. There
|
||||
* is no way to disable this as it is considered extremely risky to disable this
|
||||
* constraint. A few options to allow this behavior is to normalize the request prior to
|
||||
* the firewall or using
|
||||
* {@link org.springframework.security.web.firewall.DefaultHttpFirewall} instead. Please
|
||||
* keep in mind that normalizing the request is fragile and why requests are rejected
|
||||
* rather than normalized.</li>
|
||||
* <li>Rejects URLs that contain characters that are not printable ASCII characters. There
|
||||
* is no way to disable this as it is considered extremely risky to disable this
|
||||
* constraint.</li>
|
||||
* <li>Rejects URLs that contain semicolons. See {@link #setAllowSemicolon(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a URL encoded slash. See
|
||||
* {@link #setAllowUrlEncodedSlash(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a backslash. See {@link #setAllowBackSlash(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a null character. See {@link #setAllowNull(boolean)}</li>
|
||||
* <li>Rejects URLs that contain a URL encoded percent. See
|
||||
* {@link #setAllowUrlEncodedPercent(boolean)}</li>
|
||||
* <li>Rejects hosts that are not allowed. See {@link #setAllowedHostnames(Predicate)}
|
||||
* </li>
|
||||
* <li>Reject headers names that are not allowed. See
|
||||
* {@link #setAllowedHeaderNames(Predicate)}</li>
|
||||
* <li>Reject headers values that are not allowed. See
|
||||
* {@link #setAllowedHeaderValues(Predicate)}</li>
|
||||
* <li>Reject parameter names that are not allowed. See
|
||||
* {@link #setAllowedParameterNames(Predicate)}</li>
|
||||
* <li>Reject parameter values that are not allowed. See
|
||||
* {@link #setAllowedParameterValues(Predicate)}</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewall {
|
||||
|
||||
/**
|
||||
* Used to specify to {@link #setAllowedHttpMethods(Collection)} that any HTTP method
|
||||
* should be allowed.
|
||||
*/
|
||||
private static final Set<HttpMethod> ALLOW_ANY_HTTP_METHOD = Collections.emptySet();
|
||||
|
||||
private static final String ENCODED_PERCENT = "%25";
|
||||
|
||||
private static final String PERCENT = "%";
|
||||
|
||||
private static final List<String> FORBIDDEN_ENCODED_PERIOD = Collections
|
||||
.unmodifiableList(Arrays.asList("%2e", "%2E"));
|
||||
|
||||
private static final List<String> FORBIDDEN_SEMICOLON = Collections
|
||||
.unmodifiableList(Arrays.asList(";", "%3b", "%3B"));
|
||||
|
||||
private static final List<String> FORBIDDEN_FORWARDSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("%2f", "%2F"));
|
||||
|
||||
private static final List<String> FORBIDDEN_DOUBLE_FORWARDSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("//", "%2f%2f", "%2f%2F", "%2F%2f", "%2F%2F"));
|
||||
|
||||
private static final List<String> FORBIDDEN_BACKSLASH = Collections
|
||||
.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));
|
||||
|
||||
private static final List<String> FORBIDDEN_NULL = Collections.unmodifiableList(Arrays.asList("\0", "%00"));
|
||||
|
||||
private static final List<String> FORBIDDEN_LF = Collections.unmodifiableList(Arrays.asList("\n", "%0a", "%0A"));
|
||||
|
||||
private static final List<String> FORBIDDEN_CR = Collections.unmodifiableList(Arrays.asList("\r", "%0d", "%0D"));
|
||||
|
||||
private static final List<String> FORBIDDEN_LINE_SEPARATOR = Collections.unmodifiableList(Arrays.asList("\u2028"));
|
||||
|
||||
private static final List<String> FORBIDDEN_PARAGRAPH_SEPARATOR = Collections
|
||||
.unmodifiableList(Arrays.asList("\u2029"));
|
||||
|
||||
private Set<String> encodedUrlBlocklist = new HashSet<>();
|
||||
|
||||
private Set<String> decodedUrlBlocklist = new HashSet<>();
|
||||
|
||||
private Set<HttpMethod> allowedHttpMethods = createDefaultAllowedHttpMethods();
|
||||
|
||||
private Predicate<String> allowedHostnames = (hostname) -> true;
|
||||
|
||||
private static final Pattern ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN = Pattern
|
||||
.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
|
||||
|
||||
private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (
|
||||
s) -> ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
|
||||
|
||||
private static final Pattern HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]||\\t]]*");
|
||||
|
||||
private static final Predicate<String> HEADER_VALUE_PREDICATE = (s) -> s == null
|
||||
|| HEADER_VALUE_PATTERN.matcher(s).matches();
|
||||
|
||||
private Predicate<String> allowedHeaderNames = ALLOWED_HEADER_NAMES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_HEADER_NAMES = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedHeaderValues = ALLOWED_HEADER_VALUES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_HEADER_VALUES = HEADER_VALUE_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedParameterNames = ALLOWED_PARAMETER_NAMES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_PARAMETER_NAMES = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
|
||||
|
||||
private Predicate<String> allowedParameterValues = ALLOWED_PARAMETER_VALUES;
|
||||
|
||||
public static final Predicate<String> ALLOWED_PARAMETER_VALUES = (value) -> true;
|
||||
|
||||
public StrictServerWebExchangeFirewall() {
|
||||
urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
|
||||
urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
|
||||
urlBlocklistsAddAll(FORBIDDEN_NULL);
|
||||
urlBlocklistsAddAll(FORBIDDEN_LF);
|
||||
urlBlocklistsAddAll(FORBIDDEN_CR);
|
||||
|
||||
this.encodedUrlBlocklist.add(ENCODED_PERCENT);
|
||||
this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
this.decodedUrlBlocklist.add(PERCENT);
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
|
||||
public Set<String> getEncodedUrlBlocklist() {
|
||||
return this.encodedUrlBlocklist;
|
||||
}
|
||||
|
||||
public Set<String> getDecodedUrlBlocklist() {
|
||||
return this.decodedUrlBlocklist;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange) {
|
||||
return Mono.fromCallable(() -> {
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
rejectForbiddenHttpMethod(request);
|
||||
rejectedBlocklistedUrls(request);
|
||||
rejectedUntrustedHosts(request);
|
||||
if (!isNormalized(request)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL was not normalized");
|
||||
}
|
||||
|
||||
exchange.getResponse().beforeCommit(() -> Mono.fromRunnable(() -> {
|
||||
ServerHttpResponse response = exchange.getResponse();
|
||||
HttpHeaders headers = response.getHeaders();
|
||||
for (Map.Entry<String, List<String>> header : headers.entrySet()) {
|
||||
String headerName = header.getKey();
|
||||
List<String> headerValues = header.getValue();
|
||||
for (String headerValue : headerValues) {
|
||||
validateCrlf(headerName, headerValue);
|
||||
}
|
||||
}
|
||||
}));
|
||||
return new StrictFirewallServerWebExchange(exchange);
|
||||
});
|
||||
}
|
||||
|
||||
private static void validateCrlf(String name, String value) {
|
||||
Assert.isTrue(!hasCrlf(name) && !hasCrlf(value), () -> "Invalid characters (CR/LF) in header " + name);
|
||||
}
|
||||
|
||||
private static boolean hasCrlf(String value) {
|
||||
return value != null && (value.indexOf('\n') != -1 || value.indexOf('\r') != -1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets if any HTTP method is allowed. If this set to true, then no validation on the
|
||||
* HTTP method will be performed. This can open the application up to
|
||||
* <a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)"> HTTP
|
||||
* Verb tampering and XST attacks</a>
|
||||
* @param unsafeAllowAnyHttpMethod if true, disables HTTP method validation, else
|
||||
* resets back to the defaults. Default is false.
|
||||
* @since 5.1
|
||||
* @see #setAllowedHttpMethods(Collection)
|
||||
*/
|
||||
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod) {
|
||||
this.allowedHttpMethods = unsafeAllowAnyHttpMethod ? ALLOW_ANY_HTTP_METHOD : createDefaultAllowedHttpMethods();
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which HTTP methods should be allowed. The default is to allow "DELETE",
|
||||
* "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
|
||||
* </p>
|
||||
* @param allowedHttpMethods the case-sensitive collection of HTTP methods that are
|
||||
* allowed.
|
||||
* @since 5.1
|
||||
* @see #setUnsafeAllowAnyHttpMethod(boolean)
|
||||
*/
|
||||
public void setAllowedHttpMethods(Collection<HttpMethod> allowedHttpMethods) {
|
||||
Assert.notNull(allowedHttpMethods, "allowedHttpMethods cannot be null");
|
||||
this.allowedHttpMethods = (allowedHttpMethods != ALLOW_ANY_HTTP_METHOD) ? new HashSet<>(allowedHttpMethods)
|
||||
: ALLOW_ANY_HTTP_METHOD;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
|
||||
* is to disable this behavior because it is a common way of attempting to perform
|
||||
* <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File
|
||||
* Download Attacks</a>. It is also the source of many exploits which bypass URL based
|
||||
* security.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, the following CVEs are a subset of the issues related to ambiguities
|
||||
* in the Servlet Specification on how to treat semicolons that led to CVEs:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
|
||||
* <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
|
||||
* <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
|
||||
* </ul>
|
||||
*
|
||||
* <p>
|
||||
* If you are wanting to allow semicolons, please reconsider as it is a very common
|
||||
* source of security bypasses. A few common reasons users want semicolons and
|
||||
* alternatives are listed below:
|
||||
* </p>
|
||||
* <ul>
|
||||
* <li>Including the JSESSIONID in the path - You should not include session id (or
|
||||
* any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
|
||||
* </li>
|
||||
* <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
|
||||
* using HTTP parameters instead.</li>
|
||||
* </ul>
|
||||
* @param allowSemicolon should semicolons be allowed in the URL. Default is false
|
||||
*/
|
||||
public void setAllowSemicolon(boolean allowSemicolon) {
|
||||
if (allowSemicolon) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_SEMICOLON);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
|
||||
* or not. The default is to not allow this behavior because it is a common way to
|
||||
* bypass URL based security.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification, the value is not
|
||||
* parsed consistently which results in different values in {@code HttpServletRequest}
|
||||
* path related values which allow bypassing certain security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedSlash should a slash "/" that is URL encoded "%2F" be allowed
|
||||
* in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) {
|
||||
if (allowUrlEncodedSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_FORWARDSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in
|
||||
* the path or not. The default is to not allow.
|
||||
* </p>
|
||||
* @param allowUrlEncodedDoubleSlash should a slash "//" that is URL encoded "%2F%2F"
|
||||
* be allowed in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash) {
|
||||
if (allowUrlEncodedDoubleSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a period "." that is URL encoded "%2E" should be allowed in the path
|
||||
* or not. The default is to not allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification a URL encoded period
|
||||
* might lead to bypassing security constraints through a directory traversal attack.
|
||||
* This is because the path is not parsed consistently which results in different
|
||||
* values in {@code HttpServletRequest} path related values which allow bypassing
|
||||
* certain security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedPeriod should a period "." that is URL encoded "%2E" be
|
||||
* allowed in the path or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) {
|
||||
if (allowUrlEncodedPeriod) {
|
||||
this.encodedUrlBlocklist.removeAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
}
|
||||
else {
|
||||
this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
|
||||
* the path or not. The default is not to allow this behavior because it is a frequent
|
||||
* source of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, due to ambiguities in the servlet specification a URL encoded period
|
||||
* might lead to bypassing security constraints through a directory traversal attack.
|
||||
* This is because the path is not parsed consistently which results in different
|
||||
* values in {@code HttpServletRequest} path related values which allow bypassing
|
||||
* certain security constraints.
|
||||
* </p>
|
||||
* @param allowBackSlash a backslash "\" or a URL encoded backslash "%5C" be allowed
|
||||
* in the path or not. Default is false
|
||||
*/
|
||||
public void setAllowBackSlash(boolean allowBackSlash) {
|
||||
if (allowBackSlash) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_BACKSLASH);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path
|
||||
* or not. The default is not to allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* @param allowNull a null "\0" or a URL encoded null "%00" be allowed in the path or
|
||||
* not. Default is false
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setAllowNull(boolean allowNull) {
|
||||
if (allowNull) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_NULL);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_NULL);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
|
||||
* or not. The default is not to allow this behavior because it is a frequent source
|
||||
* of security exploits.
|
||||
* </p>
|
||||
* <p>
|
||||
* For example, this can lead to exploits that involve double URL encoding that lead
|
||||
* to bypassing security constraints.
|
||||
* </p>
|
||||
* @param allowUrlEncodedPercent if a percent "%" that is URL encoded "%25" should be
|
||||
* allowed in the path or not. Default is false
|
||||
*/
|
||||
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) {
|
||||
if (allowUrlEncodedPercent) {
|
||||
this.encodedUrlBlocklist.remove(ENCODED_PERCENT);
|
||||
this.decodedUrlBlocklist.remove(PERCENT);
|
||||
}
|
||||
else {
|
||||
this.encodedUrlBlocklist.add(ENCODED_PERCENT);
|
||||
this.decodedUrlBlocklist.add(PERCENT);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded Carriage Return is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedCarriageReturn if URL encoded Carriage Return is allowed in
|
||||
* the URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn) {
|
||||
if (allowUrlEncodedCarriageReturn) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_CR);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_CR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded Line Feed is allowed in the path or not. The default is
|
||||
* not to allow this behavior because it is a frequent source of security exploits.
|
||||
* @param allowUrlEncodedLineFeed if URL encoded Line Feed is allowed in the URL or
|
||||
* not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed) {
|
||||
if (allowUrlEncodedLineFeed) {
|
||||
urlBlocklistsRemoveAll(FORBIDDEN_LF);
|
||||
}
|
||||
else {
|
||||
urlBlocklistsAddAll(FORBIDDEN_LF);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded paragraph separator is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedParagraphSeparator if URL encoded paragraph separator is
|
||||
* allowed in the URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedParagraphSeparator(boolean allowUrlEncodedParagraphSeparator) {
|
||||
if (allowUrlEncodedParagraphSeparator) {
|
||||
this.decodedUrlBlocklist.removeAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
else {
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a URL encoded line separator is allowed in the path or not. The
|
||||
* default is not to allow this behavior because it is a frequent source of security
|
||||
* exploits.
|
||||
* @param allowUrlEncodedLineSeparator if URL encoded line separator is allowed in the
|
||||
* URL or not. Default is false.
|
||||
*/
|
||||
public void setAllowUrlEncodedLineSeparator(boolean allowUrlEncodedLineSeparator) {
|
||||
if (allowUrlEncodedLineSeparator) {
|
||||
this.decodedUrlBlocklist.removeAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
}
|
||||
else {
|
||||
this.decodedUrlBlocklist.addAll(FORBIDDEN_LINE_SEPARATOR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which header names should be allowed. The default is to reject header
|
||||
* names that contain ISO control characters and characters that are not defined.
|
||||
* </p>
|
||||
* @param allowedHeaderNames the predicate for testing header names
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedHeaderNames(Predicate<String> allowedHeaderNames) {
|
||||
Assert.notNull(allowedHeaderNames, "allowedHeaderNames cannot be null");
|
||||
this.allowedHeaderNames = allowedHeaderNames;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which header values should be allowed. The default is to reject header
|
||||
* values that contain ISO control characters and characters that are not defined.
|
||||
* </p>
|
||||
* @param allowedHeaderValues the predicate for testing hostnames
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedHeaderValues(Predicate<String> allowedHeaderValues) {
|
||||
Assert.notNull(allowedHeaderValues, "allowedHeaderValues cannot be null");
|
||||
this.allowedHeaderValues = allowedHeaderValues;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines which parameter names should be allowed. The default is to reject header
|
||||
* names that contain ISO control characters and characters that are not defined.
|
||||
* @param allowedParameterNames the predicate for testing parameter names
|
||||
* @since 5.4
|
||||
* @see Character#isISOControl(int)
|
||||
* @see Character#isDefined(int)
|
||||
*/
|
||||
public void setAllowedParameterNames(Predicate<String> allowedParameterNames) {
|
||||
Assert.notNull(allowedParameterNames, "allowedParameterNames cannot be null");
|
||||
this.allowedParameterNames = allowedParameterNames;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which parameter values should be allowed. The default is to allow any
|
||||
* parameter value.
|
||||
* </p>
|
||||
* @param allowedParameterValues the predicate for testing parameter values
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setAllowedParameterValues(Predicate<String> allowedParameterValues) {
|
||||
Assert.notNull(allowedParameterValues, "allowedParameterValues cannot be null");
|
||||
this.allowedParameterValues = allowedParameterValues;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Determines which hostnames should be allowed. The default is to allow any hostname.
|
||||
* </p>
|
||||
* @param allowedHostnames the predicate for testing hostnames
|
||||
* @since 5.2
|
||||
*/
|
||||
public void setAllowedHostnames(Predicate<String> allowedHostnames) {
|
||||
Assert.notNull(allowedHostnames, "allowedHostnames cannot be null");
|
||||
this.allowedHostnames = allowedHostnames;
|
||||
}
|
||||
|
||||
private void urlBlocklistsAddAll(Collection<String> values) {
|
||||
this.encodedUrlBlocklist.addAll(values);
|
||||
this.decodedUrlBlocklist.addAll(values);
|
||||
}
|
||||
|
||||
private void urlBlocklistsRemoveAll(Collection<String> values) {
|
||||
this.encodedUrlBlocklist.removeAll(values);
|
||||
this.decodedUrlBlocklist.removeAll(values);
|
||||
}
|
||||
|
||||
private void rejectNonPrintableAsciiCharactersInFieldName(String toCheck, String propertyName) {
|
||||
if (!containsOnlyPrintableAsciiCharacters(toCheck)) {
|
||||
throw new ServerExchangeRejectedException(String
|
||||
.format("The %s was rejected because it can only contain printable ASCII characters.", propertyName));
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectForbiddenHttpMethod(ServerHttpRequest request) {
|
||||
if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
|
||||
return;
|
||||
}
|
||||
if (!this.allowedHttpMethods.contains(request.getMethod())) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the HTTP method \"" + request.getMethod()
|
||||
+ "\" was not included within the list of allowed HTTP methods " + this.allowedHttpMethods);
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectedBlocklistedUrls(ServerHttpRequest request) {
|
||||
for (String forbidden : this.encodedUrlBlocklist) {
|
||||
if (encodedUrlContains(request, forbidden)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL contained a potentially malicious String \""
|
||||
+ forbidden + "\"");
|
||||
}
|
||||
}
|
||||
for (String forbidden : this.decodedUrlBlocklist) {
|
||||
if (decodedUrlContains(request, forbidden)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the URL contained a potentially malicious String \""
|
||||
+ forbidden + "\"");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void rejectedUntrustedHosts(ServerHttpRequest request) {
|
||||
String hostName = request.getURI().getHost();
|
||||
if (hostName != null && !this.allowedHostnames.test(hostName)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the domain " + hostName + " is untrusted.");
|
||||
}
|
||||
}
|
||||
|
||||
private static Set<HttpMethod> createDefaultAllowedHttpMethods() {
|
||||
Set<HttpMethod> result = new HashSet<>();
|
||||
result.add(HttpMethod.DELETE);
|
||||
result.add(HttpMethod.GET);
|
||||
result.add(HttpMethod.HEAD);
|
||||
result.add(HttpMethod.OPTIONS);
|
||||
result.add(HttpMethod.PATCH);
|
||||
result.add(HttpMethod.POST);
|
||||
result.add(HttpMethod.PUT);
|
||||
return result;
|
||||
}
|
||||
|
||||
private boolean isNormalized(ServerHttpRequest request) {
|
||||
if (!isNormalized(request.getPath().value())) {
|
||||
return false;
|
||||
}
|
||||
if (!isNormalized(request.getURI().getRawPath())) {
|
||||
return false;
|
||||
}
|
||||
if (!isNormalized(request.getURI().getPath())) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private void validateAllowedHeaderName(String headerNames) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedHeaderNames.test(headerNames)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the header name \"" + headerNames + "\" is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedHeaderValue(Object key, String value) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedHeaderValues.test(value)) {
|
||||
throw new ServerExchangeRejectedException("The request was rejected because the header: \"" + key
|
||||
+ " \" has a value \"" + value + "\" that is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedParameterName(String name) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedParameterNames.test(name)) {
|
||||
throw new ServerExchangeRejectedException(
|
||||
"The request was rejected because the parameter name \"" + name + "\" is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private void validateAllowedParameterValue(String name, String value) {
|
||||
if (!StrictServerWebExchangeFirewall.this.allowedParameterValues.test(value)) {
|
||||
throw new ServerExchangeRejectedException("The request was rejected because the parameter: \"" + name
|
||||
+ " \" has a value \"" + value + "\" that is not allowed.");
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean encodedUrlContains(ServerHttpRequest request, String value) {
|
||||
if (valueContains(request.getPath().value(), value)) {
|
||||
return true;
|
||||
}
|
||||
return valueContains(request.getURI().getRawPath(), value);
|
||||
}
|
||||
|
||||
private static boolean decodedUrlContains(ServerHttpRequest request, String value) {
|
||||
return valueContains(request.getURI().getPath(), value);
|
||||
}
|
||||
|
||||
private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
|
||||
if (uri == null) {
|
||||
return true;
|
||||
}
|
||||
int length = uri.length();
|
||||
for (int i = 0; i < length; i++) {
|
||||
char ch = uri.charAt(i);
|
||||
if (ch < '\u0020' || ch > '\u007e') {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private static boolean valueContains(String value, String contains) {
|
||||
return value != null && value.contains(contains);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether a path is normalized (doesn't contain path traversal sequences like
|
||||
* "./", "/../" or "/.")
|
||||
* @param path the path to test
|
||||
* @return true if the path doesn't contain any path-traversal character sequences.
|
||||
*/
|
||||
private static boolean isNormalized(String path) {
|
||||
if (path == null) {
|
||||
return true;
|
||||
}
|
||||
for (int i = path.length(); i > 0;) {
|
||||
int slashIndex = path.lastIndexOf('/', i - 1);
|
||||
int gap = i - slashIndex;
|
||||
if (gap == 2 && path.charAt(slashIndex + 1) == '.') {
|
||||
return false; // ".", "/./" or "/."
|
||||
}
|
||||
if (gap == 3 && path.charAt(slashIndex + 1) == '.' && path.charAt(slashIndex + 2) == '.') {
|
||||
return false;
|
||||
}
|
||||
i = slashIndex;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private final class StrictFirewallServerWebExchange extends ServerWebExchangeDecorator {
|
||||
|
||||
private StrictFirewallServerWebExchange(ServerWebExchange delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ServerHttpRequest getRequest() {
|
||||
return new StrictFirewallHttpRequest(super.getRequest());
|
||||
}
|
||||
|
||||
private final class StrictFirewallHttpRequest extends ServerHttpRequestDecorator {
|
||||
|
||||
private StrictFirewallHttpRequest(ServerHttpRequest delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public HttpHeaders getHeaders() {
|
||||
return new StrictFirewallHttpHeaders(super.getHeaders());
|
||||
}
|
||||
|
||||
@Override
|
||||
public MultiValueMap<String, String> getQueryParams() {
|
||||
MultiValueMap<String, String> queryParams = super.getQueryParams();
|
||||
for (Map.Entry<String, List<String>> paramEntry : queryParams.entrySet()) {
|
||||
String paramName = paramEntry.getKey();
|
||||
validateAllowedParameterName(paramName);
|
||||
for (String paramValue : paramEntry.getValue()) {
|
||||
validateAllowedParameterValue(paramName, paramValue);
|
||||
}
|
||||
}
|
||||
return queryParams;
|
||||
}
|
||||
|
||||
private final class StrictFirewallHttpHeaders extends HttpHeaders {
|
||||
|
||||
private StrictFirewallHttpHeaders(HttpHeaders delegate) {
|
||||
super(delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getFirst(String headerName) {
|
||||
validateAllowedHeaderName(headerName);
|
||||
String headerValue = super.getFirst(headerName);
|
||||
validateAllowedHeaderValue(headerName, headerValue);
|
||||
return headerValue;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> get(Object key) {
|
||||
if (key instanceof String headerName) {
|
||||
validateAllowedHeaderName(headerName);
|
||||
}
|
||||
List<String> headerValues = super.get(key);
|
||||
if (headerValues == null) {
|
||||
return headerValues;
|
||||
}
|
||||
for (String headerValue : headerValues) {
|
||||
validateAllowedHeaderValue(key, headerValue);
|
||||
}
|
||||
return headerValues;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<String> keySet() {
|
||||
Set<String> headerNames = super.keySet();
|
||||
for (String headerName : headerNames) {
|
||||
validateAllowedHeaderName(headerName);
|
||||
}
|
||||
return headerNames;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
+76
@@ -27,12 +27,16 @@ import org.junit.jupiter.api.Test;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.security.web.server.ObservationWebFilterChainDecorator.WebFilterChainObservationContext;
|
||||
import org.springframework.security.web.server.ObservationWebFilterChainDecorator.WebFilterChainObservationConvention;
|
||||
import org.springframework.security.web.server.ObservationWebFilterChainDecorator.WebFilterObservation;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
|
||||
import org.springframework.security.web.server.firewall.ServerExchangeRejectedHandler;
|
||||
import org.springframework.security.web.server.firewall.ServerWebExchangeFirewall;
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
|
||||
import org.springframework.test.web.reactive.server.WebTestClient;
|
||||
@@ -48,6 +52,7 @@ import static org.mockito.Mockito.atLeastOnce;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -143,6 +148,77 @@ public class WebFilterChainProxyTests {
|
||||
assertFilterChainObservation(contexts.next(), "before", 1);
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenFirewallThenBadRequest() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
WebTestClient.bindToController(new Object())
|
||||
.webFilter(filter)
|
||||
.build()
|
||||
.method(HttpMethod.valueOf("INVALID"))
|
||||
.exchange()
|
||||
.expectStatus()
|
||||
.isBadRequest();
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenCustomFirewallThenInvoked() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
ServerWebExchangeFirewall firewall = mock(ServerWebExchangeFirewall.class);
|
||||
filter.setFirewall(firewall);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
WebTestClient.bindToController(new Object()).webFilter(filter).build().get().exchange();
|
||||
verify(firewall).getFirewalledExchange(any());
|
||||
verifyNoInteractions(handler);
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenCustomExchangeRejectedHandlerThenInvoked() {
|
||||
List<WebFilter> filters = Arrays.asList(new Http200WebFilter());
|
||||
ServerWebExchangeMatcher notMatch = (exchange) -> MatchResult.notMatch();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(notMatch, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
ServerWebExchangeFirewall firewall = mock(ServerWebExchangeFirewall.class);
|
||||
given(firewall.getFirewalledExchange(any()))
|
||||
.willReturn(Mono.error(new ServerExchangeRejectedException("Oops")));
|
||||
filter.setFirewall(firewall);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
WebTestClient.bindToController(new Object()).webFilter(filter).build().get().exchange();
|
||||
verify(firewall).getFirewalledExchange(any());
|
||||
verify(handler).handle(any(), any());
|
||||
}
|
||||
|
||||
@Test
|
||||
void doFilterWhenDelayedServerExchangeRejectedException() {
|
||||
List<WebFilter> filters = Arrays.asList(new WebFilter() {
|
||||
@Override
|
||||
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
|
||||
// simulate a delayed error (e.g. reading parameters)
|
||||
return Mono.error(new ServerExchangeRejectedException("Ooops"));
|
||||
}
|
||||
});
|
||||
ServerWebExchangeMatcher match = (exchange) -> MatchResult.match();
|
||||
MatcherSecurityWebFilterChain chain = new MatcherSecurityWebFilterChain(match, filters);
|
||||
WebFilterChainProxy filter = new WebFilterChainProxy(chain);
|
||||
ServerExchangeRejectedHandler handler = mock(ServerExchangeRejectedHandler.class);
|
||||
filter.setExchangeRejectedHandler(handler);
|
||||
// @formatter:off
|
||||
WebTestClient.bindToController(new Object())
|
||||
.webFilter(filter)
|
||||
.build()
|
||||
.get()
|
||||
.exchange();
|
||||
// @formatter:on
|
||||
verify(handler).handle(any(), any());
|
||||
}
|
||||
|
||||
static void assertFilterChainObservation(Observation.Context context, String filterSection, int chainPosition) {
|
||||
assertThat(context).isInstanceOf(WebFilterChainObservationContext.class);
|
||||
WebFilterChainObservationContext filterChainObservationContext = (WebFilterChainObservationContext) context;
|
||||
|
||||
+516
@@ -0,0 +1,516 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.firewall;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.ResponseCookie;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link StrictServerWebExchangeFirewall}.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 6.4
|
||||
*/
|
||||
class StrictServerWebExchangeFirewallTests {
|
||||
|
||||
public String[] unnormalizedPaths = { "http://exploit.example/..", "http://exploit.example/./path/",
|
||||
"http://exploit.example/path/path/.", "http://exploit.example/path/path//.",
|
||||
"http://exploit.example/./path/../path//.", "http://exploit.example/./path",
|
||||
"http://exploit.example/.//path", "http://exploit.example/.", "http://exploit.example//path",
|
||||
"http://exploit.example//path/path", "http://exploit.example//path//path",
|
||||
"http://exploit.example/path//path" };
|
||||
|
||||
private StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall();
|
||||
|
||||
private MockServerHttpRequest.BaseBuilder<?> request = get("/");
|
||||
|
||||
@Test
|
||||
void cookieWhenHasNewLineThenThrowsException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> ResponseCookie.from("test").value("Something\nhere").build());
|
||||
}
|
||||
|
||||
@Test
|
||||
void cookieWhenHasLineFeedThenThrowsException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> ResponseCookie.from("test").value("Something\rhere").build());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenValueHasNewLineThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("FOO", "new\nline");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenValueHasLineFeedThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("FOO", "line\rfeed");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenNameHasNewLineThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("new\nline", "FOO");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void responseHeadersWhenNameHasLineFeedThenThrowsException() {
|
||||
this.request = MockServerHttpRequest.get("/");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
exchange.getResponse().getHeaders().set("line\rfeed", "FOO");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> exchange.getResponse().setComplete().block());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenInvalidMethodThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.valueOf("INVALID"), "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
private ServerWebExchange getFirewalledExchange() {
|
||||
MockServerWebExchange exchange = MockServerWebExchange.from(this.request.build());
|
||||
return this.firewall.getFirewalledExchange(exchange).block();
|
||||
}
|
||||
|
||||
private MockServerHttpRequest.BodyBuilder get(String uri) {
|
||||
URI url = URI.create(uri);
|
||||
return MockServerHttpRequest.method(HttpMethod.GET, url);
|
||||
}
|
||||
|
||||
// blocks XST attacks
|
||||
@Test
|
||||
void getFirewalledExchangeWhenTraceMethodThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.TRACE, "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
// blocks XST attack if request is forwarded to a Microsoft IIS web server
|
||||
void getFirewalledExchangeWhenTrackMethodThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.TRACE, "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
// HTTP methods are case sensitive
|
||||
void getFirewalledExchangeWhenLowercaseGetThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.valueOf("get"), "/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowedThenNoException() {
|
||||
List<String> allowedMethods = Arrays.asList("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT");
|
||||
for (String allowedMethod : allowedMethods) {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.valueOf(allowedMethod), "/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenInvalidMethodAndAnyMethodThenNoException() {
|
||||
this.firewall.setUnsafeAllowAnyHttpMethod(true);
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.valueOf("INVALID"), "/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenURINotNormalizedThenThrowsServerExchangeRejectedException() {
|
||||
for (String path : this.unnormalizedPaths) {
|
||||
this.request = get(path);
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.describedAs("The path '" + path + "' is not normalized")
|
||||
.isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/path;/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenEncodedSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/path%3B/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedSemicolonInRequestUriThenThrowsServerExchangeRejectedException() {
|
||||
this.request = MockServerHttpRequest.method(HttpMethod.GET, URI.create("/path%3b/"));
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path;/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenEncodedSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path%3B/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedSemicolonInRequestUriAndAllowSemicolonThenNoException() {
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/path%3b/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedPeriodInThenThrowsServerExchangeRejectedException() {
|
||||
this.request = get("/%2e/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowerboundAsciiThenNoException() {
|
||||
this.request = get("/%20");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUpperboundAsciiThenNoException() {
|
||||
this.request = get("/~");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenJapaneseCharacterThenNoException() {
|
||||
// FIXME: .method(HttpMethod.GET to .get and similar methods
|
||||
this.request = get("/\u3042");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsEncodedNullThenException() {
|
||||
this.request = get("/something%00/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedLineFeedThenException() {
|
||||
this.request = get("/something%0a/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedLineFeedThenException() {
|
||||
this.request = get("/something%0A/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedCarriageReturnThenException() {
|
||||
this.request = get("/something%0d/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedCarriageReturnThenException() {
|
||||
this.request = get("/something%0D/");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request = get("/something%0a/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request = get("/something%0A/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsLowercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request = get("/something%0d/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenContainsUppercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request = get("/something%0D/");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
/**
|
||||
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
|
||||
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC
|
||||
* will strip the ; content from requestURI before the path is URL decoded.
|
||||
*/
|
||||
@Test
|
||||
void getFirewalledExchangeWhenLowercaseEncodedPathThenException() {
|
||||
this.request = get("/context-root/a/b;%2f1/c");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenUppercaseEncodedPathThenException() {
|
||||
this.request = get("/context-root/a/b;%2F1/c");
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlEncodedSlashAndLowercaseEncodedPathThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/context-root/a/b;%2f1/c");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlEncodedSlashAndUppercaseEncodedPathThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowSemicolon(true);
|
||||
this.request = get("/context-root/a/b;%2F1/c");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlLowerCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2f%2fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlUpperCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2F%2Fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlLowerCaseAndUpperCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2f%2Fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenAllowUrlUpperCaseAndLowerCaseEncodedDoubleSlashThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.firewall.setAllowUrlEncodedDoubleSlash(true);
|
||||
this.request = get("/context-root/a/b%2F%2fc");
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenRemoveFromUpperCaseEncodedUrlBlocklistThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedSlash(true);
|
||||
this.request = get("/context-root/a/b%2Fc");
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F%2F"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenRemoveFromDecodedUrlBlocklistThenNoException() {
|
||||
this.request = get("/a/b%2F%2Fc");
|
||||
this.firewall.getDecodedUrlBlocklist().removeAll(Arrays.asList("//"));
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F%2F"));
|
||||
this.firewall.getEncodedUrlBlocklist().removeAll(Arrays.asList("%2F"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenTrustedDomainThenNoException() {
|
||||
this.request.header("Host", "example.org");
|
||||
this.firewall.setAllowedHostnames((hostname) -> hostname.equals("example.org"));
|
||||
getFirewalledExchange();
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenUntrustedDomainThenException() {
|
||||
this.request = get("https://example.org");
|
||||
this.firewall.setAllowedHostnames((hostname) -> hostname.equals("myexample.org"));
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> getFirewalledExchange());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNotAllowedHeaderNameThenException() {
|
||||
this.firewall.setAllowedHeaderNames((name) -> !name.equals("bad name"));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("bad name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenHeaderNameNotAllowedWithAugmentedHeaderNamesThenException() {
|
||||
this.firewall.setAllowedHeaderNames(
|
||||
StrictServerWebExchangeFirewall.ALLOWED_HEADER_NAMES.and((name) -> !name.equals("bad name")));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.getFirst("bad name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNotAllowedHeaderValueThenException() {
|
||||
this.request.header("good name", "bad value");
|
||||
this.firewall.setAllowedHeaderValues((value) -> !value.equals("bad value"));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("good name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeWhenHeaderValueNotAllowedWithAugmentedHeaderValuesThenException() {
|
||||
this.request.header("good name", "bad value");
|
||||
this.firewall.setAllowedHeaderValues(
|
||||
StrictServerWebExchangeFirewall.ALLOWED_HEADER_VALUES.and((value) -> !value.equals("bad value")));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("good name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetDateHeaderWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\0Name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenUndefinedCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\uFFFEName", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\uFFFEName"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeadersWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Bad\0Name"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderNamesWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.header("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.isThrownBy(() -> headers.keySet().iterator().next());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\0value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenHorizontalTabInHeaderValueThenNoException() {
|
||||
this.request.header("Something", "tab\tvalue");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThat(headers.getFirst("Something")).isEqualTo("tab\tvalue");
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenUndefinedCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\uFFFEvalue");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.isThrownBy(() -> headers.getFirst("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeadersWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.header("Something", "bad\0value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
HttpHeaders headers = exchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> headers.get("Something"));
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterWhenControlCharacterInParameterNameThenException() {
|
||||
this.request.queryParam("Bad\0Name", "some value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(request::getQueryParams);
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterValuesWhenNotAllowedInParameterValueThenException() {
|
||||
this.firewall.setAllowedParameterValues((value) -> !value.equals("bad value"));
|
||||
this.request.queryParam("Something", "bad value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> request.getQueryParams());
|
||||
}
|
||||
|
||||
@Test
|
||||
void getFirewalledExchangeGetParameterValuesWhenNotAllowedInParameterNameThenException() {
|
||||
this.firewall.setAllowedParameterNames((value) -> !value.equals("bad name"));
|
||||
this.request.queryParam("bad name", "good value");
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class).isThrownBy(() -> request.getQueryParams());
|
||||
}
|
||||
|
||||
// gh-9598
|
||||
@Test
|
||||
void getFirewalledExchangeGetHeaderWhenNameIsNullThenNull() {
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
assertThat(exchange.getRequest().getHeaders().get(null)).isNull();
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user