From f5acb2ee334d3b1c431e3520ebe748a4c7253312 Mon Sep 17 00:00:00 2001
From: Oliver Drotbohm
Date: Tue, 12 Sep 2023 14:20:34 +0200
Subject: [PATCH] GH-441 - Adapt to changes in Spring Security.

We need to use a MvcRequestMatcher now to avoid problems if multiple servlets are deployed (in case of H2 for example).
https://github.com/spring-projects/spring-security/issues/13568#issuecomment-1650288805
---
 .../SalespointWebSecurityConfiguration.java | 12 ++++++++++--
 .../ExampleControllerIntegrationTests.java | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java b/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java
index 165eb54f..23ce460a 100644
--- a/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java
+++ b/src/main/java/org/salespointframework/SalespointWebSecurityConfiguration.java
@@ -24,6 +24,8 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 /**
 * Basic Salespoint security configuration setting up the {@link AuthenticationManagerBuilder} to work with the
@@ -38,11 +40,17 @@ class SalespointWebSecurityConfiguration {
 @Bean
 @ConditionalOnWebApplication
- SecurityFilterChain filterChain(HttpSecurity security) throws Exception {
+ MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
+ return new MvcRequestMatcher.Builder(introspector).servletPath("/");
+ }
+
+ @Bean
+ @ConditionalOnWebApplication
+ SecurityFilterChain filterChain(HttpSecurity security, MvcRequestMatcher.Builder mvc) throws Exception {
 return security
 .userDetailsService(userDetailsService)
- .authorizeHttpRequests(http -> http.requestMatchers("/resources/**").permitAll())
+ .authorizeHttpRequests(http -> http.requestMatchers(mvc.pattern("/resources/**")).permitAll())
 .build();
 }
 }
diff --git a/src/test/java/example/ExampleControllerIntegrationTests.java b/src/test/java/example/ExampleControllerIntegrationTests.java
index 78ea8688..d9e2e703 100644
--- a/src/test/java/example/ExampleControllerIntegrationTests.java
+++ b/src/test/java/example/ExampleControllerIntegrationTests.java
@@ -27,8 +27,10 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 /**
 * Integration tests for sample components.
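Review bot: In `SalespointWebSecurityConfiguration` the new `mvc` bean pins `.servletPath("/")`, whereas the test configuration changed in this same commit builds its matcher with `new MvcRequestMatcher.Builder(introspector)` and no servlet path, so nothing in the patch exercises the matcher that production uses. As far as I know, `MvcRequestMatcher` compares a configured servlet path against `request.getServletPath()`, and for a `DispatcherServlet` registered as the default servlet that value is not `/`; if that holds here, `mvc.pattern("/resources/**")` would stop matching and the `permitAll()` rule would silently no longer apply. Please confirm with an integration test that runs against this `filterChain` bean and fetches a static resource anonymously while the second servlet is registered, or drop the servlet path so both builders agree. The chain also has no `anyRequest()` rule, so the policy for every other path stays implicit; a short comment above `filterChain` saying what protects those paths would help.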
@@ -51,16 +53,19 @@ class ExampleControllerIntegrationTests {
 static class Config {
 @Bean
- SecurityFilterChain testSecurity(HttpSecurity security) throws Exception {
+ SecurityFilterChain testSecurity(HttpSecurity security, HandlerMappingIntrospector introspector) throws Exception {
- return security.csrf().disable()
- .authorizeHttpRequests().requestMatchers("/**").permitAll()
- .and().build();
+ var mvc = new MvcRequestMatcher.Builder(introspector);
+
+ return security
+ .authorizeHttpRequests(it -> it.requestMatchers(mvc.pattern("/**")).permitAll()
+ .anyRequest().authenticated())
+ .csrf(it -> it.disable())
+ .build();
 }
 }
 @Test // #72
- @SuppressWarnings("resource")
 void usesUtf8ToDecodePayload() {
 var template = new RestTemplate();
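Review bot: `testSecurity` opens every path and turns CSRF protection off without saying why. A comment above the method such as `// Test-only: permits all requests and disables CSRF so the RestTemplate calls below need no login or token.` would mark the chain as unsuitable for application code; the stated reason is my reading of the test, so please confirm it. The added `.anyRequest().authenticated()` follows `mvc.pattern("/**")).permitAll()`, so it looks unreachable for any path that pattern covers; either drop it or narrow the permit rule to the endpoints the test actually calls. `usesUtf8ToDecodePayload` continues past the end of the hunk.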