Simplify RequestMatcherDelegatingAuthorizationManager.Builder matcher registration

evgeniycheban · marcusdacoregio · commit 0cefb279280f · 2023-06-22T16:07:30.000-03:00
Closes gh-11624
diff --git a/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java b/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,15 +17,23 @@
 package org.springframework.security.authentication;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetails;
 
 /**
  * @author Rob Winch
+ * @author Evgeniy Cheban
  * @since 5.0
  */
 public class TestAuthentication extends PasswordEncodedUser {
 
+	private static final Authentication ANONYMOUS = new AnonymousAuthenticationToken("key", "anonymous",
+			AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+
+	private static final RememberMeAuthenticationToken REMEMBER_ME = new RememberMeAuthenticationToken("key", "user",
+			AuthorityUtils.createAuthorityList("ROLE_USER"));
+
 	public static Authentication authenticatedAdmin() {
 		return autheticated(admin());
 	}
@@ -38,4 +46,12 @@ public static Authentication autheticated(UserDetails user) {
 		return UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities());
 	}
 
+	public static Authentication anonymousUser() {
+		return ANONYMOUS;
+	}
+
+	public static Authentication rememberMeUser() {
+		return REMEMBER_ME;
+	}
+
 }
diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,9 +26,12 @@
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.log.LogMessage;
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher.MatchResult;
 import org.springframework.security.web.util.matcher.RequestMatcherEntry;
@@ -102,6 +105,8 @@ public static Builder builder() {
 	 */
 	public static final class Builder {
 
+		private boolean anyRequestConfigured;
+
 		private final List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings = new ArrayList<>();
 
 		/**
@@ -111,6 +116,7 @@ public static final class Builder {
 		 * @return the {@link Builder} for further customizations
 		 */
 		public Builder add(RequestMatcher matcher, AuthorizationManager<RequestAuthorizationContext> manager) {
+			Assert.state(!this.anyRequestConfigured, "Can't add mappings after anyRequest");
 			Assert.notNull(matcher, "matcher cannot be null");
 			Assert.notNull(manager, "manager cannot be null");
 			this.mappings.add(new RequestMatcherEntry<>(matcher, manager));
@@ -127,11 +133,34 @@ public Builder add(RequestMatcher matcher, AuthorizationManager<RequestAuthoriza
 		 */
 		public Builder mappings(
 				Consumer<List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>>> mappingsConsumer) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure mappings after anyRequest");
 			Assert.notNull(mappingsConsumer, "mappingsConsumer cannot be null");
 			mappingsConsumer.accept(this.mappings);
 			return this;
 		}
 
+		/**
+		 * Maps any request.
+		 * @return the {@link AuthorizedUrl} for further customizations
+		 * @since 6.2
+		 */
+		public AuthorizedUrl anyRequest() {
+			Assert.state(!this.anyRequestConfigured, "Can't configure anyRequest after itself");
+			this.anyRequestConfigured = true;
+			return new AuthorizedUrl(AnyRequestMatcher.INSTANCE);
+		}
+
+		/**
+		 * Maps {@link RequestMatcher}s to {@link AuthorizationManager}.
+		 * @param matchers the {@link RequestMatcher}s to map
+		 * @return the {@link AuthorizedUrl} for further customizations
+		 * @since 6.2
+		 */
+		public AuthorizedUrl requestMatchers(RequestMatcher... matchers) {
+			Assert.state(!this.anyRequestConfigured, "Can't configure requestMatchers after anyRequest");
+			return new AuthorizedUrl(matchers);
+		}
+
 		/**
 		 * Creates a {@link RequestMatcherDelegatingAuthorizationManager} instance.
 		 * @return the {@link RequestMatcherDelegatingAuthorizationManager} instance
@@ -140,6 +169,123 @@ public RequestMatcherDelegatingAuthorizationManager build() {
 			return new RequestMatcherDelegatingAuthorizationManager(this.mappings);
 		}
 
+		/**
+		 * An object that allows configuring the {@link AuthorizationManager} for
+		 * {@link RequestMatcher}s.
+		 *
+		 * @author Evgeniy Cheban
+		 * @since 6.2
+		 */
+		public final class AuthorizedUrl {
+
+			private final List<RequestMatcher> matchers;
+
+			private AuthorizedUrl(RequestMatcher... matchers) {
+				this(List.of(matchers));
+			}
+
+			private AuthorizedUrl(List<RequestMatcher> matchers) {
+				this.matchers = matchers;
+			}
+
+			/**
+			 * Specify that URLs are allowed by anyone.
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder permitAll() {
+				return access((a, o) -> new AuthorizationDecision(true));
+			}
+
+			/**
+			 * Specify that URLs are not allowed by anyone.
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder denyAll() {
+				return access((a, o) -> new AuthorizationDecision(false));
+			}
+
+			/**
+			 * Specify that URLs are allowed by any authenticated user.
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder authenticated() {
+				return access(AuthenticatedAuthorizationManager.authenticated());
+			}
+
+			/**
+			 * Specify that URLs are allowed by users who have authenticated and were not
+			 * "remembered".
+			 * @return the {@link Builder} for further customization
+			 */
+			public Builder fullyAuthenticated() {
+				return access(AuthenticatedAuthorizationManager.fullyAuthenticated());
+			}
+
+			/**
+			 * Specify that URLs are allowed by users that have been remembered.
+			 * @return the {@link Builder} for further customization
+			 */
+			public Builder rememberMe() {
+				return access(AuthenticatedAuthorizationManager.rememberMe());
+			}
+
+			/**
+			 * Specify that URLs are allowed by anonymous users.
+			 * @return the {@link Builder} for further customization
+			 */
+			public Builder anonymous() {
+				return access(AuthenticatedAuthorizationManager.anonymous());
+			}
+
+			/**
+			 * Specifies a user requires a role.
+			 * @param role the role that should be required which is prepended with ROLE_
+			 * automatically (i.e. USER, ADMIN, etc). It should not start with ROLE_
+			 * @return {@link Builder} for further customizations
+			 */
+			public Builder hasRole(String role) {
+				return access(AuthorityAuthorizationManager.hasRole(role));
+			}
+
+			/**
+			 * Specifies that a user requires one of many roles.
+			 * @param roles the roles that the user should have at least one of (i.e.
+			 * ADMIN, USER, etc). Each role should not start with ROLE_ since it is
+			 * automatically prepended already
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder hasAnyRole(String... roles) {
+				return access(AuthorityAuthorizationManager.hasAnyRole(roles));
+			}
+
+			/**
+			 * Specifies a user requires an authority.
+			 * @param authority the authority that should be required
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder hasAuthority(String authority) {
+				return access(AuthorityAuthorizationManager.hasAuthority(authority));
+			}
+
+			/**
+			 * Specifies that a user requires one of many authorities.
+			 * @param authorities the authorities that the user should have at least one
+			 * of (i.e. ROLE_USER, ROLE_ADMIN, etc)
+			 * @return the {@link Builder} for further customizations
+			 */
+			public Builder hasAnyAuthority(String... authorities) {
+				return access(AuthorityAuthorizationManager.hasAnyAuthority(authorities));
+			}
+
+			private Builder access(AuthorizationManager<RequestAuthorizationContext> manager) {
+				for (RequestMatcher matcher : this.matchers) {
+					Builder.this.mappings.add(new RequestMatcherEntry<>(matcher, manager));
+				}
+				return Builder.this;
+			}
+
+		}
+
 	}
 
 }
diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java
