Mark Observations with CSRF Failures

Closes gh-11993

Author: jzheaux

Diff for: config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -20,6 +20,7 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 
+import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
@@ -29,7 +30,9 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.access.CompositeAccessDeniedHandler;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
+import org.springframework.security.web.access.ObservationMarkingAccessDeniedHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
@@ -221,6 +224,11 @@ public void configure(H http) {
 			filter.setRequireCsrfProtectionMatcher(requireCsrfProtectionMatcher);
 		}
 		AccessDeniedHandler accessDeniedHandler = createAccessDeniedHandler(http);
+		ObservationRegistry registry = getObservationRegistry();
+		if (!registry.isNoop()) {
+			ObservationMarkingAccessDeniedHandler observable = new ObservationMarkingAccessDeniedHandler(registry);
+			accessDeniedHandler = new CompositeAccessDeniedHandler(observable, accessDeniedHandler);
+		}
 		if (accessDeniedHandler != null) {
 			filter.setAccessDeniedHandler(accessDeniedHandler);
 		}
@@ -331,6 +339,17 @@ private SessionAuthenticationStrategy getSessionAuthenticationStrategy() {
 		return csrfAuthenticationStrategy;
 	}
 
+	private ObservationRegistry getObservationRegistry() {
+		ApplicationContext context = getBuilder().getSharedObject(ApplicationContext.class);
+		String[] names = context.getBeanNamesForType(ObservationRegistry.class);
+		if (names.length == 1) {
+			return context.getBean(ObservationRegistry.class);
+		}
+		else {
+			return ObservationRegistry.NOOP;
+		}
+	}
+
 	/**
 	 * Allows registering {@link RequestMatcher} instances that should be ignored (even if
 	 * the {@link HttpServletRequest} matches the

Diff for: config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java

@@ -36,7 +36,9 @@
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.CompositeAccessDeniedHandler;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
+import org.springframework.security.web.access.ObservationMarkingAccessDeniedHandler;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
@@ -80,6 +82,8 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
 
 	private String requestHandlerRef;
 
+	private BeanMetadataElement observationRegistry;
+
 	@Override
 	public BeanDefinition parse(Element element, ParserContext pc) {
 		boolean disabled = element != null && "true".equals(element.getAttribute("disabled"));
@@ -160,7 +164,16 @@ private BeanMetadataElement createAccessDeniedHandler(BeanDefinition invalidSess
 				.rootBeanDefinition(DelegatingAccessDeniedHandler.class);
 		deniedBldr.addConstructorArgValue(handlers);
 		deniedBldr.addConstructorArgValue(defaultDeniedHandler);
-		return deniedBldr.getBeanDefinition();
+		BeanDefinition denied = deniedBldr.getBeanDefinition();
+		ManagedList compositeList = new ManagedList();
+		BeanDefinitionBuilder compositeBldr = BeanDefinitionBuilder
+				.rootBeanDefinition(CompositeAccessDeniedHandler.class);
+		BeanDefinition observing = BeanDefinitionBuilder.rootBeanDefinition(ObservationMarkingAccessDeniedHandler.class)
+				.addConstructorArgValue(this.observationRegistry).getBeanDefinition();
+		compositeList.add(denied);
+		compositeList.add(observing);
+		compositeBldr.addConstructorArgValue(compositeList);
+		return compositeBldr.getBeanDefinition();
 	}
 
 	BeanDefinition getCsrfAuthenticationStrategy() {
@@ -195,6 +208,10 @@ void setIgnoreCsrfRequestMatchers(List<BeanDefinition> requestMatchers) {
 		}
 	}
 
+	void setObservationRegistry(BeanMetadataElement observationRegistry) {
+		this.observationRegistry = observationRegistry;
+	}
+
 	private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
 
 		private final HashSet<String> allowedMethods = new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

Diff for: config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.ServletRequest;
 import org.w3c.dom.Element;
 
@@ -106,6 +107,8 @@ class HttpConfigurationBuilder {
 
 	private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
 
+	private static final String ATT_OBSERVATION_REGISTRY_REF = "observation-registry-ref";
+
 	private static final String ATT_SESSION_AUTH_STRATEGY_REF = "session-authentication-strategy-ref";
 
 	private static final String ATT_SESSION_AUTH_ERROR_URL = "session-authentication-error-url";
@@ -211,7 +214,7 @@ class HttpConfigurationBuilder {
 	private boolean addAllAuth;
 
 	HttpConfigurationBuilder(Element element, boolean addAllAuth, ParserContext pc, BeanReference portMapper,
-			BeanReference portResolver, BeanReference authenticationManager) {
+			BeanReference portResolver, BeanReference authenticationManager, BeanMetadataElement observationRegistry) {
 		this.httpElt = element;
 		this.addAllAuth = addAllAuth;
 		this.pc = pc;
@@ -226,7 +229,7 @@ class HttpConfigurationBuilder {
 		createSecurityContextHolderStrategy();
 		createForceEagerSessionCreationFilter();
 		createDisableEncodeUrlFilter();
-		createCsrfFilter();
+		createCsrfFilter(observationRegistry);
 		createSecurityPersistence();
 		createSessionManagementFilters();
 		createWebAsyncManagerFilter();
@@ -812,9 +815,10 @@ private void createDisableEncodeUrlFilter() {
 		}
 	}
 
-	private void createCsrfFilter() {
+	private void createCsrfFilter(BeanMetadataElement observationRegistry) {
 		Element elmt = DomUtils.getChildElementByTagName(this.httpElt, Elements.CSRF);
 		this.csrfParser = new CsrfBeanDefinitionParser();
+		this.csrfParser.setObservationRegistry(observationRegistry);
 		this.csrfFilter = this.csrfParser.parse(elmt, this.pc);
 		if (this.csrfFilter == null) {
 			this.csrfParser = null;
@@ -897,6 +901,14 @@ List<OrderDecorator> getFilters() {
 		return filters;
 	}
 
+	private static BeanMetadataElement getObservationRegistry(Element httpElmt) {
+		String holderStrategyRef = httpElmt.getAttribute(ATT_OBSERVATION_REGISTRY_REF);
+		if (StringUtils.hasText(holderStrategyRef)) {
+			return new RuntimeBeanReference(holderStrategyRef);
+		}
+		return BeanDefinitionBuilder.rootBeanDefinition(ObservationRegistryFactory.class).getBeanDefinition();
+	}
+
 	static class RoleVoterBeanFactory extends AbstractGrantedAuthorityDefaultsBeanFactory {
 
 		private RoleVoter voter = new RoleVoter();
@@ -944,4 +956,18 @@ public Class<?> getObjectType() {
 
 	}
 
+	static class ObservationRegistryFactory implements FactoryBean<ObservationRegistry> {
+
+		@Override
+		public ObservationRegistry getObject() throws Exception {
+			return ObservationRegistry.NOOP;
+		}
+
+		@Override
+		public Class<?> getObjectType() {
+			return ObservationRegistry.class;
+		}
+
+	}
+
 }

Diff for: config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -150,8 +150,9 @@ private BeanReference createFilterChain(Element element, ParserContext pc) {
 		ManagedList<BeanReference> authenticationProviders = new ManagedList<>();
 		BeanReference authenticationManager = createAuthenticationManager(element, pc, authenticationProviders);
 		boolean forceAutoConfig = isDefaultHttpConfig(element);
+		BeanMetadataElement observationRegistry = getObservationRegistry(element);
 		HttpConfigurationBuilder httpBldr = new HttpConfigurationBuilder(element, forceAutoConfig, pc, portMapper,
-				portResolver, authenticationManager);
+				portResolver, authenticationManager, observationRegistry);
 		httpBldr.getSecurityContextRepositoryForAuthenticationFilters();
 		AuthenticationConfigBuilder authBldr = new AuthenticationConfigBuilder(element, forceAutoConfig, pc,
 				httpBldr.getSessionCreationPolicy(), httpBldr.getRequestCache(), authenticationManager,

Diff for: web/src/main/java/org/springframework/security/web/access/CompositeAccessDeniedHandler.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.access;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.security.access.AccessDeniedException;
+
+public final class CompositeAccessDeniedHandler implements AccessDeniedHandler {
+
+	private Collection<AccessDeniedHandler> handlers;
+
+	public CompositeAccessDeniedHandler(AccessDeniedHandler... handlers) {
+		this(Arrays.asList(handlers));
+	}
+
+	public CompositeAccessDeniedHandler(Collection<AccessDeniedHandler> handlers) {
+		this.handlers = new ArrayList<>(handlers);
+	}
+
+	@Override
+	public void handle(HttpServletRequest request, HttpServletResponse response,
+			AccessDeniedException accessDeniedException) throws IOException, ServletException {
+		for (AccessDeniedHandler handler : this.handlers) {
+			handler.handle(request, response, accessDeniedException);
+		}
+	}
+
+}

Diff for: web/src/main/java/org/springframework/security/web/access/ObservationMarkingAccessDeniedHandler.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.access;
+
+import java.io.IOException;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationRegistry;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.security.access.AccessDeniedException;
+
+public final class ObservationMarkingAccessDeniedHandler implements AccessDeniedHandler {
+
+	private final ObservationRegistry registry;
+
+	public ObservationMarkingAccessDeniedHandler(ObservationRegistry registry) {
+		this.registry = registry;
+	}
+
+	@Override
+	public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exception)
+			throws IOException, ServletException {
+		Observation observation = this.registry.getCurrentObservation();
+		if (observation != null) {
+			observation.error(exception);
+		}
+	}
+
+}