Print ignore message DefaultSecurityFilterChain #9526
Conversation
When either `web.ignoring().mvcMatchers(...)` or `web.ignoring().antMatchers(...)` methods are used, for all their variations, the DefaultSecurityFilterChain class now indicates correctly through its ouput what paths are ignored according the `ignoring()` settings. Closes spring-projectsgh-9334
spring-projects-issues
added
the
status: waiting-for-triage
There was a problem hiding this comment.
Thanks for the PR, @manueljordan!
I'm hesitant to add this much code to support logging. In this PR, we should not:
- Increase the visibility of existing APIs
- Introduce new interfaces
I've left some additional feedback inline.
| @@ -48,7 +49,18 @@ public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filte | |||
| } | |||
|
|
|||
| public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) { | |||
| logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters)); | |||
| if (requestMatcher instanceof IgnoreRequestMatcher) { | |||
There was a problem hiding this comment.
Maybe we could start with something simpler like this:
if (filters.isEmpty()) {
logger.info(LogMessage.format("Will not secure %s", requestMatcher));
} else {
logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
}If Spring Security has no filters assigned to a given request matcher, then it's true that Spring Security will not be securing that request.
| * @param pathPattern the path pattern to be ignored | ||
| * @since 5.5 | ||
| */ | ||
| private void printWarnSecurityMessage(HttpMethod method, String pathPattern) { |
There was a problem hiding this comment.
This warning message may need to wait as there are numerous other scenarios to cover in order for that to be complete, e.g. regexMatchers, anyRequest(), and requestMatcher(AnyRequestMatcher.INSTANCE). It may be best to begin with the simplest case and do:
@Override
public IgnoredRequestConfigurer anyRequest() {
WebSecurity.this.logger.warn("Applying explicit instruction to ignore all paths");
WebSecurity.this.logger.warn("This disables Spring Security and is not recommended");
return super.anyRequest();
}This aligns with other configured code that guards usage of anyRequest() but does not also attempt to parse strings to discern the intent of the application. Later on, it may be possible for the code to be more intelligent without committing to an increased public API.
|
Hello @jzheaux Thanks for the quick reply
If I do that it breaks the DRY principle. The changes of visibility applies mostly for utils methods (static methods), here the situation is about the nested static class, it is tricky, I thought to move it to an outer/external class but I could be more problematic
I thought to work based on hierarchy (subclass), but since I did realize it applies only to 2 subclasses of the whole tree hierarchy, I took that decision, it opens the same option to ignore something if something new appears in the future, such as: somethingMatchers() About I thought the same, but - if my memory does not fail me in some scenarios the filters appears empty and not empty (yes, for ignoring()), so that approach was discarded, so the key is work with the
That working scenario only applies to For the other methods mentioned, they do not have a common interface to identity quickly if is for an ignore scenario or not. It is the problem from the beginning, there is no a quick way to know if a URL (path) is for ignoring or not. I am open to follow your guidance, you are the expert here. Consider remember, I am starting to play with this API practically from the scratch, and your vision is bigger than my current knowledge, but I explained the experiences and the decisions taken according each case |
|
@manueljordan, sorry for the delay. I'm getting back to this PR now.
Either that, or we need to simplify what we are trying to do. If we are changing the public API in this PR, we are probably trying to go too far too fast.
Either way, if there are no filters for a given request matcher, then requests that match are being effectively ignored. |
jzheaux
added
in: core
|
Hello @jzheaux
What do you suggest do here? You are the expert here - and I always take your suggestions friendly. I hope you take in the same way my thoughts. But according with my research in fix this, fall in break the DRY would be an option but you know ... break something like that is not wise ... it seems you want that I should split my current PR in more PRs covering each case by separate. Am I correct?
Your approach even if is valid - with my PR I am giving an important warning to the developer about security constraints that are being overriding and therefore exposing private things. Do you want split that warning messages how other PR? - something I like wrote in the previous sentence... Let me know your thoughts |
spring-projects-issues
added
status: feedback-provided
Thanks! The feeling is mutual -- I appreciate the effort you are putting in here.
I'd prefer we go with the comments I made in my review.
Agreed. I think it's reasonable to add an even stronger message: // ...
for (RequestMatcher ignoredRequest : this.ignoredRequests) {
WebSecurity.this.logger.warn("You are asking Spring Security to ignore " + matcher + ". This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.");
securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
}
// ...My point is not that we shouldn't warn, but that this PR should not introduce so much infra to facilitate logging. We should be able to add some sensible warnings without copy-pasting and without affecting the public API. |
jzheaux
added
status: waiting-for-feedback
|
@manueljordan Do you feel like you can make the changes requested? If not, no worries, I can add a polish commit. |
|
Due lack of time, please do it. Thanks for your understanding |
spring-projects-issues
added
status: feedback-provided
jzheaux
added
status: duplicate
When either
web.ignoring().mvcMatchers(...)orweb.ignoring().antMatchers(...)methods are used, for all theirvariations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
ignoring()settings.Closes gh-9334