
Print ignore message DefaultSecurityFilterChain #9526


Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -54,7 +54,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {

private ApplicationContext context;

private boolean anyRequestConfigured = false;
protected boolean anyRequestConfigured = false;

protected final void setApplicationContext(ApplicationContext context) {
this.context = context;
Expand Down Expand Up @@ -166,7 +166,8 @@ protected final List<MvcRequestMatcher> createMvcMatchers(HttpMethod method, Str
if (!this.context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
throw new NoSuchBeanDefinitionException("A Bean named " + HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME
+ " of type " + HandlerMappingIntrospector.class.getName()
+ " is required to use MvcRequestMatcher. Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
+ " is required to use MvcRequestMatcher."
+ " Please ensure Spring Security & Spring MVC are configured in a shared ApplicationContext.");
}
HandlerMappingIntrospector introspector = this.context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME,
HandlerMappingIntrospector.class);
Expand Down Expand Up @@ -266,7 +267,7 @@ public C requestMatchers(RequestMatcher... requestMatchers) {
* @author Rob Winch
* @since 3.2
*/
private static final class RequestMatchers {
public static final class RequestMatchers {

private RequestMatchers() {
}
Expand All @@ -279,7 +280,7 @@ private RequestMatchers() {
* from
* @return a {@link List} of {@link AntPathRequestMatcher} instances
*/
static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
public static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatterns) {
String method = (httpMethod != null) ? httpMethod.toString() : null;
List<RequestMatcher> matchers = new ArrayList<>();
for (String pattern : antPatterns) {
Expand All @@ -295,7 +296,7 @@ static List<RequestMatcher> antMatchers(HttpMethod httpMethod, String... antPatt
* from
* @return a {@link List} of {@link AntPathRequestMatcher} instances
*/
static List<RequestMatcher> antMatchers(String... antPatterns) {
public static List<RequestMatcher> antMatchers(String... antPatterns) {
return antMatchers(null, antPatterns);
}

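Review bot: Widening `anyRequestConfigured` from `private` to `protected` in the second hunk exposes a mutable guard flag: the `Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest")` checks that the `IgnoredRequestConfigurer` overloads add depend on the flag only ever moving to `true`, and any subclass can now reset it and bypass that guard. A read-only accessor, `protected final boolean isAnyRequestConfigured() { return this.anyRequestConfigured; }`, keeps the field private while giving subclasses what they need; the class body continues outside the hunk. Making the nested `RequestMatchers` class and both `antMatchers` overloads `public` also changes their documentation contract: the class Javadoc still says `@since 3.2` while the type only became public here, so add a `@since 5.5` line to the newly public class and methods and state in the class Javadoc that it is now intended for use outside this registry.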
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -17,6 +17,7 @@
package org.springframework.security.config.annotation.web.builders;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
Expand All @@ -29,6 +30,7 @@
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.SecurityExpressionHandler;
Expand All @@ -55,6 +57,7 @@
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.server.restriction.IgnoreRequestMatcher;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
Expand Down Expand Up @@ -101,7 +104,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,

private WebInvocationPrivilegeEvaluator privilegeEvaluator;

private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
private final DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();

private SecurityExpressionHandler<FilterInvocation> expressionHandler = this.defaultWebSecurityExpressionHandler;

Expand Down Expand Up @@ -373,6 +376,8 @@ public class IgnoredRequestConfigurer extends AbstractRequestMatcherRegistry<Ign
@Override
public MvcMatchersIgnoredRequestConfigurer mvcMatchers(HttpMethod method, String... mvcPatterns) {
List<MvcRequestMatcher> mvcMatchers = createMvcMatchers(method, mvcPatterns);
Arrays.asList(mvcPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
mvcMatchers.stream().forEach((t) -> t.ignore());
WebSecurity.this.ignoredRequests.addAll(mvcMatchers);
return new MvcMatchersIgnoredRequestConfigurer(getApplicationContext(), mvcMatchers);
}
Expand All @@ -382,6 +387,38 @@ public MvcMatchersIgnoredRequestConfigurer mvcMatchers(String... mvcPatterns) {
return mvcMatchers(null, mvcPatterns);
}

/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method) {
return antMatchers(method, "/**");
}

/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(HttpMethod method, String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(method, antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(method, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(antMatchers);
}

/**
* @since 5.5
*/
@Override
public IgnoredRequestConfigurer antMatchers(String... antPatterns) {
Assert.state(!this.anyRequestConfigured, "Can't configure antMatchers after anyRequest");
List<RequestMatcher> antMatchers = RequestMatchers.antMatchers(antPatterns);
Arrays.asList(antPatterns).stream().forEach((t) -> printWarnSecurityMessage(null, t));
antMatchers.stream().forEach((t) -> ((IgnoreRequestMatcher) t).ignore());
return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
}

@Override
protected IgnoredRequestConfigurer chainRequestMatchers(List<RequestMatcher> requestMatchers) {
WebSecurity.this.ignoredRequests.addAll(requestMatchers);
Expand All @@ -395,6 +432,33 @@ public WebSecurity and() {
return WebSecurity.this;
}

/**
* @param method the HttpMethod, it could be null too.
* @param pathPattern the path pattern to be ignored
* @since 5.5
*/
private void printWarnSecurityMessage(HttpMethod method, String pathPattern) {

This warning message may need to wait as there are numerous other scenarios to cover in order for that to be complete, e.g. regexMatchers, anyRequest(), and requestMatcher(AnyRequestMatcher.INSTANCE). It may be best to begin with the simplest case and do:

@Override
public IgnoredRequestConfigurer anyRequest() {
	WebSecurity.this.logger.warn("Applying explicit instruction to ignore all paths");
	WebSecurity.this.logger.warn("This disables Spring Security and is not recommended");
	return super.anyRequest();
}

This aligns with other configured code that guards usage of anyRequest() but does not also attempt to parse strings to discern the intent of the application. Later on, it may be possible for the code to be more intelligent without committing to an increased public API.

if (pathPattern.equals("/**")) {
WebSecurity.this.logger
.warn("**********************************************************************************");
if (method != null) {
WebSecurity.this.logger.warn(LogMessage.format(
"Applying explicit instruction to ignore the '/**' path for the HttpMethod: %s", method));
WebSecurity.this.logger.warn("You're disabling practically all the paths for that HttpMethod");
WebSecurity.this.logger
.warn("Therefore any path for that HttpMethod is completely ignored by Spring Security");
}
else {
WebSecurity.this.logger.warn("Applying explicit instruction to ignore the '/**' path");
WebSecurity.this.logger.warn("You're disabling practically all the paths");
WebSecurity.this.logger.warn("Therefore any path is completely ignored by Spring Security");
}
WebSecurity.this.logger.warn("It is not recomended for production");
WebSecurity.this.logger
.warn("**********************************************************************************");
}
}

}

}
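Review bot: `antMatchers(String... antPatterns)` ends with `return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));`, which builds a second, fresh list, so the matchers on which `ignore()` was just called are discarded and the ones actually registered never carry the ignore flag; return the local list instead, `return chainRequestMatchers(antMatchers);`, or mirror the `mvcMatchers(String...)` overload above and delegate with `return antMatchers(null, antPatterns);`, which also removes the duplicated `Assert.state` check. The cast `((IgnoreRequestMatcher) t).ignore()` in both `antMatchers` overloads assumes every matcher returned by `RequestMatchers.antMatchers` implements `IgnoreRequestMatcher`; unless that is guaranteed by the helper's declared return type, guard it with `instanceof` or narrow the helper's return type so the compiler enforces it rather than a runtime `ClassCastException`. Style: `Arrays.asList(antPatterns).stream().forEach((t) -> ...)` reads more simply as a for-each loop or `Arrays.stream(antPatterns)`, and `(t) -> t.ignore()` as `IgnoreRequestMatcher::ignore`. The warning text in `printWarnSecurityMessage` misspells "recommended" (`"It is not recomended for production"`), and `pathPattern.equals("/**")` will throw if a caller passes a null pattern, so `"/**".equals(pathPattern)` is the safer form.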