diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
index 64249d7c80a..1c64bfec8f8 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
@@ -275,6 +275,12 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
     val authenticated: AuthorizationManager =
         AuthenticatedAuthorizationManager.authenticated()
 
+    /**
+     * Specify that URLs are allowed by users who have authenticated and were not "remembered".
+     */
+    val fullyAuthenticated: AuthorizationManager =
+        AuthenticatedAuthorizationManager.fullyAuthenticated()
+
     internal fun get(): (AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry) -> Unit {
         return { requests ->
             authorizationRules.forEach { rule ->
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
index 5a124b2f973..a99fbf6ba46 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
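Review bot: The KDoc on the new `fullyAuthenticated` property says only that "remembered" users are excluded, but as I read `AuthenticatedAuthorizationManager.fullyAuthenticated()` it also rejects anonymous authentication, and the doc gives no guidance on when to prefer it over the `authenticated` property directly above it. I would expand the comment to: `Specify that URLs are allowed only by users who have authenticated and were not "remembered" (remember-me and anonymous authentication are both rejected). Prefer this over [authenticated] for sensitive endpoints such as password changes when rememberMe { } is enabled, so that a long-lived remember-me cookie alone cannot authorize them.` The enclosing class continues outside the hunk.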
@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpMethod
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
+import org.springframework.security.authentication.TestAuthentication
 import org.springframework.security.authorization.AuthorizationDecision
 import org.springframework.security.authorization.AuthorizationManager
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
@@ -38,6 +39,7 @@ import org.springframework.security.core.Authentication
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic
 import org.springframework.security.web.SecurityFilterChain
@@ -961,4 +963,45 @@ class AuthorizeHttpRequestsDslTests {
         }
     }
+
+    @Test
+    fun `request when fully authenticated configured then responds ok`() {
+        this.spring.register(FullyAuthenticatedConfig::class.java).autowire()
+
+        this.mockMvc.post("/path") {
+            with(SecurityMockMvcRequestPostProcessors.user("user").roles("USER"))
+            with(csrf())
+        }
+            .andExpect {
+                status { isOk() }
+            }
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    @EnableWebMvc
+    open class FullyAuthenticatedConfig {
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http {
+                authorizeHttpRequests {
+                    authorize("/path", fullyAuthenticated)
+                }
+                httpBasic { }
+                rememberMe { }
+            }
+            return http.build()
+        }
+
+        @Bean
+        open fun userDetailsService(): UserDetailsService = InMemoryUserDetailsManager(TestAuthentication.user())
+
+        @RestController
+        internal class PathController {
+            @RequestMapping("/path")
+            fun path(): String {
+                return "ok"
+            }
+        }
+    }
 }
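Review bot: The new test only exercises the positive path, so it would pass unchanged if `authorize("/path", fullyAuthenticated)` were swapped for `authenticated`; the behaviour that distinguishes the new property — a remember-me authentication being denied — is not covered even though the config enables `rememberMe { }` for exactly that reason. I would add a second test that injects a `RememberMeAuthenticationToken` via `SecurityMockMvcRequestPostProcessors.authentication(...)` and asserts the request is rejected; I expect a 401 from the Basic entry point because `ExceptionTranslationFilter` treats remember-me like anonymous and restarts authentication, but confirm the status against an actual run. That test needs imports for `RememberMeAuthenticationToken` and `AuthorityUtils`. Note also that the existing test authenticates through the `user("user")` post-processor, so the `userDetailsService` bean and `httpBasic { }` are not actually exercised by it.
```kotlin
    @Test
    fun `request when fully authenticated configured and remember me authentication then unauthorized`() {
        this.spring.register(FullyAuthenticatedConfig::class.java).autowire()
        val rememberMe = RememberMeAuthenticationToken("key", "user", AuthorityUtils.createAuthorityList("ROLE_USER"))

        this.mockMvc.post("/path") {
            with(SecurityMockMvcRequestPostProcessors.authentication(rememberMe))
            with(csrf())
        }
            .andExpect {
                status { isUnauthorized() }
            }
    }

    // … unchanged: FullyAuthenticatedConfig …
```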