Add support fullyAuthenticated to Kotlin DSL #16190

Open
wants to merge 1 commit into
base: main
Expand Up @@ -275,6 +275,13 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
val authenticated: AuthorizationManager<RequestAuthorizationContext> =
AuthenticatedAuthorizationManager.authenticated()

/**
* Specify that URLs are allowed by users who have authenticated and were not "remembered".
* @since 6.5
*/
jzheaux marked this conversation as resolved.
val fullyAuthenticated: AuthorizationManager<RequestAuthorizationContext> =
AuthenticatedAuthorizationManager.fullyAuthenticated()

internal fun get(): (AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry) -> Unit {
return { requests ->
authorizationRules.forEach { rule ->
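Review bot: The KDoc on `fullyAuthenticated` does not say how it differs from `authenticated` declared directly above it, which is the one thing a reader choosing between the two needs to know. Consider adding a line such as `* Unlike [authenticated], a remember-me authentication is not sufficient; prefer this for endpoints that should require a fresh login.` The existing "were not remembered" wording is easy to skim past, and choosing `authenticated` for a sensitive endpoint in an application that also enables `rememberMe { }` would admit remember-me sessions. The class body continues outside this hunk.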
Expand Up @@ -27,6 +27,8 @@ import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.access.hierarchicalroles.RoleHierarchy
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.authentication.RememberMeAuthenticationToken
import org.springframework.security.authentication.TestAuthentication
import org.springframework.security.authorization.AuthorizationDecision
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.config.annotation.web.builders.HttpSecurity
Expand All @@ -35,11 +37,11 @@ import org.springframework.security.config.core.GrantedAuthorityDefaults
import org.springframework.security.config.test.SpringTestContext
import org.springframework.security.config.test.SpringTestContextExtension
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.access.intercept.RequestAuthorizationContext
import org.springframework.security.web.util.matcher.RegexRequestMatcher
Expand Down Expand Up @@ -961,4 +963,61 @@ class AuthorizeHttpRequestsDslTests {
}

}

@Test
fun `request when fully authenticated configured then responds ok`() {
jzheaux marked this conversation as resolved.
this.spring.register(FullyAuthenticatedConfig::class.java).autowire()

this.mockMvc.get("/path") {
with(user("user").roles("USER"))
}.andExpect {
status {
isOk()
}
}
}

@Test
fun `request when fully authenticated configured and remember-me token then responds unauthorized`() {
this.spring.register(FullyAuthenticatedConfig::class.java).autowire()
val rememberMe = RememberMeAuthenticationToken("key", "user",
AuthorityUtils.createAuthorityList("ROLE_USER"))

this.mockMvc.get("/path") {
with(user("user").roles("USER"))
with(authentication(rememberMe))
}.andExpect {
status {
isUnauthorized()
}
}
}

@Configuration
@EnableWebSecurity
@EnableWebMvc
open class FullyAuthenticatedConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize("/path", fullyAuthenticated)
}
httpBasic { }
rememberMe { }
}
return http.build()
}

@Bean
open fun userDetailsService(): UserDetailsService = InMemoryUserDetailsManager(TestAuthentication.user())

@RestController
internal class PathController {
@GetMapping("/path")
fun path(): String {
return "ok"
}
}
}
}
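Review bot: In the remember-me test the request applies `with(user("user").roles("USER"))` and then `with(authentication(rememberMe))`; the first post-processor looks redundant, since the second appears to replace the authentication it set up, and it obscures which principal the 401 is asserted for. Dropping it leaves `with(authentication(rememberMe))` as the only setup line, so the test clearly pins "a remember-me token alone is rejected". Separately, the import hunk replaces the explicit `csrf` and `httpBasic` imports with `SecurityMockMvcRequestPostProcessors.*`; explicit imports of `authentication` and `user` would keep the file's existing import style. A third case for a request to `/path` with no authentication at all would round out the coverage of the new rule.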