Skip to content

Commit

Permalink
Merge pull request #1031 from codeconsole/6.1.x-fix-filter-order
Browse files Browse the repository at this point in the history
Filter order is completely different in Spring Security 5
  • Loading branch information
codeconsole authored Oct 11, 2024
2 parents c94ca5d + 99e2d2e commit cb8251d
Show file tree
Hide file tree
Showing 7 changed files with 96 additions and 45 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -87,15 +87,15 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {
expect:
10 == map.size()
map[Integer.MIN_VALUE + 10] instanceof SecurityRequestHolderFilter
map[300] instanceof SecurityContextPersistenceFilter
map[400] instanceof MutableLogoutFilter
map[800] instanceof GrailsUsernamePasswordAuthenticationFilter
map[1400] instanceof SecurityContextHolderAwareRequestFilter
map[1500] instanceof GrailsRememberMeAuthenticationFilter
map[1600] instanceof GrailsAnonymousAuthenticationFilter
map[1800] instanceof FormContentFilter
map[1900] instanceof ExceptionTranslationFilter
map[2000] instanceof FilterSecurityInterceptor
map[SecurityFilterPosition.SECURITY_CONTEXT_FILTER.order] instanceof SecurityContextPersistenceFilter
map[SecurityFilterPosition.LOGOUT_FILTER.order] instanceof MutableLogoutFilter
map[SecurityFilterPosition.FORM_LOGIN_FILTER.order] instanceof GrailsUsernamePasswordAuthenticationFilter
map[SecurityFilterPosition.SERVLET_API_SUPPORT_FILTER.order] instanceof SecurityContextHolderAwareRequestFilter
map[SecurityFilterPosition.REMEMBER_ME_FILTER.order] instanceof GrailsRememberMeAuthenticationFilter
map[SecurityFilterPosition.ANONYMOUS_FILTER.order] instanceof GrailsAnonymousAuthenticationFilter
map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order-10] instanceof FormContentFilter
map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order] instanceof ExceptionTranslationFilter
map[SecurityFilterPosition.FILTER_SECURITY_INTERCEPTOR.order] instanceof FilterSecurityInterceptor

when:
SpringSecurityUtils.clientRegisterFilter 'foo', SecurityFilterPosition.LOGOUT_FILTER
Expand Down Expand Up @@ -123,7 +123,7 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {

then:
11 == map.size()
map[410] instanceof DummyFilter
map[SecurityFilterPosition.LOGOUT_FILTER.order + 10] instanceof DummyFilter

when:
def filters = securityFilterChains[0].filters
Expand Down
1 change: 1 addition & 0 deletions gradle/libs.versions.toml
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ spring-context-core = { module = 'org.springframework:spring-context', version.r
spring-context-support = { module = 'org.springframework:spring-context-support', version.ref = 'spring' }
spring-expression = { module = 'org.springframework:spring-expression', version.ref = 'spring' }
spring-security-core = { module = 'org.springframework.security:spring-security-core', version.ref = 'spring-security' }
spring-security-config = { module = 'org.springframework.security:spring-security-config', version.ref = 'spring-security' }
spring-security-crypto = { module = 'org.springframework.security:spring-security-crypto', version.ref = 'spring-security' }
spring-security-web = { module = 'org.springframework.security:spring-security-web', version.ref = 'spring-security' }
spring-test = { module = 'org.springframework:spring-test', version.ref = 'spring' }
Expand Down
1 change: 1 addition & 0 deletions plugin/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ dependencies {
testImplementation libs.bundles.grails.testing.support
testImplementation libs.spock.core
testImplementation libs.spring.test
testImplementation libs.spring.security.config

testRuntimeOnly libs.slf4j.nop // Prevents warnings about missing slf4j implementation during tests
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package grails.plugin.springsecurity
package grails.plugin.springsecurity;

/**
* Stores the default order numbers of all Spring Security filters for use in configuration.
Expand All @@ -23,63 +23,101 @@
* @author Burt Beckwith
*/
enum SecurityFilterPosition {
/** First */

FIRST(Integer.MIN_VALUE),
/** HTTP/HTTPS channel filter */

DISABLE_ENCODE_URL_FILTER,

FORCE_EAGER_SESSION_FILTER,

CHANNEL_FILTER,
/** Concurrent Sessions */
CONCURRENT_SESSION_FILTER,
/** Populates the SecurityContextHolder */

SECURITY_CONTEXT_FILTER,
/** Logout */

CONCURRENT_SESSION_FILTER,

WEB_ASYNC_MANAGER_FILTER,

HEADERS_FILTER,

CORS_FILTER,

SAML2_LOGOUT_REQUEST_FILTER,

SAML2_LOGOUT_RESPONSE_FILTER,

CSRF_FILTER,

SAML2_LOGOUT_FILTER,

LOGOUT_FILTER,
/** x509 certs */

OAUTH2_AUTHORIZATION_REQUEST_FILTER,

SAML2_AUTHENTICATION_REQUEST_FILTER,

X509_FILTER,
/** Pre-auth */

PRE_AUTH_FILTER,
/** CAS */

CAS_FILTER,
/** UsernamePasswordAuthenticationFilter */

OAUTH2_LOGIN_FILTER,

SAML2_AUTHENTICATION_FILTER,

FORM_LOGIN_FILTER,
/** OpenID */

OPENID_FILTER,
/** Not used, generates a dynamic login form */

LOGIN_PAGE_FILTER,
/** Digest auth */

LOGOUT_PAGE_FILTER,

DIGEST_AUTH_FILTER,
/** Basic Auth */

BEARER_TOKEN_AUTH_FILTER,

BASIC_AUTH_FILTER,
/** saved request filter */

REQUEST_CACHE_FILTER,
/** SecurityContextHolderAwareRequestFilter */

SERVLET_API_SUPPORT_FILTER,
/** Remember-me cookie */

JAAS_API_SUPPORT_FILTER,

REMEMBER_ME_FILTER,
/** Anonymous auth */

ANONYMOUS_FILTER,
/** SessionManagementFilter */

OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER,

WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER,

SESSION_MANAGEMENT_FILTER,
/** Spring FormContentFilter allows www-url-form-encoded content-types to provide params in PUT requests */
FORM_CONTENT_FILTER,
/** ExceptionTranslationFilter */

EXCEPTION_TRANSLATION_FILTER,
/** FilterSecurityInterceptor */

FILTER_SECURITY_INTERCEPTOR,
/** Switch user */

SWITCH_USER_FILTER,
/** Last */
LAST(Integer.MAX_VALUE)

private static final int INTERVAL = 100
LAST(Integer.MAX_VALUE);

private static final int INTERVAL = 100;

/** The position in the chain. */
final int order
private final int order;

private SecurityFilterPosition() {
order = ordinal() * INTERVAL
SecurityFilterPosition() {
this.order = ordinal() * INTERVAL;
}

private SecurityFilterPosition(int filterOrder) {
order = filterOrder
SecurityFilterPosition(int order) {
this.order = order;
}

public int getOrder() {
return this.order;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -762,7 +762,7 @@ final class SpringSecurityUtils {
orderedNames[SecurityFilterPosition.SWITCH_USER_FILTER.order] = 'switchUserProcessingFilter'
}

orderedNames[SecurityFilterPosition.FORM_CONTENT_FILTER.order] = 'formContentFilter'
orderedNames[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order-10] = 'formContentFilter'

// add in filters contributed by secondary plugins
orderedNames << SpringSecurityUtils.orderedFilters
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package grails.plugin.springsecurity
import grails.plugin.springsecurity.web.GrailsSecurityFilterChain
import grails.plugin.springsecurity.web.SecurityRequestHolder
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.config.http.SecurityFiltersMapper
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.web.FilterChainProxy
Expand Down Expand Up @@ -340,6 +341,11 @@ class SpringSecurityUtilsSpec extends AbstractUnitSpec {
!SpringSecurityUtils.ifAnyGranted('ROLE_4')
}

void 'SecurityFilterPosition order should match SecurityFilters'() {
expect:
SecurityFilterPosition.SWITCH_USER_FILTER.order == SecurityFiltersMapper.SWITCH_USER_FILTER.order
}

void 'private constructor'() {
expect:
SecurityTestUtils.testPrivateConstructor SpringSecurityUtils
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
package org.springframework.security.config.http

class SecurityFiltersMapper {
static final SWITCH_USER_FILTER = SecurityFilters.SWITCH_USER_FILTER
}

0 comments on commit cb8251d

Please sign in to comment.