
Revert "Add default AuthorizationManager"

This reverts commit 4ddec07d0e13c2fe994a8720e22215402d49edd5.
Joe Grandja 2 سال پیش
والد
کامیت
185991a606

+ 2 - 21
web/src/main/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManager.java

@@ -49,8 +49,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
 
 	private final List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings;
 
-	private AuthorizationManager<RequestAuthorizationContext> defaultManager = (authentication, request) -> null;
-
 	private RequestMatcherDelegatingAuthorizationManager(
 			List<RequestMatcherEntry<AuthorizationManager<RequestAuthorizationContext>>> mappings) {
 		Assert.notEmpty(mappings, "mappings cannot be empty");
@@ -84,10 +82,8 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
 						new RequestAuthorizationContext(request, matchResult.getVariables()));
 			}
 		}
-		if (this.logger.isTraceEnabled()) {
-			this.logger.trace(LogMessage.format("Checking authorization on %s using %s", request, this.defaultManager));
-		}
-		return this.defaultManager.check(authentication, new RequestAuthorizationContext(request));
+		this.logger.trace("Abstaining since did not find matching RequestMatcher");
+		return null;
 	}
 
 	/**
@@ -98,21 +94,6 @@ public final class RequestMatcherDelegatingAuthorizationManager implements Autho
 		return new Builder();
 	}
 
-	/**
-	 * Use this {@link AuthorizationManager} if the request fails to match any other
-	 * configured {@link AuthorizationManager}.
-	 *
-	 * <p>
-	 * This is specifically handy when considering whether to accept or deny requests by
-	 * default. The default is to abstain from deciding on requests that don't match
-	 * configuration.
-	 * @param authorizationManager the {@link AuthorizationManager} to use
-	 * @since 5.8
-	 */
-	public void setDefaultAuthorizationManager(AuthorizationManager<RequestAuthorizationContext> authorizationManager) {
-		this.defaultManager = authorizationManager;
-	}
-
 	/**
 	 * A builder for {@link RequestMatcherDelegatingAuthorizationManager}.
 	 */
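Review bot: The new fall-through in `check` (`return null;` after the mapping loop) abstains for every request that matches no `RequestMatcher`, and nothing in the hunk documents what an abstention means for the caller. If the calling filter treats a `null` decision as "not denied" (not visible here, so worth confirming), any path left out of the mappings is served without an authorization decision, which is a fail-open default. I would say so in the method's Javadoc, e.g. `@return the matching manager's decision, or {@code null} (abstain) when no RequestMatcher matches`, and recommend that configurations end with a catch-all mapping. The trace message also no longer names the request, so an unmatched path cannot be identified from the logs; `this.logger.trace("Abstaining since did not find matching RequestMatcher for " + request);` inside the `isTraceEnabled()` guard that the removed lines used would keep that. The body of `check` starts outside the hunk.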

+ 0 - 19
web/src/test/java/org/springframework/security/web/access/intercept/RequestMatcherDelegatingAuthorizationManagerTests.java

@@ -24,7 +24,6 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
@@ -32,10 +31,6 @@ import org.springframework.security.web.util.matcher.RequestMatcherEntry;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
 
 /**
  * Tests for {@link RequestMatcherDelegatingAuthorizationManager}.
@@ -120,20 +115,6 @@ public class RequestMatcherDelegatingAuthorizationManagerTests {
 		assertThat(unmapped.isGranted()).isFalse();
 	}
 
-	@Test
-	public void checkWhenNoMatchesThenUsesDefaultAuthorizationManager() {
-		RequestMatcherDelegatingAuthorizationManager manager = RequestMatcherDelegatingAuthorizationManager.builder()
-				.add((request) -> false, (authentication, context) -> new AuthorizationDecision(false)).build();
-		AuthorizationManager<RequestAuthorizationContext> defaultManager = mock(AuthorizationManager.class);
-		given(defaultManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
-		manager.setDefaultAuthorizationManager(defaultManager);
-		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password");
-		AuthorizationDecision decision = manager.check(authentication, new MockHttpServletRequest(null, "/endpoint"));
-		assertThat(decision).isNotNull();
-		assertThat(decision.isGranted()).isTrue();
-		verify(defaultManager).check(any(), any());
-	}
-
 	@Test
 	public void addWhenMappingsConsumerNullThenException() {
 		assertThatIllegalArgumentException()