
Polish gh-9597

Steve Riesenberg 3 年之前
父节点
当前提交
df0f6f83af

+ 0 - 6
config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java

@@ -21,7 +21,6 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.context.ApplicationContext;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -91,11 +90,6 @@ public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>>
 		if (trustResolver != null) {
 			this.securityContextRequestFilter.setTrustResolver(trustResolver);
 		}
-		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = http
-				.getSharedObject(AuthenticationDetailsSource.class);
-		if (authenticationDetailsSource != null) {
-			this.securityContextRequestFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
-		}
 		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
 		if (context != null) {
 			String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);

+ 0 - 26
config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java

@@ -30,7 +30,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -150,15 +149,6 @@ public class ServletApiConfigurerTests {
 		verify(SharedTrustResolverConfig.TR, atLeastOnce()).isAnonymous(any());
 	}
 
-	@Test
-	public void configureWhenSharedObjectAuthenticationDetailsSourceThenAuthenticationDetailsSourceUsed() {
-		this.spring.register(SharedAuthenticationDetailsSourceConfig.class).autowire();
-		SecurityContextHolderAwareRequestFilter scaFilter = getFilter(SecurityContextHolderAwareRequestFilter.class);
-		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = getFieldValue(scaFilter,
-				"authenticationDetailsSource");
-		assertThat(authenticationDetailsSource).isEqualTo(SharedAuthenticationDetailsSourceConfig.ADS);
-	}
-
 	@Test
 	public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
 		this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
@@ -331,22 +321,6 @@ public class ServletApiConfigurerTests {
 
 	}
 
-	@EnableWebSecurity
-	static class SharedAuthenticationDetailsSourceConfig extends WebSecurityConfigurerAdapter {
-
-		@SuppressWarnings("unchecked")
-		static AuthenticationDetailsSource<HttpServletRequest, ?> ADS = spy(AuthenticationDetailsSource.class);
-
-		@Override
-		protected void configure(HttpSecurity http) {
-			// @formatter:off
-			http
-				.setSharedObject(AuthenticationDetailsSource.class, ADS);
-			// @formatter:on
-		}
-
-	}
-
 	@EnableWebSecurity
 	static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
 

+ 1 - 13
web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java

@@ -81,7 +81,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
-	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
+	private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
 
 	private AuthenticationEntryPoint authenticationEntryPoint;
 
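Review bot: The `authenticationDetailsSource` field is now `final` and always a `WebAuthenticationDetailsSource`, but nothing on the declaration says the fixed value is deliberate. I would add a one-line comment above it, for example `// Intentionally not configurable: details are always built by WebAuthenticationDetailsSource`, so a later reader does not reintroduce the setter removed further down in this file. Where the field is read lies outside this hunk; the test added in SecurityContextHolderAwareRequestFilterTests suggests it feeds the token built by `login(username, password)`. That test expects the recorded address to equal `getRemoteAddr()`, so behind a reverse proxy the details would presumably carry the proxy's address, with no hook left on the filter to change that. If this is intended, it is worth stating in the class Javadoc.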
@@ -162,18 +162,6 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 		this.trustResolver = trustResolver;
 	}
 
-	/**
-	 * Sets the {@link AuthenticationDetailsSource} to be used. The default is
-	 * {@link WebAuthenticationDetailsSource}.
-	 * @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
-	 * Cannot be null.
-	 */
-	void setAuthenticationDetailsSource(
-			AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
-		Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
-		this.authenticationDetailsSource = authenticationDetailsSource;
-	}
-
 	@Override
 	public HttpServletRequest create(HttpServletRequest request, HttpServletResponse response) {
 		return new Servlet3SecurityContextHolderAwareRequestWrapper(request, this.rolePrefix, response);

+ 0 - 18
web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java

@@ -27,14 +27,12 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
@@ -82,8 +80,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
-	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
-
 	public void setRolePrefix(String rolePrefix) {
 		Assert.notNull(rolePrefix, "Role prefix must not be null");
 		this.rolePrefix = rolePrefix;
@@ -176,23 +172,9 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 		updateFactory();
 	}
 
-	/**
-	 * Sets the {@link AuthenticationDetailsSource} to be used. The default is
-	 * {@link WebAuthenticationDetailsSource}.
-	 * @param authenticationDetailsSource the {@link AuthenticationDetailsSource} to use.
-	 * Cannot be null.
-	 */
-	public void setAuthenticationDetailsSource(
-			AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
-		Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
-		this.authenticationDetailsSource = authenticationDetailsSource;
-		updateFactory();
-	}
-
 	private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
 		HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
 		factory.setTrustResolver(this.trustResolver);
-		factory.setAuthenticationDetailsSource(this.authenticationDetailsSource);
 		factory.setAuthenticationEntryPoint(this.authenticationEntryPoint);
 		factory.setAuthenticationManager(this.authenticationManager);
 		factory.setLogoutHandlers(this.logoutHandlers);

+ 26 - 1
web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ * Copyright 2004, 2005, 2006, 2021 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -45,12 +46,14 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
@@ -59,6 +62,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
 
 /**
  * Tests {@link SecurityContextHolderAwareRequestFilter}.
@@ -217,6 +221,27 @@ public class SecurityContextHolderAwareRequestFilterTests {
 		verifyZeroInteractions(this.authenticationEntryPoint, this.authenticationManager, this.logoutHandler);
 	}
 
+	@Test
+	public void loginWhenHttpServletRequestHasAuthenticationDetailsThenAuthenticationRequestHasDetails()
+			throws Exception {
+		String ipAddress = "10.0.0.100";
+		String sessionId = "session-id";
+		when(this.request.getRemoteAddr()).thenReturn(ipAddress);
+		when(this.request.getSession(anyBoolean())).thenReturn(new MockHttpSession(null, sessionId));
+		wrappedRequest().login("username", "password");
+
+		ArgumentCaptor<UsernamePasswordAuthenticationToken> authenticationCaptor = ArgumentCaptor
+				.forClass(UsernamePasswordAuthenticationToken.class);
+		verify(this.authenticationManager).authenticate(authenticationCaptor.capture());
+
+		UsernamePasswordAuthenticationToken authenticationRequest = authenticationCaptor.getValue();
+		assertThat(authenticationRequest.getDetails()).isInstanceOf(WebAuthenticationDetails.class);
+
+		WebAuthenticationDetails details = (WebAuthenticationDetails) authenticationRequest.getDetails();
+		assertThat(details.getRemoteAddress()).isEqualTo(ipAddress);
+		assertThat(details.getSessionId()).isEqualTo(sessionId);
+	}
+
 	@Test
 	public void logout() throws Exception {
 		TestingAuthenticationToken expectedAuth = new TestingAuthenticationToken("user", "password", "ROLE_USER");
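Review bot: The two stubs at the top of the new test use `when(...).thenReturn(...)`, while this file already statically imports `given` from BDDMockito, so the test class now mixes two stubbing styles. Writing them as `given(this.request.getRemoteAddr()).willReturn(ipAddress);` and `given(this.request.getSession(anyBoolean())).willReturn(new MockHttpSession(null, sessionId));` keeps the file consistent. The `import static org.mockito.Mockito.when;` added in the import hunk above could then be dropped.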