Merge branch '7.0.x' into renovate/spring-boot

Author: codeconsole

.github/workflows/gradle.yml

@@ -10,8 +10,8 @@ on:
       - '[3-9]+.[3-9]+.x'      
   workflow_dispatch:
 env:
-  GIT_USER_NAME: puneetbehl
-  GIT_USER_EMAIL: [email protected]
+  GIT_USER_NAME: grails-build
+  GIT_USER_EMAIL: [email protected]
 
 jobs:
   core-tests:
@@ -70,6 +70,7 @@ jobs:
             spring-security-core:build 
             --refresh-dependencies
             -Dgeb.env=chromeHeadless
+            -x javadoc
 
       - name: Publish Snapshot artifacts to Artifactory (repo.grails.org)
         uses: gradle/actions/setup-gradle@v3
@@ -82,6 +83,7 @@ jobs:
           arguments: |
             -Dorg.gradle.internal.publish.checksums.insecure=true 
             spring-security-core:publish
+            -x javadoc            
 
       - name: Generate Snapshot Documentation
         if: success()

.sdkmanrc

@@ -0,0 +1 @@
+java=17.0.12-librca

README.md

@@ -13,3 +13,18 @@ See [documentation](https://grails-plugins.github.io/grails-spring-security-core
 - `4.0.x` compatible with Grails 4
 - `3.3.x` compatible with Grails 3.3.x
 - `3.2.x` compatible with Grails 3.2.x
+
+Grails 7 requires disabling any Spring Security Auto Configurations you may have in your classpath.  This can be done via annotation or `application.yml`
+e.g.
+```yml
+spring:
+  autoconfigure:
+    exclude:
+      - org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+      - org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration
+      - org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
+```

buildSrc/build.gradle

@@ -4,6 +4,7 @@ repositories {
 }
 
 dependencies {
+    implementation platform("org.grails:grails-bom:7.0.0-SNAPSHOT")
     implementation buildsrcLibs.asciidoctorj
     implementation buildsrcLibs.asset.pipeline.gradle
     implementation buildsrcLibs.grails.gradle.plugin, {

examples/integration-test-app/src/integration-test/groovy/grails/plugin/springsecurity/SpringSecurityUtilsIntegrationSpec.groovy

@@ -87,15 +87,15 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {
         expect:
         10 == map.size()
         map[Integer.MIN_VALUE + 10] instanceof SecurityRequestHolderFilter
-        map[300] instanceof SecurityContextPersistenceFilter
-        map[400] instanceof MutableLogoutFilter
-        map[800] instanceof GrailsUsernamePasswordAuthenticationFilter
-        map[1400] instanceof SecurityContextHolderAwareRequestFilter
-        map[1500] instanceof GrailsRememberMeAuthenticationFilter
-        map[1600] instanceof GrailsAnonymousAuthenticationFilter
-        map[1800] instanceof FormContentFilter
-        map[1900] instanceof ExceptionTranslationFilter
-        map[2000] instanceof FilterSecurityInterceptor
+        map[SecurityFilterPosition.SECURITY_CONTEXT_FILTER.order] instanceof SecurityContextPersistenceFilter
+        map[SecurityFilterPosition.LOGOUT_FILTER.order] instanceof MutableLogoutFilter
+        map[SecurityFilterPosition.FORM_LOGIN_FILTER.order] instanceof GrailsUsernamePasswordAuthenticationFilter
+        map[SecurityFilterPosition.SERVLET_API_SUPPORT_FILTER.order] instanceof SecurityContextHolderAwareRequestFilter
+        map[SecurityFilterPosition.REMEMBER_ME_FILTER.order] instanceof GrailsRememberMeAuthenticationFilter
+        map[SecurityFilterPosition.ANONYMOUS_FILTER.order] instanceof GrailsAnonymousAuthenticationFilter
+        map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order-10] instanceof FormContentFilter
+        map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order] instanceof ExceptionTranslationFilter
+        map[SecurityFilterPosition.FILTER_SECURITY_INTERCEPTOR.order] instanceof FilterSecurityInterceptor
 
         when:
         SpringSecurityUtils.clientRegisterFilter 'foo', SecurityFilterPosition.LOGOUT_FILTER
@@ -123,7 +123,7 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {
 
         then:
         11 == map.size()
-        map[410] instanceof DummyFilter
+        map[SecurityFilterPosition.LOGOUT_FILTER.order + 10] instanceof DummyFilter
 
         when:
         def filters = securityFilterChains[0].filters

gradle/libs.versions.toml

@@ -1,6 +1,6 @@
 [versions]
 asset-pipeline = '5.0.1'
-commons-lang = '2.6'
+commons-text = '1.12.0'
 ehcache = '3.10.8'
 geb = '7.0'
 gorm-hibernate5 = '9.0.0-SNAPSHOT'
@@ -25,7 +25,7 @@ spring-security = '6.3.3'
 tomcat = '10.1.29'
 
 [libraries]
-commons-lang = { module = 'commons-lang:commons-lang', version.ref = 'commons-lang' }
+commons-text = { module = 'org.apache.commons:commons-text', version.ref = 'commons-text' }
 ehcache = { module = 'org.ehcache:ehcache', version.ref = 'ehcache' }
 geb-core = { module = 'org.gebish:geb-core', version.ref = 'geb' }
 geb-spock = { module = 'org.gebish:geb-spock', version.ref = 'geb' }
@@ -76,6 +76,7 @@ spring-context-core = { module = 'org.springframework:spring-context', version.r
 spring-context-support = { module = 'org.springframework:spring-context-support', version.ref = 'spring' }
 spring-expression = { module = 'org.springframework:spring-expression', version.ref = 'spring' }
 spring-security-core = { module = 'org.springframework.security:spring-security-core', version.ref = 'spring-security' }
+spring-security-config = { module = 'org.springframework.security:spring-security-config', version.ref = 'spring-security' }
 spring-security-crypto = { module = 'org.springframework.security:spring-security-crypto', version.ref = 'spring-security' }
 spring-security-web = { module = 'org.springframework.security:spring-security-web', version.ref = 'spring-security' }
 spring-test = { module = 'org.springframework:spring-test', version.ref = 'spring' }

plugin/build.gradle

@@ -9,12 +9,6 @@ plugins {
 
 group = 'org.grails.plugins'
 
-configurations {
-    all {
-        exclude group: 'javax.servlet'
-    }
-}
-
 dependencies {
 
 	api libs.grails.core
@@ -32,7 +26,7 @@ dependencies {
 	api libs.spring.security.web
 	api libs.spring.web
 
-	implementation libs.commons.lang
+	implementation libs.commons.text
 	implementation libs.ehcache
 	implementation libs.grails.bootstrap
 	implementation libs.grails.converters
@@ -42,6 +36,7 @@ dependencies {
 	implementation libs.spring.core
 	implementation libs.spring.security.crypto
 	implementation libs.spring.tx
+	compileOnly "jline:jline" // for shell commands
 
 	compileOnly libs.groovy.core // Compile-time annotations
 	compileOnly libs.jakarta.servlet.api // Provided
@@ -50,6 +45,7 @@ dependencies {
 	testImplementation libs.bundles.grails.testing.support
 	testImplementation libs.spock.core
 	testImplementation libs.spring.test
+	testImplementation libs.spring.security.config
 
 	testRuntimeOnly libs.slf4j.nop // Prevents warnings about missing slf4j implementation during tests
 }

…ngsecurity/SecurityFilterPosition.groovy …ringsecurity/SecurityFilterPosition.javaplugin/src/main/groovy/grails/plugin/springsecurity/SecurityFilterPosition.groovy renamed to plugin/src/main/groovy/grails/plugin/springsecurity/SecurityFilterPosition.java plugin/src/main/groovy/grails/plugin/springsecurity/SecurityFilterPosition.groovy renamed to plugin/src/main/groovy/grails/plugin/springsecurity/SecurityFilterPosition.java

@@ -12,7 +12,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package grails.plugin.springsecurity
+package grails.plugin.springsecurity;
 
 /**
  * Stores the default order numbers of all Spring Security filters for use in configuration.
@@ -22,64 +22,100 @@
  *
  * @author Burt Beckwith
  */
-enum SecurityFilterPosition {
-	/** First */
+enum SecurityFilterPosition  {
+
 	FIRST(Integer.MIN_VALUE),
-	/** HTTP/HTTPS channel filter */
+
+	DISABLE_ENCODE_URL_FILTER,
+
+	FORCE_EAGER_SESSION_FILTER,
+
 	CHANNEL_FILTER,
-	/** Concurrent Sessions */
-	CONCURRENT_SESSION_FILTER,
-	/** Populates the SecurityContextHolder */
+
 	SECURITY_CONTEXT_FILTER,
-	/** Logout */
+
+	CONCURRENT_SESSION_FILTER,
+
+	WEB_ASYNC_MANAGER_FILTER,
+
+	HEADERS_FILTER,
+
+	CORS_FILTER,
+
+	SAML2_LOGOUT_REQUEST_FILTER,
+
+	SAML2_LOGOUT_RESPONSE_FILTER,
+
+	CSRF_FILTER,
+
+	SAML2_LOGOUT_FILTER,
+
 	LOGOUT_FILTER,
-	/** x509 certs */
+
+	OAUTH2_AUTHORIZATION_REQUEST_FILTER,
+
+	SAML2_AUTHENTICATION_REQUEST_FILTER,
+
 	X509_FILTER,
-	/** Pre-auth */
+
 	PRE_AUTH_FILTER,
-	/** CAS */
+
 	CAS_FILTER,
-	/** UsernamePasswordAuthenticationFilter */
+
+	OAUTH2_LOGIN_FILTER,
+
+	SAML2_AUTHENTICATION_FILTER,
+
 	FORM_LOGIN_FILTER,
-	/** OpenID */
-	OPENID_FILTER,
-	/** Not used, generates a dynamic login form */
+
 	LOGIN_PAGE_FILTER,
-	/** Digest auth */
+
+	LOGOUT_PAGE_FILTER,
+
 	DIGEST_AUTH_FILTER,
-	/** Basic Auth */
+
+	BEARER_TOKEN_AUTH_FILTER,
+
 	BASIC_AUTH_FILTER,
-	/** saved request filter */
+
 	REQUEST_CACHE_FILTER,
-	/** SecurityContextHolderAwareRequestFilter */
+
 	SERVLET_API_SUPPORT_FILTER,
-	/** Remember-me cookie */
+
+	JAAS_API_SUPPORT_FILTER,
+
 	REMEMBER_ME_FILTER,
-	/** Anonymous auth */
+
 	ANONYMOUS_FILTER,
-	/** SessionManagementFilter */
+
+	OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER,
+
+	WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER,
+
 	SESSION_MANAGEMENT_FILTER,
-	/** Spring FormContentFilter allows www-url-form-encoded content-types to provide params in PUT requests */
-	FORM_CONTENT_FILTER,
-	/** ExceptionTranslationFilter */
+
 	EXCEPTION_TRANSLATION_FILTER,
-	/** FilterSecurityInterceptor */
+
 	FILTER_SECURITY_INTERCEPTOR,
-	/** Switch user */
+
 	SWITCH_USER_FILTER,
-	/** Last */
-	LAST(Integer.MAX_VALUE)
 
-	private static final int INTERVAL = 100
+	LAST(Integer.MAX_VALUE);
+
+	private static final int INTERVAL = 100;
 
-	/** The position in the chain. */
-	final int order
+	private final int order;
 
-	private SecurityFilterPosition() {
-		order = ordinal() * INTERVAL
+	SecurityFilterPosition() {
+		this.order = ordinal() * INTERVAL;
 	}
 
-	private SecurityFilterPosition(int filterOrder) {
-		order = filterOrder
+	SecurityFilterPosition(int order) {
+		this.order = order;
 	}
+
+	public int getOrder() {
+		return this.order;
+	}
+
 }

plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityCoreGrailsPlugin.groovy

@@ -57,6 +57,7 @@ import grails.plugins.Plugin
 import grails.util.Metadata
 import groovy.util.logging.Slf4j
 import org.grails.web.mime.HttpServletResponseExtension
+import org.springframework.boot.autoconfigure.security.SecurityProperties
 import org.springframework.boot.web.servlet.FilterRegistrationBean
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean
 import org.springframework.cache.jcache.JCacheCacheManager
@@ -221,17 +222,7 @@ class SpringSecurityCoreGrailsPlugin extends Plugin {
 			filter = ref('springSecurityFilterChain')
 			urlPatterns = ['/*']
 			dispatcherTypes = EnumSet.of(DispatcherType.ERROR, DispatcherType.REQUEST)
-
-			// The filter chain has to be after grailsWebRequestFilter, but its order changed
-			// in 3.1 (from Ordered.HIGHEST_PRECEDENCE + 30 (-2147483618) to
-			// FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER + 30 (30))
-			String grailsVersion = Metadata.current.getGrailsVersion()
-			if (grailsVersion.startsWith('3.0')) {
-				order = Ordered.HIGHEST_PRECEDENCE + 100
-			}
-			else {
-				order = 100 // FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER + 100
-			}
+			order = SecurityProperties.DEFAULT_FILTER_ORDER
 		}
 
 		if (conf.useHttpSessionEventPublisher) {
@@ -673,6 +664,13 @@ to default to 'Annotation'; setting value to 'Annotation'
 		// build filters here to give dependent plugins a chance to register some
 		SortedMap<Integer, String> filterNames = ReflectionUtils.findFilterChainNames(conf)
 		def securityFilterChains = applicationContext.securityFilterChains
+
+		// if sitemesh 3 is installed, the filter should be applied a second time
+		// as part of the security filter chain so that pages are decorated using the security context
+		if (applicationContext.containsBean('sitemesh')) {
+			filterNames[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order - 10] = 'sitemesh'
+		}
+
 		SpringSecurityUtils.buildFilterChains filterNames, conf.filterChain.chainMap ?: [], securityFilterChains, applicationContext
 		log.trace 'Filter chain: {}', securityFilterChains