Use ErrorController.getErrorPath() to ignore the error path for security

Dave Syer · Dave Syer · commit 95c15733bc5f · 2014-09-17T10:19:18.000+01:00
Fixes gh-1548 again
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jdbc/DataSourceTransactionManagerAutoConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jdbc/DataSourceTransactionManagerAutoConfiguration.java
@@ -16,6 +16,7 @@
 
 package org.springframework.boot.autoconfigure.jdbc;
 
+import javax.annotation.PostConstruct;
 import javax.sql.DataSource;
 
 import org.springframework.beans.factory.annotation.Autowired;
@@ -61,7 +62,10 @@ public PlatformTransactionManager transactionManager() {
 	@Configuration
 	@EnableTransactionManagement
 	protected static class TransactionManagementConfiguration {
-
+		@PostConstruct
+		public void init() {
+			System.err.println("*************");
+		}
 	}
 
 }
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -30,6 +30,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers;
+import org.springframework.boot.autoconfigure.web.ErrorController;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
@@ -50,6 +51,7 @@
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
 import org.springframework.web.servlet.support.RequestDataValueProcessor;
 
 /**
@@ -86,7 +88,7 @@
 public class SpringBootWebSecurityConfiguration {
 
 	private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
-			"/images/**", "/**/favicon.ico", "/error");
+			"/images/**", "/**/favicon.ico");
 
 	@Bean
 	@ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
@@ -132,6 +134,9 @@ else if (ignored.contains("none")) {
 	private static class IgnoredPathsWebSecurityConfigurerAdapter implements
 			WebSecurityConfigurer<WebSecurity> {
 
+		@Autowired(required = false)
+		private ErrorController errorController;
+
 		@Autowired
 		private SecurityProperties security;
 
@@ -146,10 +151,21 @@ public void configure(WebSecurity builder) throws Exception {
 		public void init(WebSecurity builder) throws Exception {
 			IgnoredRequestConfigurer ignoring = builder.ignoring();
 			List<String> ignored = getIgnored(this.security);
+			if (this.errorController != null) {
+				ignored.add(normalizePath(this.errorController.getErrorPath()));
+			}
 			String[] paths = this.server.getPathsArray(ignored);
 			ignoring.antMatchers(paths);
 		}
 
+		private String normalizePath(String errorPath) {
+			String result = StringUtils.cleanPath(errorPath);
+			if (!result.startsWith("/")) {
+				result = "/" + result;
+			}
+			return result;
+		}
+
 	}
 
 	// Pull in @EnableWebMvcSecurity if Spring MVC is available and no-one defined a
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
@@ -71,7 +71,7 @@ public void testWebConfiguration() throws Exception {
 		// 5 for static resources and one for the rest
 		List<SecurityFilterChain> filterChains = this.context.getBean(
 				FilterChainProxy.class).getFilterChains();
-		assertEquals(6, filterChains.size());
+		assertEquals(5, filterChains.size());
 	}
 
 	@Test
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -30,7 +30,7 @@ public class SpringBootWebSecurityConfigurationTests {
 	@Test
 	public void testDefaultIgnores() {
 		assertTrue(SpringBootWebSecurityConfiguration
-				.getIgnored(new SecurityProperties()).contains("/error"));
+				.getIgnored(new SecurityProperties()).contains("/css/**"));
 	}
 
 }

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ public void testWebConfiguration() throws Exception {`
`71`	`71`	`// 5 for static resources and one for the rest`
`72`	`72`	`List<SecurityFilterChain> filterChains = this.context.getBean(`
`73`	`73`	`FilterChainProxy.class).getFilterChains();`
`74`		`- assertEquals(6, filterChains.size());`
	`74`	`+ assertEquals(5, filterChains.size());`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ public class SpringBootWebSecurityConfigurationTests {`
`30`	`30`	`@Test`
`31`	`31`	`public void testDefaultIgnores() {`
`32`	`32`	`assertTrue(SpringBootWebSecurityConfiguration`
`33`		`- .getIgnored(new SecurityProperties()).contains("/error"));`
	`33`	`+ .getIgnored(new SecurityProperties()).contains("/css/**"));`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`}`