
Commit 401058d

kandaguru17 authored and marcusdacoregio committed
Implemented AuthorizeHttpRequestsConfigurer to consider GrantedAuthorityDefaults for custom rolePrefix
Closes gh-13215
1 parent c5461b1 commit 401058d


2 files changed

+42
-1
lines changed


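--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
@@ -35,6 +35,7 @@
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
@@ -62,11 +63,22 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 
 private final Supplier<RoleHierarchy> roleHierarchy;
 
+private final String rolePrefix;
+
 /**
 * Creates an instance.
 * @param context the {@link ApplicationContext} to use
 */
 public AuthorizeHttpRequestsConfigurer(ApplicationContext context) {
+String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
+if (grantedAuthorityDefaultsBeanNames.length == 1) {
+GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0],
+GrantedAuthorityDefaults.class);
+this.rolePrefix = grantedAuthorityDefaults.getRolePrefix();
+}
+else {
+this.rolePrefix = "ROLE_";
+}
 this.registry = new AuthorizationManagerRequestMatcherRegistry(context);
 if (context.getBeanNamesForType(AuthorizationEventPublisher.class).length > 0) {
 this.publisher = context.getBean(AuthorizationEventPublisher.class);
@@ -279,7 +291,8 @@ public AuthorizationManagerRequestMatcherRegistry denyAll() {
 * customizations
 */
 public AuthorizationManagerRequestMatcherRegistry hasRole(String role) {
-return access(withRoleHierarchy(AuthorityAuthorizationManager.hasRole(role)));
+return access(withRoleHierarchy(AuthorityAuthorizationManager
+.hasAuthority(AuthorizeHttpRequestsConfigurer.this.rolePrefix + role)));
 }
 
 /**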
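Review bot: In the constructor hunk, any bean count other than exactly one — including two or more GrantedAuthorityDefaults beans — silently falls back to "ROLE_", so a duplicated or overridden defaults bean would make hasRole("USER") check ROLE_USER while the application's authorities carry the custom prefix, with nothing at startup saying so. Failing fast on the ambiguous case would keep that misconfiguration visible, e.g. `else if (grantedAuthorityDefaultsBeanNames.length > 1) { throw new IllegalStateException("Expected a single GrantedAuthorityDefaults bean, found " + grantedAuthorityDefaultsBeanNames.length); }`. In the hasRole hunk the authority is now built by plain concatenation, so whatever validation AuthorityAuthorizationManager.hasRole applied to a role value that already carries the prefix (if any) no longer runs; a guard such as `Assert.isTrue(!role.startsWith(this.rolePrefix), ...)` before the concatenation would preserve it. hasAnyRole is outside the hunk, and if it still delegates to AuthorityAuthorizationManager.hasAnyRole it will keep the default prefix, leaving the two methods inconsistent under a custom GrantedAuthorityDefaults; the hasRole Javadoc, which starts outside the hunk, should also state that the prefix is taken from the GrantedAuthorityDefaults bean when one is present and is "ROLE_" otherwise.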

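--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java
@@ -37,6 +37,7 @@
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -475,6 +476,17 @@ public void getWhenExpressionRoleUserOrAdminConfiguredAndRoleIsOtherThenResponds
 this.mvc.perform(requestWithRoleOther).andExpect(status().isForbidden());
 }
 
+@Test
+public void getWhenRoleUserConfiguredAsGrantedAuthorityDefaultThenRespondsWithOk() throws Exception {
+this.spring.register(GrantedAuthorityDefaultConfig.class, BasicController.class).autowire();
+// @formatter:off
+MockHttpServletRequestBuilder requestWithUser = get("/")
+.with(user("user")
+.authorities(new SimpleGrantedAuthority("CUSTOM_PREFIX_USER")));
+// @formatter:on
+this.mvc.perform(requestWithUser).andExpect(status().isOk());
+}
+
 @Test
 public void getWhenExpressionHasIpAddressLocalhostConfiguredIpAddressIsLocalhostThenRespondsWithOk()
 throws Exception {
@@ -557,6 +569,22 @@ public void getWhenAnonymousConfiguredAndLoggedInUserThenRespondsWithForbidden()
 this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 }
 
+@Configuration
+@EnableWebSecurity
+static class GrantedAuthorityDefaultConfig {
+
+@Bean
+GrantedAuthorityDefaults grantedAuthorityDefaults() {
+return new GrantedAuthorityDefaults("CUSTOM_PREFIX_");
+}
+
+@Bean
+SecurityFilterChain myFilterChain(HttpSecurity http) throws Exception {
+return http.authorizeHttpRequests((c) -> c.anyRequest().hasRole("USER")).build();
+}
+
+}
+
 @Configuration
 @EnableWebSecurity
 static class NoRequestsConfig {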
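Review bot: The new test getWhenRoleUserConfiguredAsGrantedAuthorityDefaultThenRespondsWithOk in the second hunk only exercises the positive case, so it would also pass if hasRole accepted either prefix or the bare role name. A companion test against GrantedAuthorityDefaultConfig that sends a user holding `new SimpleGrantedAuthority("ROLE_USER")` and expects `status().isForbidden()` would pin that the custom prefix replaces the default rather than extends it, which is the authorization-relevant property of this change. A further case with the bare authority "USER" expecting forbidden would guard against the prefix being dropped entirely.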
