Merge branch 'spring-projects:main' into main

Author: douxiaofeng99

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.UUID;
 import java.util.function.Consumer;
 import java.util.function.Function;
@@ -53,6 +54,7 @@
 import org.springframework.security.authentication.DelegatingReactiveAuthenticationManager;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
+import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.authentication.ott.reactive.InMemoryReactiveOneTimeTokenService;
 import org.springframework.security.authentication.ott.reactive.OneTimeTokenReactiveAuthenticationManager;
@@ -156,7 +158,9 @@
 import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;
 import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
 import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
+import org.springframework.security.web.server.authentication.ott.DefaultServerGenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.server.authentication.ott.GenerateOneTimeTokenWebFilter;
+import org.springframework.security.web.server.authentication.ott.ServerGenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.server.authentication.ott.ServerOneTimeTokenAuthenticationConverter;
 import org.springframework.security.web.server.authentication.ott.ServerOneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.server.authorization.AuthorizationContext;
@@ -5940,6 +5944,8 @@ public final class OneTimeTokenLoginSpec {
 
 		private ServerSecurityContextRepository securityContextRepository;
 
+		private ServerGenerateOneTimeTokenRequestResolver requestResolver;
+
 		private String loginProcessingUrl = "/login/ott";
 
 		private String defaultSubmitPageUrl = "/login/ott";
@@ -5985,6 +5991,7 @@ private void configureOttGenerateFilter(ServerHttpSecurity http) {
 					getTokenGenerationSuccessHandler());
 			generateFilter
 				.setRequestMatcher(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, this.tokenGeneratingUrl));
+			generateFilter.setGenerateRequestResolver(getRequestResolver());
 			http.addFilterAt(generateFilter, SecurityWebFiltersOrder.ONE_TIME_TOKEN);
 		}
 
@@ -6112,6 +6119,32 @@ public OneTimeTokenLoginSpec authenticationConverter(ServerAuthenticationConvert
 			return this;
 		}
 
+		/**
+		 * Use this {@link ServerGenerateOneTimeTokenRequestResolver} when resolving
+		 * {@link GenerateOneTimeTokenRequest} from {@link ServerWebExchange}. By default,
+		 * the {@link DefaultServerGenerateOneTimeTokenRequestResolver} is used.
+		 * @param requestResolver the
+		 * {@link DefaultServerGenerateOneTimeTokenRequestResolver} to use
+		 * @since 6.5
+		 */
+		public OneTimeTokenLoginSpec generateRequestResolver(
+				ServerGenerateOneTimeTokenRequestResolver requestResolver) {
+			Assert.notNull(requestResolver, "generateRequestResolver cannot be null");
+			this.requestResolver = requestResolver;
+			return this;
+		}
+
+		private ServerGenerateOneTimeTokenRequestResolver getRequestResolver() {
+			if (this.requestResolver != null) {
+				return this.requestResolver;
+			}
+			ServerGenerateOneTimeTokenRequestResolver bean = getBeanOrNull(
+					ServerGenerateOneTimeTokenRequestResolver.class);
+			this.requestResolver = Objects.requireNonNullElseGet(bean,
+					DefaultServerGenerateOneTimeTokenRequestResolver::new);
+			return this.requestResolver;
+		}
+
 		/**
 		 * Specifies the URL to process the login request, defaults to {@code /login/ott}.
 		 * Only POST requests are processed, for that reason make sure that you pass a

config/src/main/kotlin/org/springframework/security/config/web/server/ServerOneTimeTokenLoginDsl.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ package org.springframework.security.config.web.server
 
 import org.springframework.security.authentication.ReactiveAuthenticationManager
 import org.springframework.security.authentication.ott.reactive.ReactiveOneTimeTokenService
+import org.springframework.security.web.server.authentication.ott.ServerGenerateOneTimeTokenRequestResolver
 import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
 import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler
 import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler
@@ -34,6 +35,7 @@ import org.springframework.security.web.server.context.ServerSecurityContextRepo
  * @property authenticationConverter Use this [ServerAuthenticationConverter] when converting incoming requests to an authentication
  * @property authenticationFailureHandler the [ServerAuthenticationFailureHandler] to use when authentication
  * @property authenticationSuccessHandler the [ServerAuthenticationSuccessHandler] to be used
+ * @property generateRequestResolver the [ServerGenerateOneTimeTokenRequestResolver] to be used
  * @property defaultSubmitPageUrl sets the URL that the default submit page will be generated
  * @property showDefaultSubmitPage configures whether the default one-time token submit page should be shown
  * @property loginProcessingUrl the URL to process the login request
@@ -50,6 +52,7 @@ class ServerOneTimeTokenLoginDsl {
     var authenticationSuccessHandler: ServerAuthenticationSuccessHandler? = null
     var tokenGenerationSuccessHandler: ServerOneTimeTokenGenerationSuccessHandler? = null
     var securityContextRepository: ServerSecurityContextRepository? = null
+    var generateRequestResolver: ServerGenerateOneTimeTokenRequestResolver? = null
     var defaultSubmitPageUrl: String? = null
     var loginProcessingUrl: String? = null
     var tokenGeneratingUrl: String? = null
@@ -71,6 +74,7 @@ class ServerOneTimeTokenLoginDsl {
                 )
             }
             securityContextRepository?.also { oneTimeTokenLogin.securityContextRepository(securityContextRepository) }
+            generateRequestResolver?.also { oneTimeTokenLogin.generateRequestResolver(generateRequestResolver) }
             defaultSubmitPageUrl?.also { oneTimeTokenLogin.defaultSubmitPageUrl(defaultSubmitPageUrl) }
             showDefaultSubmitPage?.also { oneTimeTokenLogin.showDefaultSubmitPage(showDefaultSubmitPage!!) }
             loginProcessingUrl?.also { oneTimeTokenLogin.loginProcessingUrl(loginProcessingUrl) }

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -99,6 +99,9 @@
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
@@ -471,6 +474,11 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 		generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value"));
 		generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication));
+		generatorByClassName.put(AuthorizationDeniedException.class,
+				(r) -> new AuthorizationDeniedException("message", new AuthorizationDecision(false)));
+		generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true));
+		generatorByClassName.put(AuthorityAuthorizationDecision.class,
+				(r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER")));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {

config/src/test/java/org/springframework/security/config/web/server/OneTimeTokenLoginSpecTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,8 @@
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentMatchers;
+import org.mockito.Mockito;
 import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.annotation.Autowired;
@@ -40,6 +42,8 @@
 import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.ott.DefaultServerGenerateOneTimeTokenRequestResolver;
+import org.springframework.security.web.server.authentication.ott.ServerGenerateOneTimeTokenRequestResolver;
 import org.springframework.security.web.server.authentication.ott.ServerOneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.server.authentication.ott.ServerRedirectOneTimeTokenGenerationSuccessHandler;
 import org.springframework.test.web.reactive.server.WebTestClient;
@@ -49,6 +53,8 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatException;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 
 /**
  * Tests for {@link ServerHttpSecurity.OneTimeTokenLoginSpec}
@@ -107,7 +113,7 @@ void oneTimeTokenWhenCorrectTokenThenCanAuthenticate() {
 				.expectHeader().valueEquals("Location", "/login/ott");
 		// @formatter:on
 
-		String token = TestServerOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue();
+		String token = getLastToken().getTokenValue();
 
 		// @formatter:off
 		this.client.mutateWith(SecurityMockServerConfigurers.csrf())
@@ -143,7 +149,7 @@ void oneTimeTokenWhenDifferentAuthenticationUrlsThenCanAuthenticate() {
 				.expectHeader().valueEquals("Location", "/redirected");
 		// @formatter:on
 
-		String token = TestServerOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue();
+		String token = getLastToken().getTokenValue();
 
 		// @formatter:off
 		this.client.mutateWith(SecurityMockServerConfigurers.csrf())
@@ -179,7 +185,7 @@ void oneTimeTokenWhenCorrectTokenUsedTwiceThenSecondTimeFails() {
 				.expectHeader().valueEquals("Location", "/login/ott");
 		// @formatter:on
 
-		String token = TestServerOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue();
+		String token = getLastToken().getTokenValue();
 
 		// @formatter:off
 		this.client.mutateWith(SecurityMockServerConfigurers.csrf())
@@ -268,6 +274,12 @@ void oneTimeTokenWhenFormLoginConfiguredThenRendersRequestTokenForm() {
 		assertThat(response.contains(GENERATE_OTT_PART)).isTrue();
 	}
 
+	private OneTimeToken getLastToken() {
+		OneTimeToken lastToken = this.spring.getContext()
+			.getBean(TestServerOneTimeTokenGenerationSuccessHandler.class).lastToken;
+		return lastToken;
+	}
+
 	@Test
 	void oneTimeTokenWhenNoOneTimeTokenGenerationSuccessHandlerThenException() {
 		assertThatException()
@@ -280,27 +292,58 @@ Please provide it as a bean or pass it to the oneTimeTokenLogin() DSL.
 					""");
 	}
 
+	@Test
+	void oneTimeTokenWhenCustomRequestResolverSetThenCustomResolverUse() {
+		this.spring.register(OneTimeTokenConfigWithCustomRequestResolver.class).autowire();
+
+		// @formatter:off
+		this.client.mutateWith(SecurityMockServerConfigurers.csrf())
+				.post()
+				.uri((uriBuilder) -> uriBuilder
+						.path("/ott/generate")
+						.build()
+				)
+				.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+				.body(BodyInserters.fromFormData("username", "user"))
+				.exchange()
+				.expectStatus()
+				.is3xxRedirection()
+				.expectHeader().valueEquals("Location", "/login/ott");
+		// @formatter:on
+
+		ServerGenerateOneTimeTokenRequestResolver resolver = this.spring.getContext()
+			.getBean(ServerGenerateOneTimeTokenRequestResolver.class);
+
+		verify(resolver, times(1)).resolve(ArgumentMatchers.any(ServerWebExchange.class));
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	@Import(UserDetailsServiceConfig.class)
 	static class OneTimeTokenDefaultConfig {
 
 		@Bean
-		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
+				ServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler) {
 			// @formatter:off
 			http
 					.authorizeExchange((authorize) -> authorize
 							.anyExchange()
 							.authenticated()
 					)
 					.oneTimeTokenLogin((ott) -> ott
-							.tokenGenerationSuccessHandler(new TestServerOneTimeTokenGenerationSuccessHandler())
+							.tokenGenerationSuccessHandler(ottSuccessHandler)
 					);
 			// @formatter:on
 			return http.build();
 		}
 
+		@Bean
+		TestServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler() {
+			return new TestServerOneTimeTokenGenerationSuccessHandler();
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)
@@ -310,7 +353,8 @@ SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 	static class OneTimeTokenDifferentUrlsConfig {
 
 		@Bean
-		SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
+		SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http,
+				ServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler) {
 			// @formatter:off
 			http
 					.authorizeExchange((authorize) -> authorize
@@ -319,14 +363,19 @@ SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
 					)
 					.oneTimeTokenLogin((ott) -> ott
 							.tokenGeneratingUrl("/generateurl")
-							.tokenGenerationSuccessHandler(new TestServerOneTimeTokenGenerationSuccessHandler("/redirected"))
+							.tokenGenerationSuccessHandler(ottSuccessHandler)
 							.loginProcessingUrl("/loginprocessingurl")
 							.authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/authenticated"))
 					);
 			// @formatter:on
 			return http.build();
 		}
 
+		@Bean
+		TestServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler() {
+			return new TestServerOneTimeTokenGenerationSuccessHandler("/redirected");
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)
@@ -336,7 +385,8 @@ SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
 	static class OneTimeTokenFormLoginConfig {
 
 		@Bean
-		SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
+		SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http,
+				ServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler) {
 			// @formatter:off
 			http
 					.authorizeExchange((authorize) -> authorize
@@ -345,12 +395,17 @@ SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
 					)
 					.formLogin(Customizer.withDefaults())
 					.oneTimeTokenLogin((ott) -> ott
-							.tokenGenerationSuccessHandler(new TestServerOneTimeTokenGenerationSuccessHandler())
+							.tokenGenerationSuccessHandler(ottSuccessHandler)
 					);
 			// @formatter:on
 			return http.build();
 		}
 
+		@Bean
+		TestServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler() {
+			return new TestServerOneTimeTokenGenerationSuccessHandler();
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)
@@ -385,10 +440,44 @@ ReactiveUserDetailsService userDetailsService() {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	@EnableWebFlux
+	@EnableWebFluxSecurity
+	@Import(UserDetailsServiceConfig.class)
+	static class OneTimeTokenConfigWithCustomRequestResolver {
+
+		@Bean
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
+				ServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler) {
+			// @formatter:off
+			http
+					.authorizeExchange((authorize) -> authorize
+							.anyExchange()
+							.authenticated()
+					)
+					.oneTimeTokenLogin((ott) -> ott
+							.tokenGenerationSuccessHandler(ottSuccessHandler)
+					);
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		ServerGenerateOneTimeTokenRequestResolver resolver() {
+			return Mockito.spy(new DefaultServerGenerateOneTimeTokenRequestResolver());
+		}
+
+		@Bean
+		TestServerOneTimeTokenGenerationSuccessHandler ottSuccessHandler() {
+			return new TestServerOneTimeTokenGenerationSuccessHandler();
+		}
+
+	}
+
 	private static class TestServerOneTimeTokenGenerationSuccessHandler
 			implements ServerOneTimeTokenGenerationSuccessHandler {
 
-		private static OneTimeToken lastToken;
+		private OneTimeToken lastToken;
 
 		private final ServerOneTimeTokenGenerationSuccessHandler delegate;
 
@@ -402,7 +491,7 @@ private static class TestServerOneTimeTokenGenerationSuccessHandler
 
 		@Override
 		public Mono<Void> handle(ServerWebExchange exchange, OneTimeToken oneTimeToken) {
-			lastToken = oneTimeToken;
+			this.lastToken = oneTimeToken;
 			return this.delegate.handle(exchange, oneTimeToken);
 		}