Merge pull request #1032 from codeconsole/7.0.x-6.1.x-merge

6.1.x merge
grails · Oct 11, 2024 · 84fac4c · 84fac4c
2 parents 0959844 + b0af376
commit 84fac4c
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 57 deletions.
diff --git a/.sdkmanrc b/.sdkmanrc
@@ -0,0 +1 @@
+java=17.0.12-librca
diff --git a/...ration-test/groovy/grails/plugin/springsecurity/SpringSecurityUtilsIntegrationSpec.groovy b/...ration-test/groovy/grails/plugin/springsecurity/SpringSecurityUtilsIntegrationSpec.groovy
@@ -87,15 +87,15 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {
         expect:
         10 == map.size()
         map[Integer.MIN_VALUE + 10] instanceof SecurityRequestHolderFilter
-        map[300] instanceof SecurityContextPersistenceFilter
-        map[400] instanceof MutableLogoutFilter
-        map[800] instanceof GrailsUsernamePasswordAuthenticationFilter
-        map[1400] instanceof SecurityContextHolderAwareRequestFilter
-        map[1500] instanceof GrailsRememberMeAuthenticationFilter
-        map[1600] instanceof GrailsAnonymousAuthenticationFilter
-        map[1800] instanceof FormContentFilter
-        map[1900] instanceof ExceptionTranslationFilter
-        map[2000] instanceof FilterSecurityInterceptor
+        map[SecurityFilterPosition.SECURITY_CONTEXT_FILTER.order] instanceof SecurityContextPersistenceFilter
+        map[SecurityFilterPosition.LOGOUT_FILTER.order] instanceof MutableLogoutFilter
+        map[SecurityFilterPosition.FORM_LOGIN_FILTER.order] instanceof GrailsUsernamePasswordAuthenticationFilter
+        map[SecurityFilterPosition.SERVLET_API_SUPPORT_FILTER.order] instanceof SecurityContextHolderAwareRequestFilter
+        map[SecurityFilterPosition.REMEMBER_ME_FILTER.order] instanceof GrailsRememberMeAuthenticationFilter
+        map[SecurityFilterPosition.ANONYMOUS_FILTER.order] instanceof GrailsAnonymousAuthenticationFilter
+        map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order-10] instanceof FormContentFilter
+        map[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order] instanceof ExceptionTranslationFilter
+        map[SecurityFilterPosition.FILTER_SECURITY_INTERCEPTOR.order] instanceof FilterSecurityInterceptor
 
         when:
         SpringSecurityUtils.clientRegisterFilter 'foo', SecurityFilterPosition.LOGOUT_FILTER
@@ -123,7 +123,7 @@ class SpringSecurityUtilsIntegrationSpec extends AbstractIntegrationSpec {
 
         then:
         11 == map.size()
-        map[410] instanceof DummyFilter
+        map[SecurityFilterPosition.LOGOUT_FILTER.order + 10] instanceof DummyFilter
 
         when:
         def filters = securityFilterChains[0].filters

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -76,6 +76,7 @@ spring-context-core = { module = 'org.springframework:spring-context', version.r
 spring-context-support = { module = 'org.springframework:spring-context-support', version.ref = 'spring' }
 spring-expression = { module = 'org.springframework:spring-expression', version.ref = 'spring' }
 spring-security-core = { module = 'org.springframework.security:spring-security-core', version.ref = 'spring-security' }
+spring-security-config = { module = 'org.springframework.security:spring-security-config', version.ref = 'spring-security' }
 spring-security-crypto = { module = 'org.springframework.security:spring-security-crypto', version.ref = 'spring-security' }
 spring-security-web = { module = 'org.springframework.security:spring-security-web', version.ref = 'spring-security' }
 spring-test = { module = 'org.springframework:spring-test', version.ref = 'spring' }

diff --git a/plugin/build.gradle b/plugin/build.gradle
@@ -50,6 +50,7 @@ dependencies {
 	testImplementation libs.bundles.grails.testing.support
 	testImplementation libs.spock.core
 	testImplementation libs.spring.test
+	testImplementation libs.spring.security.config
 
 	testRuntimeOnly libs.slf4j.nop // Prevents warnings about missing slf4j implementation during tests
 }

diff --git a/...ingsecurity/SecurityFilterPosition.groovy → ...pringsecurity/SecurityFilterPosition.java b/...ingsecurity/SecurityFilterPosition.groovy → ...pringsecurity/SecurityFilterPosition.java
@@ -12,7 +12,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package grails.plugin.springsecurity
+package grails.plugin.springsecurity;
 
 /**
  * Stores the default order numbers of all Spring Security filters for use in configuration.
@@ -22,64 +22,100 @@
  *
  * @author Burt Beckwith
  */
-enum SecurityFilterPosition {
-	/** First */
+enum SecurityFilterPosition  {
+
 	FIRST(Integer.MIN_VALUE),
-	/** HTTP/HTTPS channel filter */
+
+	DISABLE_ENCODE_URL_FILTER,
+
+	FORCE_EAGER_SESSION_FILTER,
+
 	CHANNEL_FILTER,
-	/** Concurrent Sessions */
-	CONCURRENT_SESSION_FILTER,
-	/** Populates the SecurityContextHolder */
+
 	SECURITY_CONTEXT_FILTER,
-	/** Logout */
+
+	CONCURRENT_SESSION_FILTER,
+
+	WEB_ASYNC_MANAGER_FILTER,
+
+	HEADERS_FILTER,
+
+	CORS_FILTER,
+
+	SAML2_LOGOUT_REQUEST_FILTER,
+
+	SAML2_LOGOUT_RESPONSE_FILTER,
+
+	CSRF_FILTER,
+
+	SAML2_LOGOUT_FILTER,
+
 	LOGOUT_FILTER,
-	/** x509 certs */
+
+	OAUTH2_AUTHORIZATION_REQUEST_FILTER,
+
+	SAML2_AUTHENTICATION_REQUEST_FILTER,
+
 	X509_FILTER,
-	/** Pre-auth */
+
 	PRE_AUTH_FILTER,
-	/** CAS */
+
 	CAS_FILTER,
-	/** UsernamePasswordAuthenticationFilter */
+
+	OAUTH2_LOGIN_FILTER,
+
+	SAML2_AUTHENTICATION_FILTER,
+
 	FORM_LOGIN_FILTER,
-	/** OpenID */
-	OPENID_FILTER,
-	/** Not used, generates a dynamic login form */
+
 	LOGIN_PAGE_FILTER,
-	/** Digest auth */
+
+	LOGOUT_PAGE_FILTER,
+
 	DIGEST_AUTH_FILTER,
-	/** Basic Auth */
+
+	BEARER_TOKEN_AUTH_FILTER,
+
 	BASIC_AUTH_FILTER,
-	/** saved request filter */
+
 	REQUEST_CACHE_FILTER,
-	/** SecurityContextHolderAwareRequestFilter */
+
 	SERVLET_API_SUPPORT_FILTER,
-	/** Remember-me cookie */
+
+	JAAS_API_SUPPORT_FILTER,
+
 	REMEMBER_ME_FILTER,
-	/** Anonymous auth */
+
 	ANONYMOUS_FILTER,
-	/** SessionManagementFilter */
+
+	OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER,
+
+	WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER,
+
 	SESSION_MANAGEMENT_FILTER,
-	/** Spring FormContentFilter allows www-url-form-encoded content-types to provide params in PUT requests */
-	FORM_CONTENT_FILTER,
-	/** ExceptionTranslationFilter */
+
 	EXCEPTION_TRANSLATION_FILTER,
-	/** FilterSecurityInterceptor */
+
 	FILTER_SECURITY_INTERCEPTOR,
-	/** Switch user */
+
 	SWITCH_USER_FILTER,
-	/** Last */
-	LAST(Integer.MAX_VALUE)
 
-	private static final int INTERVAL = 100
+	LAST(Integer.MAX_VALUE);
+
+	private static final int INTERVAL = 100;
 
-	/** The position in the chain. */
-	final int order
+	private final int order;
 
-	private SecurityFilterPosition() {
-		order = ordinal() * INTERVAL
+	SecurityFilterPosition() {
+		this.order = ordinal() * INTERVAL;
 	}
 
-	private SecurityFilterPosition(int filterOrder) {
-		order = filterOrder
+	SecurityFilterPosition(int order) {
+		this.order = order;
 	}
+
+	public int getOrder() {
+		return this.order;
+	}
+
 }
diff --git a/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityCoreGrailsPlugin.groovy b/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityCoreGrailsPlugin.groovy
@@ -673,6 +673,14 @@ to default to 'Annotation'; setting value to 'Annotation'
 		// build filters here to give dependent plugins a chance to register some
 		SortedMap<Integer, String> filterNames = ReflectionUtils.findFilterChainNames(conf)
 		def securityFilterChains = applicationContext.securityFilterChains
+
+		// if sitemesh 3 is installed, an additional sitemesh 3 filter will need to be registered
+		// as part of the security filter chain so that pages are decorated using the security context
+		def sitemesh3Filter = applicationContext.getBean('sitemesh3Secured')
+		if (sitemesh3Filter) {
+			filterNames[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order - 10] = 'sitemesh3Secured'
+		}
+
 		SpringSecurityUtils.buildFilterChains filterNames, conf.filterChain.chainMap ?: [], securityFilterChains, applicationContext
 		log.trace 'Filter chain: {}', securityFilterChains
 

diff --git a/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityUtils.groovy b/plugin/src/main/groovy/grails/plugin/springsecurity/SpringSecurityUtils.groovy
@@ -762,7 +762,7 @@ final class SpringSecurityUtils {
 				orderedNames[SecurityFilterPosition.SWITCH_USER_FILTER.order] = 'switchUserProcessingFilter'
 			}
 
-			orderedNames[SecurityFilterPosition.FORM_CONTENT_FILTER.order] = 'formContentFilter'
+			orderedNames[SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order-10] = 'formContentFilter'
 
 			// add in filters contributed by secondary plugins
 			orderedNames << SpringSecurityUtils.orderedFilters
@@ -778,16 +778,12 @@ final class SpringSecurityUtils {
 
 		def allConfiguredFilters = [:]
 		filterNames.each { Integer order, String name ->
-			Filter filter = applicationContext.getBean(name, Filter)
-			allConfiguredFilters[name] = filter
-			SpringSecurityUtils.configuredOrderedFilters[order] = filter
-		}
-		// if sitemesh 3 is installed, an additional sitemesh 3 filter will need to be registered
-		// as part of the security filter chain so that pages are decorated using the security context
-		FilterRegistrationBean sitemesh3Filter = (FilterRegistrationBean) applicationContext.getBean('sitemesh3Secured')
-		if (sitemesh3Filter) {
-			allConfiguredFilters['sitemesh3Secured'] = sitemesh3Filter.filter
-			SpringSecurityUtils.configuredOrderedFilters[SecurityFilterPosition.FORM_CONTENT_FILTER.previous().order] = sitemesh3Filter.filter
+			def filter = applicationContext.getBean(name)
+			if (filter instanceof FilterRegistrationBean) {
+				filter = ((FilterRegistrationBean) filter).filter
+			}
+			allConfiguredFilters[name] = (Filter) filter
+			SpringSecurityUtils.configuredOrderedFilters[order] = (Filter) filter
 		}
 		log.trace 'Ordered filters: {}', SpringSecurityUtils.configuredOrderedFilters
 

diff --git a/plugin/src/test/groovy/grails/plugin/springsecurity/SpringSecurityUtilsSpec.groovy b/plugin/src/test/groovy/grails/plugin/springsecurity/SpringSecurityUtilsSpec.groovy
@@ -17,6 +17,7 @@ package grails.plugin.springsecurity
 import grails.plugin.springsecurity.web.GrailsSecurityFilterChain
 import grails.plugin.springsecurity.web.SecurityRequestHolder
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
+import org.springframework.security.config.http.SecurityFiltersMapper
 import org.springframework.security.core.GrantedAuthority
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.web.FilterChainProxy
@@ -340,6 +341,11 @@ class SpringSecurityUtilsSpec extends AbstractUnitSpec {
 		!SpringSecurityUtils.ifAnyGranted('ROLE_4')
 	}
 
+	void 'SecurityFilterPosition order should match SecurityFilters'() {
+		expect:
+			SecurityFilterPosition.SWITCH_USER_FILTER.order == SecurityFiltersMapper.SWITCH_USER_FILTER.order
+	}
+
 	void 'private constructor'() {
 		expect:
 		SecurityTestUtils.testPrivateConstructor SpringSecurityUtils

diff --git a/plugin/src/test/groovy/org/springframework/security/config/http/SecurityFiltersMapper.groovy b/plugin/src/test/groovy/org/springframework/security/config/http/SecurityFiltersMapper.groovy
@@ -0,0 +1,5 @@
+package org.springframework.security.config.http
+
+class SecurityFiltersMapper {
+    static final SWITCH_USER_FILTER = SecurityFilters.SWITCH_USER_FILTER
+}